Title: DoS by SMTP AUTH command in IPSwitch IMail server
Released by: Sakai Yoriyuki
Date: 8th December 2000
Dear folks,

I found a kind of DoS in the handling of the SMTP AUTH command in IPSwitch IMail
server version 6.0.5.
IPSwitch ships a product titled IMail, an email server for use on NT
servers serving SMTP, POP3, IMAP4, LDAP etc.
It supports SMTP AUTH commands (RFC2554) and several authentication methods
to relay/accept e-mail.



Problem Description
-------------------
When I put passwords over 80 bytes and less than 136 bytes in BASE64 format,
the SMTP server of IMail stops responding. No new SMTP sessions can be
created, locally or remotely. In this case, the length of the
password causes the problem; the value does not matter.



Example of Issue:
HELO myhost
250 hello target
AUTH LOGIN
334 VXNlcm5hbWU6 (Put BASE64ed user name)
334 UGFzc3dvcmQ6
(Put BASE64ed user password over 80 bytes and less than 136 bytes;
the length of the password is approximate.)
(The connection is disconnected.)



When I put over about 136 bytes for the password, the server responds
with the status "552" (command exceeds maximum length) and continues
to work.
If the length of the password is less than 80 bytes, it works normally.



Remotely Exploitable
--------------------
Yes



Locally Exploitable
-------------------
Yes



Tested Version of IMail
-----------------------
6 Gold (Japanese; No minor version is available)
6.0.5 (English)



Tested on
---------
Windows NT 4.0 Server SP6a (Japanese/English)
Windows 2000 Server (No SPs) (Japanese/English)
Windows 2000 Server SP1 (Japanese/English)



Status of fixes
---------------
I reported this issue on 2000/Nov/15 and discussed this
issue. IPSwitch has not released a patch yet.
I hope a fix will be released as soon as possible.



Status of fixes (Japanese Version)
----------------------------------
I also reported this issue to the Japanese distributor of IMail
on 2000/Nov/15, but because I used the evaluation version of
IMail when I reported it, they closed all responses. Their attitude is in contrast to
IPSwitch's. I only wanted to examine what kinds of bugs are still
in the current version of IMail and wanted to make a short report
to our customer.
I wonder whether they really mean the evaluation copy is for
the sake of evaluation and all vulnerabilities must be reported by
current customers.



--
  SAKAI Yoriyuki / SNS (SecureNetService)Team / LAC Co., Ltd.
  sakai@lac.co.jp
  http://www.lac.co.jp/security/
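
A log-side check for the exchange described in the advisory, added here as an example and not part of the original post or of IMail: it follows the AUTH LOGIN challenges in a recorded SMTP session and flags a password response whose length falls in the reported window. The function names, the (direction, line) event format and the reading of the 80/136 bounds as the length of the BASE64 text on the wire are assumptions; the sample sessions are constructed.

```python
import base64

# Length window reported in the advisory (over 80, under about 136 bytes).
# Assumption: the bounds are measured on the BASE64 text sent on the wire.
LOW, HIGH = 80, 136

def challenge_text(server_line):
    """Return the decoded text of a 334 challenge, or None for other replies."""
    code, _, rest = server_line.strip().partition(" ")
    if code != "334":
        return None
    try:
        return base64.b64decode(rest.split()[0], validate=True).decode("ascii")
    except (ValueError, IndexError, UnicodeDecodeError):
        return None

def scan_session(events):
    """events: (direction, line) pairs, direction "C" (client) or "S" (server).
    Returns (index, length) for each password response inside the window."""
    findings = []
    awaiting_password = False
    for i, (direction, line) in enumerate(events):
        if direction == "S":
            # 334 UGFzc3dvcmQ6 decodes to "Password:"; the next client line answers it.
            awaiting_password = challenge_text(line) == "Password:"
        elif awaiting_password:
            length = len(line.strip())
            if LOW < length < HIGH:
                findings.append((i, length))
            awaiting_password = False
    return findings

def make_session(password_bytes):
    """Build a constructed AUTH LOGIN transcript (sample data, nothing is sent)."""
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return [
        ("C", "HELO myhost"), ("S", "250 hello target"),
        ("C", "AUTH LOGIN"), ("S", "334 VXNlcm5hbWU6"),
        ("C", b64(b"user")), ("S", "334 UGFzc3dvcmQ6"),
        ("C", b64(password_bytes)),
    ]

if __name__ == "__main__":
    for size in (6, 75, 150):
        print(size, scan_session(make_session(b"A" * size)))
```

The same length test can sit in an SMTP proxy or filter in front of an unpatched server, rejecting the response before it reaches IMail.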