Secunia Research has discovered some vulnerabilities in various E-Post Mail Server products, which can be exploited by malicious users to bypass certain security restrictions, gain knowledge of certain system information, and cause a DoS (Denial of Service), or by malicious people to compromise a vulnerable system.

1) A boundary error exists in the SMTP service in the handling of the username supplied to the AUTH PLAIN and AUTH LOGIN commands. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution via an overly long username.

The vulnerability has been confirmed in EPSTRS.EXE version 4.18 and 4.19, and in SPA-RS.EXE version 4.12. Other versions may also be affected.

2) A boundary error exists in the POP3 service in the handling of the username supplied to the APOP command. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution via an overly long username.

The vulnerability has been confirmed in EPSTPOP4S.EXE version 4.03, and in SPA-POP3S.EXE version 4.03. Other versions may also be affected.

3) A boundary error exists in the IMAP service in the handling of the mailbox name passed to the DELETE command. This can be exploited to crash the server via an overly long mailbox name.

4) An input validation error exists in the IMAP service in the handling of the arguments passed to the LIST command. This can be exploited to obtain directory listings of arbitrary folders on the server with privileges of the IMAP service via directory traversal attacks. It is possible to cause the service to crash by listing certain directories.

5) Input validation errors exist in the IMAP service in the handling of the APPEND, COPY, and RENAME commands. This can be exploited by malicious users to create ".MSG" files and arbitrary directories outside of the mail directory with privileges of the IMAP process via directory traversal attacks.

6) An infinite loop error exists in IMAP service in the handling of the APPEND command. This can be exploited by sending an APPEND command to the service and terminating the connection without sending the expected amount of data.

Successful exploitation causes the IMAP server to consume a large amount of CPU resources, potentially causing a DoS.

Vulnerabilities #3, #4, #5, and #6 have been confirmed in EPSTIMAP4S.EXE version 4.05 and in SPA-IMAP4S.EXE version 4.05. Prior versions may also be affected.

The vulnerabilities affect the following products.
* E-Post Mail Server Enterprise 4.10
* E-Post Mail Server 4.10
* E-Post SMTP Server Enterprise 4.10
* E-Post SMTP Server 4.10
* SPA-PRO Mail @Solomon Enterprise 4.00
* SPA-PRO Mail @Soloman 4.00
* SPA-PRO SMTP @Soloman 4.00

Solution
Apply patches.
Further details available in Customer Area

Provided and/or discovered by
Tan Chew Keong, Secunia Research.

Changelog
Further details available in Customer Area

Original Advisory
Secunia Research:
http://secunia.com/secunia_research/2006-1/

Deep Links
Links available in Customer Area