Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

DoS by SMTP AUTH command in IPSwitch IMail server

From: SAKAI Yoriyuki <sakai () LAC CO JP>
Date: Thu, 7 Dec 2000 10:41:17 +0900
Dear folks,

I found a kind of DoS to handle SMTP AUTH command in IPSwitch IMail
server version 6.0.5.
IPSwitch ships a product titled IMail, an email server for usage on NT
servers serving SMTP, POP3, IMAP4, LDAP etc.
It supports SMTP AUTH commands (RFC2554) and several authenticate methods
to relay/accept e-mail.

Problem Description
-------------------
I put passwords over 80 bytes and less than 136 bytes in BASE64 format,
the smtp server of IMail stop to response. No new SMTP sessions are
able to created from local and remote. In this case, the length of
password made a problem, no value matters.

Example of Issue:
HELO myhost
250 hello target
AUTH LOGIN
334 VXNlcm5hbWU6 (Put BASE64ed user name)
334 UGFzc3dvcmQ6
(Put BASE64ed user password over 80 bytes and less than 136 bytes;
the length of password is proximal.)
(The connection is disconnected.)

When I put over about 136 bytes for password, the server responds
the status of "552"(command exceeds maximum length) and continue
to work.
If the length of password is less than 80 bytes, it works normally.

Remotely Exploitable
--------------------
                Yes

Locally Exploitable
--------------------
                Yes

Tested Version of IMail
-----------------------
6 Gold (Japanese; No minor version is available)
6.0.5 (English)

Tested on
---------
Windows NT 4.0 Server SP6a (Japanese/English)
Windows 2000 Server (No SPs) (Japanese/English)
Windows 2000 Server SP1 (Japanese/English)

Status of fixes
---------------
        I had reported this issue at 2000/Nov/15 and discussed this
issue. IPSwitch has not release a patch yet.
I hope a fix program will be released as soon as possible.

Status of fixes (Japanese Version)
---------------------------------
        I also reported this issue to Japanese distributor of IMail
at 2000/Nov/15, but when I reported I used the evaluation version of
IMail, they closed all responses. Their artitude is contrastive to
IPSwitch's. I'd only wanted to exam what kind of bugs are still
in the current version of IMail and wanted to make a short report
to our customer.
I wonder whether they really mean the evaluation copy is for
the sake of evaluation and all vulnerability must be reported by
the current customer.

--
  SAKAI Yoriyuki / SNS (SecureNetService)Team / LAC Co., Ltd.
  sakai () lac co jp
  http://www.lac.co.jp/security/
Previous By Date Next
Previous By Thread Next

Current thread: