Buffer Overflow Vulnerability Found in MailMax Version 5 http://www.smartmax.com Discovered by Dennis Rand ------------------------------------------------------------------------ -----[SUMMARY This is a scalable e-mail server that supports SMTP, IMAP4 and POP3 protocols. Its TCP/IP GUI allows server administration from any Internet connected server. The Web Admin module allows you to define domain administrators so they can Maintain their own accounts. It also provides anti-spamming options. The problem is a Buffer Overflow in the IMAP4 protocol, within the IMAP4rev1 SmartMax IMAPMax 5, causing the service to stop responding. -----[AFFECTED SYSTEMS Vulnerable systems: * IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.6 and 5.0.10.7) Immune systems: * IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.8) * IMAP4rev1 SmartMax IMAPMax 5.5 -----[SEVERITY Medium - An attacker is able to cause a DoS attack on the IMAP protocol But it has no effect on the rest of the system. -----[DESCRIPTION OF WHAT THE VULNERABILITY IS The Vulnerability is a Buffer Overflow in the IMAP4rev1 SmartMax IMAPMax 5 When a malicious attacker sends a large amount into the password field, in The login procedure. The following transcript demonstrates a sample exploitation of the Vulnerabilities: ----------------------------- [Transcript] ----------------------------- nc 127.0.0.1 143 * OK IMAP4rev1 SmartMax IMAPMax 5 Ready 0000 CAPABILITY * CAPABILITY IMAP4rev1 0000 OK CAPABILITY completed 0001 LOGIN "mail@mail.com" "A..[50] ..A" 0001 NO Invalid user name or password. 0001 NO Invalid user name or password. ----------------------------- [Transcript] ----------------------------- When this attack is used there will pop-up a message box on the server, with the text "Buffer overrun detected! - Program: \IMAPMax.exe" at this time the service shuts down, and has to be restarted manually, from the service manager. -----[DETECTION IMAP4rev1 SmartMax IMAPMax 5 is vulnerable to the above-described attacks. Earlier versions may be susceptible as well. To determine if a specific implementation is vulnerable, experiment by following the above transcript. -----[WORK AROUNDS * With this vulnerable version of IMAP, the only workaround is to disable the IMAP4rev1 SmartMax IMAPMax 5 service, there are no workaround in the configuration. * SmartMax has released a patched version of IMAPMax.exe version 5.0.10.8 which corrects the problem. It can be downloaded at ftp://ftp.smartmax.com/updates/MailMax 5.0/Files/ Remember to ensure that the file version is 5.0.10.8 or higher. * Update your MailMax Version 5 to the released version 5.5 -----[VENDOR RESPONSE Thank you for the buffer overrun security notification in our ImapMax module for MailMax 5. I'm enclosing an updated IMAPMAX which fixes the buffer overflow vulnerability? We'll be posting this in our MailMax 5.5 update next week. Regards, Eric Weber -----[DISCLOSURE TIMELINE 25/03/2003 Found the Vulnerability, and made an analysis. 27/03/2003 Reported to Vendor (sales@smartmax.com, features@smartmax.com, support@smartmax.com). 27/03/2003 Vendor reply, they now know of the vulnerabilities. 27/03/2003 Vendor send a patch (Version 5.0.10.7) of the IMAPMax.exe still contains the vulnerability. 27/03/2003 Received version 5.0.10.8 from Vendor. 27/03/2003 Tested version 5.0.10.8 from vendor, and this version is not vulnerable. 27/03/2003 Fix made public. 11/04/2003 Public Disclosure. -----[ADDITIONAL INFORMATION The vulnerability was discovered and reported by Dennis Rand -----[DISCLAIMER The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.