|
E-Post Mail Server Products Multiple Vulnerabilities
|
|
Secunia Advisory:
|
SA18480
|
|
|
Release Date:
|
2006-01-25
|
|
Last Update:
|
2006-01-31
|
|
Popularity:
|
7,158 views
|
|
|
Critical:
|
Highly critical
|
|
Impact:
|
Security Bypass
Exposure of system information
DoS
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | E-Post Mail Server 4.x
E-Post Mail Server Enterprise 4.x
E-Post SMTP Server 4.x
E-Post SMTP Server Enterprise 4.x
SPA-PRO Mail @Solomon 4.x
SPA-PRO Mail @Solomon Enterprise 4.x
SPA-PRO SMTP @Solomon 4.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
| | CVE reference: | CVE-2006-0447
CVE-2006-0448
CVE-2006-0449
|
|
Description:
Secunia Research has discovered some vulnerabilities in various E-Post Mail Server products, which can be exploited by malicious users to bypass certain security restrictions, gain knowledge of certain system information, and cause a DoS (Denial of Service), or by malicious people to compromise a vulnerable system.
1) A boundary error exists in the SMTP service in the handling of the username supplied to the AUTH PLAIN and AUTH LOGIN commands. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution via an overly long username.
The vulnerability has been confirmed in EPSTRS.EXE version 4.18 and 4.19, and in SPA-RS.EXE version 4.12. Other versions may also be affected.
2) A boundary error exists in the POP3 service in the handling of the username supplied to the APOP command. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution via an overly long username.
The vulnerability has been confirmed in EPSTPOP4S.EXE version 4.03, and in SPA-POP3S.EXE version 4.03. Other versions may also be affected.
3) A boundary error exists in the IMAP service in the handling of the mailbox name passed to the DELETE command. This can be exploited to crash the server via an overly long mailbox name.
4) An input validation error exists in the IMAP service in the handling of the arguments passed to the LIST command. This can be exploited to obtain directory listings of arbitrary folders on the server with privileges of the IMAP service via directory traversal attacks. It is possible to cause the service to crash by listing certain directories.
5) Input validation errors exist in the IMAP service in the handling of the APPEND, COPY, and RENAME commands. This can be exploited by malicious users to create ".MSG" files and arbitrary directories outside of the mail directory with privileges of the IMAP process via directory traversal attacks.
6) An infinite loop error exists in IMAP service in the handling of the APPEND command. This can be exploited by sending an APPEND command to the service and terminating the connection without sending the expected amount of data.
Successful exploitation causes the IMAP server to consume a large amount of CPU resources, potentially causing a DoS.
Vulnerabilities #3, #4, #5, and #6 have been confirmed in EPSTIMAP4S.EXE version 4.05 and in SPA-IMAP4S.EXE version 4.05. Prior versions may also be affected.
The vulnerabilities affect the following products.
* E-Post Mail Server Enterprise 4.10
* E-Post Mail Server 4.10
* E-Post SMTP Server Enterprise 4.10
* E-Post SMTP Server 4.10
* SPA-PRO Mail @Solomon Enterprise 4.00
* SPA-PRO Mail @Soloman 4.00
* SPA-PRO SMTP @Soloman 4.00
Solution:
Apply patches.
E-Post Mail Server Enterprise 4.10:
http://www.e-postinc.jp/bin/jp-mail@epostmsent20060117.exe
E-Post Mail Server 4.10:
http://www.e-postinc.jp/bin/jp-mail@epostmsstd20060117.exe
E-Post SMTP Server Enterprise 4.10:
http://www.e-postinc.jp/bin/jp-mail@epostssent20060117.exe
E-Post SMTP Server 4.10:
http://www.e-postinc.jp/bin/jp-mail@epostssstd20060117.exe
SPA-PRO Mail @Solomon Enterprise 4.00:
http://www.e-postinc.jp/bin/jp-mail@solomon20060117.exe
SPA-PRO Mail @Soloman 4.00:
http://www.e-postinc.jp/bin/jp-mail@solomon20060117.exe
SPA-PRO SMTP @Soloman 4.00:
http://www.e-postinc.jp/bin/jp-smtp@solomon20060117.exe
Note: The vulnerabilities have been fixed in following components.
* EPSTRS.EXE version 4.21
* EPSTPOP3S.EXE version 4.06
* EPSTIMAP4S.EXE version 4.07
* SPA-RS.EXE version 4.13
* SPA-POP3S.EXE version 4.04
* SPA-IMAP4S.EXE 4.06
Provided and/or discovered by:
Tan Chew Keong, Secunia Research.
Changelog:
2006-01-31: Added CVE references.
Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2006-1/
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
8th Jan, 2009
|
New advisories:
|
24 |
|
New vulnerabilities:
|
99 |
|
Updated advisories:
|
26 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 Solutions | More...
|
|
