Buffer Overflow Vulnerability Found in MailMax Version 5

["Dennis Rand" <der () infowarfare dk>]

                       Buffer Overflow Vulnerability
                         Found in MailMax Version 5
                           http://www.smartmax.com
                         
                          Discovered by Dennis Rand
                             www.Infowarfare.dk
------------------------------------------------------------------------


-----[SUMMARY
This is a scalable e-mail server that supports SMTP, IMAP4 and POP3
protocols. 
Its TCP/IP GUI allows server administration from any Internet connected
server. 
The Web Admin module allows you to define domain administrators so they can 
Maintain their own accounts. It also provides anti-spamming options. 

The problem is a Buffer Overflow in the IMAP4 protocol, within the 
IMAP4rev1 SmartMax IMAPMax 5, causing the service to stop responding.


-----[AFFECTED SYSTEMS
Vulnerable systems:
 * IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.6 and 5.0.10.7)

Immune systems:
 * IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.8)
 * IMAP4rev1 SmartMax IMAPMax 5.5


-----[SEVERITY
Medium - An attacker is able to cause a DoS attack on the IMAP protocol
         But it has no effect on the rest of the system.
         

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The Vulnerability is a Buffer Overflow in the IMAP4rev1 SmartMax IMAPMax 5
When a malicious attacker sends a large amount into the password field, in
The login procedure. 


The following transcript demonstrates a sample exploitation of the 
Vulnerabilities:
----------------------------- [Transcript] -----------------------------
nc 127.0.0.1 143
* OK IMAP4rev1 SmartMax IMAPMax 5 Ready
0000 CAPABILITY
* CAPABILITY IMAP4rev1
0000 OK CAPABILITY completed
0001 LOGIN "mail () mail com" "A..[50] ..A"
0001 NO Invalid user name or password.
0001 NO Invalid user name or password.

----------------------------- [Transcript] -----------------------------

When this attack is used there will pop-up a message box on the server, with
the text
"Buffer overrun detected! - Program: <PATH>\IMAPMax.exe" at this time the
service 
shuts down, and has to be restarted manually, from the service manager.


-----[DETECTION
IMAP4rev1 SmartMax IMAPMax 5 is vulnerable to the above-described attacks. 
Earlier versions may be susceptible as well. To determine if a specific 
implementation is vulnerable, experiment by following the above transcript. 


-----[WORK AROUNDS
*   With this vulnerable version of IMAP, the only workaround is to disable
the 
    IMAP4rev1 SmartMax IMAPMax 5 service, there are no workaround in the
configuration.

*    SmartMax has released a patched version of IMAPMax.exe version 5.0.10.8
which corrects 
     the problem. It can be downloaded at
ftp://ftp.smartmax.com/updates/MailMax 5.0/Files/
     Remember to ensure that the file version is 5.0.10.8 or higher.

*    Update your MailMax Version 5 to the released version 5.5



-----[VENDOR RESPONSE
Thank you for the buffer overrun security notification in our 
ImapMax module for MailMax 5.  I'm enclosing an updated IMAPMAX 
which fixes the buffer overflow vulnerability?  We'll be posting 
this in our MailMax 5.5 update next week. 
Regards,
Eric Weber


-----[DISCLOSURE TIMELINE
25/03/2003 Found the Vulnerability, and made an analysis.
27/03/2003 Reported to Vendor (sales () smartmax com, features () smartmax com,
support () smartmax com).
27/03/2003 Vendor reply, they now know of the vulnerabilities.
27/03/2003 Vendor send a patch (Version 5.0.10.7) of the IMAPMax.exe still
contains the vulnerability.
27/03/2003 Received version 5.0.10.8 from Vendor.
27/03/2003 Tested version 5.0.10.8 from vendor, and this version is not
vulnerable.
27/03/2003 Fix made public.
11/04/2003 Public Disclosure.


-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by <der () infowarfare dk> Dennis
Rand

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any
kind. 
In no event shall we be liable for any damages whatsoever including direct,
indirect, 
incidental, consequential, loss of business profits or special damages.