Bugtraq mailing list archives
DoS by SMTP AUTH command in IPSwitch IMail server
From: SAKAI Yoriyuki <sakai () LAC CO JP>
Date: Thu, 7 Dec 2000 10:41:17 +0900
Dear folks, I found a kind of DoS to handle SMTP AUTH command in IPSwitch IMail server version 6.0.5. IPSwitch ships a product titled IMail, an email server for usage on NT servers serving SMTP, POP3, IMAP4, LDAP etc. It supports SMTP AUTH commands (RFC2554) and several authenticate methods to relay/accept e-mail. Problem Description ------------------- I put passwords over 80 bytes and less than 136 bytes in BASE64 format, the smtp server of IMail stop to response. No new SMTP sessions are able to created from local and remote. In this case, the length of password made a problem, no value matters. Example of Issue: HELO myhost 250 hello target AUTH LOGIN 334 VXNlcm5hbWU6 (Put BASE64ed user name) 334 UGFzc3dvcmQ6 (Put BASE64ed user password over 80 bytes and less than 136 bytes; the length of password is proximal.) (The connection is disconnected.) When I put over about 136 bytes for password, the server responds the status of "552"(command exceeds maximum length) and continue to work. If the length of password is less than 80 bytes, it works normally. Remotely Exploitable -------------------- Yes Locally Exploitable -------------------- Yes Tested Version of IMail ----------------------- 6 Gold (Japanese; No minor version is available) 6.0.5 (English) Tested on --------- Windows NT 4.0 Server SP6a (Japanese/English) Windows 2000 Server (No SPs) (Japanese/English) Windows 2000 Server SP1 (Japanese/English) Status of fixes --------------- I had reported this issue at 2000/Nov/15 and discussed this issue. IPSwitch has not release a patch yet. I hope a fix program will be released as soon as possible. Status of fixes (Japanese Version) --------------------------------- I also reported this issue to Japanese distributor of IMail at 2000/Nov/15, but when I reported I used the evaluation version of IMail, they closed all responses. Their artitude is contrastive to IPSwitch's. I'd only wanted to exam what kind of bugs are still in the current version of IMail and wanted to make a short report to our customer. I wonder whether they really mean the evaluation copy is for the sake of evaluation and all vulnerability must be reported by the current customer. -- SAKAI Yoriyuki / SNS (SecureNetService)Team / LAC Co., Ltd. sakai () lac co jp http://www.lac.co.jp/security/
Current thread:
- DoS by SMTP AUTH command in IPSwitch IMail server SAKAI Yoriyuki (Dec 08)
- Re: DoS by SMTP AUTH command in IPSwitch IMail server SAKAI Yoriyuki (Dec 22)