Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (E-mail Server)  >   IMail Server Vendors:   Ipswitch
Ipswitch's IMail Server May Give Remote Users System Level Access on the Server
SecurityTracker Alert ID:  1001428
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 25 2001
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): IMail Server 6.06; possibly earlier versions
Description:   eEye Digital Security released an advisory for Ipswitch's IMail Server announcing that it allows remote users to gain system level privileges on the server.

According to the report, the vulnerability is due to the lack of proper bounds checking on certain input data that is passed by the SMTP daemon to the "IMail Mailing List" code.

To trigger the vulnerability and cause arbitrary code to be executed, the remote user must know the name of a valid mailing list on the server (which can reportedly be obtained by querying the server). An SMTP session with the server, where mail is destined to a valid mailing list and where a specially formatted command is supplied to the server, can cause arbitrary code to be executed.

eEye Digital Security intends to post an exploit to their web site at some point in the future.

Impact:   A remote user can execute arbitrary code on the server with system level privileges.
Solution:   The vendor has released a patch. See the vendor URL.
Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.

 Source Message Contents

Subject:  IPSwitch IMail 6.06 SMTP Remote System Access Vulnerability

IPSwitch IMail 6.06 SMTP Remote System Access Vulnerability

Release Date:
April 24, 2001


Systems Affected:
Systems running IPSwitch's IMail 6.06 SMTP daemon. Prior versions are most
likely vulnerable.

There exists a vulnerability within IMail that allows remote attackers to
vulnerability stems from the IMail SMTP daemon not doing proper bounds
checking on various input data that gets passed to the IMail Mailing List
handler code. If an attacker crafts a special buffer and sends it to a
remote IMail SMTP server its possible that an attacker can remotely execute
code (commands) on the IMail system.

In order to overwrite EIP you must know the name of a valid mailing list.
IMail will happily provide you with a list of mailing lists by sending an eMail with the word "list" (without the quotes) in
the body of an eMail msg. Now take any valid mailing list name and put it
into the following SMTP session request and you will succesfully cause a
buffer overflow to happen within the IMail service which, if you supply a
specially crafted buffer, will result in the ability to remotely execute
code on the IMail server.

Client SMTP Session -> IMAIL SMTP
helo eeyerulez
mailfrom: <>
rcpt to: valid_mailing_list
From: [buffer]
To: Whatever
Where [buffer] is 829 or so characters.

Check back to the eEye website as we will post an exploit at some point.

Riley Hassell
Marc Maiffret

Vendor Status:
We would like to thank the people at IPSWITCH for immediately making this a
priority and releasing a patch very quickly. In fact IMail was able to get a
corrective patch out within two days of contacting them. That sort of vendor
response should be standard throughout the industry.
Users of IMail may download the IMail patches from:

Related Links:
eEye Digital Security

For all the people who have made life more interesting.
KAM, K2, Zen-Parse, Lamagra, Roland Postle, lsd from Poland and Martha

Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail for

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Please send suggestions, updates, and comments to:

eEye Digital Security


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, LLC