SecurityTracker.com
Category:   Application (E-mail Server)  >   IMail Server
Vendors:   Ipswitch
Ipswitch's IMail Server Buffer Overflow in LDAP Service Lets Remote Users Execute Arbitrary Code with SYSTEM Level Privileges
SecurityTracker Alert ID:  1004332
SecurityTracker URL:  http://securitytracker.com/id/1004332
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 21 2002
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 7.1 and prior versions
Description:   A buffer overflow vulnerability was reported in the LDAP server component of Ipswitch's IMail Server. A remote user may be able to execute arbitrary code with SYSTEM level privileges.

Foundstone issued an advisory warning that a remote user can supply a specially crafted string to the "bind DN" parameter when "binding" to the server with simple authentication to trigger the buffer overflow. The specially crafted string can overwrite the saved return address and execute arbitrary code in the LDAP process.

The code will run with the privileges of the IMail daemon, which is reported to be SYSTEM level privileges in the default configuration.
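
A defensive check for the condition described above, as an added example that is not part of the advisory or of any Ipswitch or Foundstone code: it parses the BER framing of an LDAP BindRequest and flags a bind DN longer than a policy limit. The 255-byte limit, the function names and the sample messages are assumptions constructed for illustration; the advisory does not state the buffer size.

```python
# Added example: flag oversized bind DNs in captured LDAP BindRequest messages.
MAX_BIND_DN = 255  # assumed policy limit; the advisory gives no buffer size

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: low 7 bits = octet count
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("declared length exceeds data")
    return tag, buf[pos:pos + length], pos + length

def inspect_bind(message, limit=MAX_BIND_DN):
    """Return 'not-bind', 'ok', 'oversized-dn' or 'malformed' for one LDAPMessage."""
    try:
        tag, body, _ = read_tlv(message, 0)        # LDAPMessage SEQUENCE
        msg_tag, _, pos = read_tlv(body, 0)        # messageID INTEGER
        op_tag, bind, _ = read_tlv(body, pos)      # protocolOp
        if tag != 0x30 or msg_tag != 0x02:
            return "malformed"
        if op_tag != 0x60:                         # [APPLICATION 0] BindRequest
            return "not-bind"
        ver_tag, _, pos = read_tlv(bind, 0)        # version INTEGER
        dn_tag, dn, _ = read_tlv(bind, pos)        # name: the bind DN
    except ValueError:
        return "malformed"
    if ver_tag != 0x02 or dn_tag != 0x04:
        return "malformed"
    return "oversized-dn" if len(dn) > limit else "ok"

def tlv(tag, value):
    """BER-encode one element; used only to build the constructed samples."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def bind_request(dn, password=b"x"):
    """Constructed simple-bind LDAPMessage (version 3, messageID 1)."""
    op = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password))
    return tlv(0x30, tlv(0x02, b"\x01") + op)
```

Run it on reassembled LDAP messages; a bind split across TCP segments returns `malformed` when fed one segment at a time, so that verdict is worth logging as well.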

Impact:   A remote user can cause arbitrary code to be executed on the server, possibly with SYSTEM level privileges (depending on how the system is configured).
Solution:   The vendor has issued a hotfix for users running 7.10 (7.10 Hotfix 1), available at:

http://www.ipswitch.com/Support/IMail/patch-upgrades.html

Customers running earlier versions should contact their customer support representative to obtain the appropriate patches.

Vendor URL:  www.ipswitch.com/Support/IMail/patch-upgrades.html
Cause:   Boundary error
Underlying OS:  Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Foundstone Advisory - Buffer Overflow in Ipswitch Imail 7.1 and



---------- Forwarded message ----------
Date: Mon, 20 May 2002 13:24:26 -0700
From: Foundstone Labs <labs@foundstone.com>
To: da@securityfocus.com
Subject: Foundstone Advisory - Buffer Overflow in Ipswitch Imail 7.1 and
    prior

Please disregard the previous email.
Can you please forward this to the bugtraq mailing list?

            Thanks,
            Marshall Beddoe

-----------------------------------------------------------------------------
FS Advisory ID:           FS-052002-21-IPIM

Release Date:               May 20, 2002

Product:                       IMail Server

Vendor:                        Ipswitch (http://www.ipswitch.com)

Vendor Advisory:         See vendor's website

Type:                            Buffer Overflow

Severity:                       High

Author:                         Foundstone, Inc (http://www.foundstone.com)

Operating Systems:       Windows 2000 / XP

Vulnerable Versions:     7.1 and prior

Foundstone Advisory:   http://www.foundstone.com/advisories.htm
-----------------------------------------------------------------------------

Description:

            A buffer overflow exists in the LDAP component of Ipswitch's IMail
            software suite.  Exploitation of this vulnerability allows remote
            execution of arbitrary code with the privileges of the IMail daemon
            (default is SYSTEM).

Details:

            The IMail server ships with several components including an LDAP
            service.  The LDAP server allows a remote client read access to
            the IMail directory.  A vulnerability exists during the authentication
            process which allows an outside attacker remote access to the
            server with the privileges of the SYSTEM account.

            When "binding" to the server with simple authentication a "bind DN"
            and password can be specified.  By providing an overly long string to
            the "bind DN" parameter, it is possible to overwrite the saved return
            address, control the instruction pointer and execute arbitrary code in
            the remote process.

Solution:

            Refer to the advisory published by Ipswitch at

http://www.ipswitch.com/Support/IMail/patch-upgrades.html

            Customers should obtain upgraded software by contacting their customer
            support representative to receive the required patches.

Credits:

            Foundstone would like to thank Ipswitch for their prompt response and
            handling of this problem.

Disclaimer:

            The information contained in this advisory is copyright (c) 2002
            Foundstone, Inc. and is believed to be accurate at the time of
            publishing, but no representation of any warranty is given, express, or
            implied as to its accuracy or completeness.  In no event shall the
            author or Foundstone be liable for any direct, indirect, incidental,
            special, exemplary or consequential damages resulting from the use or
            misuse of this information.  This advisory may be redistributed,
            provided that no fee is assigned and that the advisory is not modified
            in any way.



 
 

