Look at text under LDAP vulnerabilities, could this be what is happening to
you?
Mike Prince
Micro-Prince Computers
www.micro-prince.com
Multiple IMail Vulnerabilites
Release Date:
March 1, 1999
Systems Affected:
IMail 5.0
Description:
The following holes can be used as a Denial of Service against the various
services mentioned and in some cases used to remotely execute code.
Imapd (143)
The imapd login process does not do proper bounds checking on usernames and
passwords.
* OK IMAP4 Server (IMail 4.06)
X LOGIN glob1 glob2
Where glob1 is 1200 characters and glob2 is 1300 characters. The imapd
service will crash with the usuall overflow error.
LDAP (389)
Telnet to server.com 389
Send: Y glob1
hit enter twice
Server Returns: 0
Send: Y glob2
hit enter
Where glob1 and glob2 are 2375 characters and Y is Y. The ldap service goes
to 90 percent or so and idles there. Therefore using up most system
resources.
IMonitor (8181)
Telnet to server.com 8181
Send: glob1
hit enter twice
Where glob1 is 2045 characters. The IMonitor service crashes with the normal
overflow message.
IMail Web Service (8383)
Telnet to server.com 8383
Send: GET /glob1/
Where glob1 is 3000 characters. The usual overflow message will be
displayed. This one looks to be easily exploitable. >:-]
Whois32 Daemon (43)
Telnet to server.com 43
Send glob1
Where glob1 is 1000 characters. The usual overflow message will be
displayed. Ya... starting to sound old.
Vendor Status:
Vendor has been notified, Waiting for response...
Copyright (c) 1998-1999 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail [EMAIL PROTECTED] for
permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
mail:[EMAIL PROTECTED]
http://www.eEye.com
----- Original Message -----
From: "Gaudin Marius (Softec)" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, June 13, 2000 4:23 AM
Subject: RE: [IMail Forum] 100% Utilization on IWEBMSG.EXE - Any Ideas?
> I had the same problem with 5.04. With the Update to 5.09, it disappeared.
>
> Marius
>
> -----Original Message-----
> From: Mike Prince [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 13, 2000 3:34 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [IMail Forum] 100% Utilization on IWEBMSG.EXE - Any Ideas?
>
>
> I am new at this so please excuse me if I ask a dumb question.
>
> Mark what version of imail are you running.
>
> ----- Original Message -----
> From: "Mark McDonald" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, June 10, 2000 11:27 PM
> Subject: [IMail Forum] 100% Utilization on IWEBMSG.EXE - Any Ideas?
>
>
> > We have recently started experiencing 100% utilization on our IMail
> server.
> > There is no additional software loaded on this machine other that IMail.
> We
> > have checked the IMonitor and it is not set to monitor and/or restart
the
> > Web Messaging service. The ONLY change we've made to IMail in the last
30
> > days was from "Relay for anyone" to "Relay for Local Hosts Only". It
will
> > again shoot up to 100% utilization within 2-3 hours of being rebooted.
> >
> > -Mark McDonald
> > [EMAIL PROTECTED]
> >
> > The Siteserver Network!
> > Voice: 800.610.9856, Ext. 231 - Fax: 888.333.2710
> > Please visit http://www.ipswitch.com/support/mailing-lists.html
> > to be removed from this list.
> >
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
