SecurityTracker.com

Category:   Application (E-mail Server)  >   SPA-PRO Mail @Solomon
Vendors:   E-POST Corporation
SPA-PRO Mail @Solomon Input Validation Hole Discloses Files to Remote Users and Buffer Overflow Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014095
SecurityTracker URL:  http://securitytracker.com/id/1014095
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 2 2005
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.00 (SPA-IMAP4S 4.01)
Description:   Tan Chew Keong from SIG^2 Vulnerability Research reported some vulnerabilities in SPA-PRO Mail @Solomon. A remote authenticated user can view a target user's mail. A remote authenticated user can execute arbitrary code on the target system.

The mail server does not properly validate user-supplied IMAP folder names. A remote authenticated user can submit a specially crafted IMAP folder name containing directory traversal characters to view a target user's e-mail, create new directories, delete empty directories, and rename directories on the target system. The SELECT, CREATE, DELETE and RENAME commands are affected.

A remote authenticated user can supply a specially crafted folder name as part of the CREATE command to trigger a buffer overflow within the IMAP service. Arbitrary code can be executed.

The vendor was notified on May 28, 2005.

The original advisory is available at:

http://www.security.org.sg/vuln/spa-promail4.html
http://www.security.org.sg/vuln/spa-promail4-jp.html

Impact:   A remote authenticated user can view a target user's mail, create new directories, delete empty directories, and rename directories on the target system.

A remote authenticated user can cause the IMAP service to crash or execute arbitrary code.

Solution:   The vendor has issued a fixed version (4.05) of the SPA-IMAP4S component of SPA-PRO Mail @Solomon.
Vendor URL:  www.e-postinc.jp/solomon.html
Cause:   Boundary error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [SIG^2 G-TEC] SPA-PRO Mail @Solomon IMAP Server Directory Traversal


SIG^2 Vulnerability Research Advisory

SPA-PRO Mail @Solomon IMAP Server Directory Traversal and Buffer 
Overflow Vulnerabilities

by Tan Chew Keong
Release Date: 02 Jun 2005


ADVISORY URL
http://www.security.org.sg/vuln/spa-promail4.html
http://www.security.org.sg/vuln/spa-promail4-jp.html


SUMMARY

SPA-PRO Mail @Solomon (http://www.e-postinc.jp/solomon.html) is a stable 
and high speed mail server that supports multiple domains. It is low 
cost, easy to set up, and has low maintenance cost as compared to other 
products. It is best suited for use as departmental mail server, in 
medium enterprises, in educational institutes, and by hosting companies.

A directory traversal vulnerability was found in SPA-PRO Mail @Solomon's 
IMAP service. This vulnerability may be exploited by a malicious user to 
view other users' email, create arbitrary directories on the server, 
delete empty directories on the server, and/or rename directories on the 
server. A buffer overflow vulnerability also exists. This vulnerability 
is triggered when the IMAP service receives an overly long folder name 
in the create command. This vulnerability may be exploited to crash the 
IMAP service or to execute arbitrary code.


TESTED SYSTEM

SPA-PRO Mail @Solomon Version 4.00 (SPA-IMAP4S 4.01) on Japanese Win2K SP4.


DETAILS

This advisory documents two vulnerabilities found in the IMAP server of 
SPA-PRO Mail @Solomon. The first is a directory traversal vulnerability. 
The second is a buffer overflow vulnerability.

1. Multiple Commands Directory Traversal Vulnerability.

In the default installation of SPA-PRO Mail @Solomon, the users' IMAP 
folders are stored in subdirectories under C:\mail\. SPA-PRO Mail 
@Solomon failed to sanitize received IMAP folder names that have 
directory traversal sequences containing the forward-slash and the 
back-slash characters. Several IMAP commands are affected including 
SELECT, CREATE, DELETE and RENAME. This may be exploited in a directory 
traversal attack by a malicious user to view other users' email, create 
arbitrary directories on the server, delete empty directories on the 
server, and/or rename directories on the server.

2. Create Command Buffer Overflow Vulnerability.

A buffer overflow vulnerability is triggered when the IMAP service 
receives an overly long folder name in the create command. This may be 
exploited to crash the IMAP service or to execute arbitrary code.


PATCH

Upgrade the SPA-IMAP4S component of SPA-PRO Mail @Solomon to version 4.05.


DISCLOSURE TIMELINE

27 May 05 - Vulnerability Discovered.
28 May 05 - Initial Vendor Notification.
28 May 05 - Initial Vendor Reply.
29 May 05 - Sent Vulnerability Report to Vendor.
30 May 05 - Re-sent Vulnerability Report to Vendor.
30 May 05 - Vendor Provided SPA-IMAP4S Version 4.03 for Testing.
31 May 05 - Informed Vendor that Directory Traversal Vulnerability is 
not Fully Fixed and Informed Vendor of Buffer Overflow Vulnerability.
31 May 05 - Vendor Provided SPA-IMAP4S Version 4.04 for Testing.
31 May 05 - Informed Vendor that Directory Traversal Vulnerability is 
still not Fully Fixed.
31 May 05 - Vendor Provided SPA-IMAP4S Version 4.05, which fixes the 
vulnerability.
02 Jun 05 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."
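
The two input-validation failures reported above (folder names carrying traversal sequences with either separator, and an overly long folder name in CREATE) can be closed by one check applied before any IMAP folder name reaches the file system. The following is an added example, not code from the advisory or from the vendor's fix; the names folder_name_ok and folder_path, the 64-character limit and the C:\mail\<user>\<folder> layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAIL_ROOT  "C:\\mail"  /* default store location given in the advisory */
#define MAX_FOLDER 64          /* assumed limit on folder-name length */

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Returns 1 if name is an acceptable relative folder name, 0 otherwise. */
int folder_name_ok(const char *name)
{
    size_t len = 0;
    while (len <= MAX_FOLDER && name[len]) len++;      /* bounded length scan */
    if (len == 0 || len > MAX_FOLDER) return 0;        /* empty or overly long */
    if (strchr(name, ':')) return 0;                   /* drive or stream syntax */
    if (is_sep(name[0]) || is_sep(name[len - 1])) return 0;

    for (const char *p = name; *p; ) {
        const char *s = p;
        while (*p && !is_sep(*p)) p++;                 /* one path component */
        /* Empty component, or one ending in '.' or ' ': rejects "." and ".."
           plus names Windows would normalise by trimming the tail. */
        if (p == s || p[-1] == '.' || p[-1] == ' ') return 0;
        if (*p) p++;
    }
    return 1;
}

/* Writes MAIL_ROOT\user\folder to out. Returns 0, or -1 if anything is rejected. */
int folder_path(char *out, size_t outsz, const char *user, const char *folder)
{
    if (!folder_name_ok(user) || strpbrk(user, "/\\")) return -1;
    if (!folder_name_ok(folder)) return -1;
    int n = snprintf(out, outsz, "%s\\%s\\%s", MAIL_ROOT, user, folder);
    if (n < 0 || (size_t)n >= outsz) return -1;        /* refuse to truncate */
    for (char *q = out; *q; q++) if (*q == '/') *q = '\\';
    return 0;
}

int main(void)
{
    /* Constructed sample folder names, not taken from the advisory. */
    const char *samples[] = { "Sent", "Archive/2005", "../bob/inbox", "..\\bob\\inbox" };
    char path[260];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = folder_path(path, sizeof path, "alice", samples[i]);
        printf("%-16s -> %s\n", samples[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

The same check has to run on every command that takes a folder name (SELECT, CREATE, DELETE and both arguments of RENAME), since the advisory lists all four as affected.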
 
 

