SecurityTracker.com Archives - MailEnable IMAP RENAME Command Lets Remote Authenticated Users Deny Service

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (E-mail Server) > MailEnable

Vendors: MailEnable Pty. Ltd.

MailEnable IMAP RENAME Command Lets Remote Authenticated Users Deny Service

SecurityTracker Alert ID: 1015268

SecurityTracker URL: http://securitytracker.com/id?1015268

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Nov 24 2005

Impact: Denial of service via network

Fix Available: Yes Exploit Included: Yes Vendor Confirmed: Yes

Version(s): MailEnable Pro 1.7; MailEnable Enterprise 1.1

Description: A vulnerability was reported in MailEnable. A remote authenticated user can cause denial of service conditions.

A remote authenticated user can send a specially crafted IMAP RENAME request with a non-existent mailbox name to cause the target IMAP service to crash.

A demonstration exploit transcript is provided:

telnet localhost 143
a1 login josh byebye
a2 rename foo bar

The vendor was notified on November 24, 2005.

Josh Zlatin-Amishav reported this vulnerability.

The original advisory is available at:

http://zur.homelinux.com/Advisories/MailEnableImapDos.txt

Impact: A remote authenticated user can cause the target IMAP service to crash.

Solution: The vendor has issued a fix:

http://www.mailenable.com/hotfix/MEIMAPS.ZIP

Vendor URL: www.mailenable.com/ (Links to External Site)

Cause: Exception handling error

Underlying OS: Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Reported By: Josh Zlatin <jzlatin@ramat.cc>

Message History: None.

Source Message Contents

Date: Thu, 24 Nov 2005 08:54:33 -0500 (EST)
From: Josh Zlatin <jzlatin@ramat.cc>
Subject: [Full-disclosure] MailEnable IMAP DOS

 
Synopsis: MailEnable Imap Remote DOS.

Product: MailEnable Pro
          MailEnable Enterprise
          http://www.mailenable.com

Version: Confirmed on MailEnable Pro 1.7 and MailEnable Enterprise 1.1

Author: Josh Zlatin-Amishav

Date: November 24, 2005

Background:
MailEnable's mail server software provides a powerful, scalable hosted 
messaging platform for Microsoft Windows. MailEnable offers stability, 
unsurpassed flexibility and an extensive feature set which allows you to 
provide cost-effective mail services.

Issue:
In working with researchers at Tenable Network Security, I have come across
a Denial of Service attack in the MailEnable Pro and MailEnable Enterprise
IMAP server. It is possible to remotely crash the IMAP server by sending a 
rename request with non existant mailbox names

PoC:
telnet localhost 143
a1 login josh byebye
a2 rename foo bar

where josh and byebye are the login credentials for an existing mailbox.

Vendor notified: November 24, 2005 10:50AM
Patch released:  November 24, 2005 13:28PM

Solution:
Download patch from: http://www.mailenable.com/hotfix/MEIMAPS.ZIP

To install:
1) Stop the IMAP service
2) Rename the MEIMAPS.EXE file in the Mail Enable\bin directory as this will
    allow you to roll back this fix
3) Extract the zip file from the URL above to the Mail Enable\bin directory
4) Start the IMAP service

References: http://zur.homelinux.com/Advisories/MailEnableImapDos.txt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2005, SecurityGlobal.net LLC