FYI, This was posted to BugTraq yesterday.

----- Original Message -----
From: "SAKAI Yoriyuki" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 06, 2000 8:41 PM
Subject: DoS by SMTP AUTH command in IPSwitch IMail server

> Dear folks,
>
> I found a kind of DoS to handle SMTP AUTH command in IPSwitch IMail
> server version 6.0.5.
> IPSwitch ships a product titled IMail, an email server for usage on NT
> servers serving SMTP, POP3, IMAP4, LDAP etc.
> It supports SMTP AUTH commands (RFC2554) and several authenticate methods
> to relay/accept e-mail.
>
> Problem Description
> -------------------
> I put passwords over 80 bytes and less than 136 bytes in BASE64 format,
> the smtp server of IMail stops responding. No new SMTP sessions are
> able to be created from local and remote. In this case, the length of
> password made a problem, no value matters.
>
> Example of Issue:
> HELO myhost
> 250 hello target
> AUTH LOGIN
> 334 VXNlcm5hbWU6 (Put BASE64ed user name)
> 334 UGFzc3dvcmQ6
> (Put BASE64ed user password over 80 bytes and less than 136 bytes;
> the length of password is proximal.)
> (The connection is disconnected.)
>
> When I put over about 136 bytes for password, the server responds
> the status of "552" (command exceeds maximum length) and continues
> to work.
> If the length of password is less than 80 bytes, it works normally.
>
> Remotely Exploitable
> --------------------
> Yes
>
> Locally Exploitable
> --------------------
> Yes
>
> Tested Version of IMail
> -----------------------
> 6 Gold (Japanese; No minor version is available)
> 6.0.5 (English)
>
> Tested on
> ---------
> Windows NT 4.0 Server SP6a (Japanese/English)
> Windows 2000 Server (No SPs) (Japanese/English)
> Windows 2000 Server SP1 (Japanese/English)
>
> Status of fixes
> ---------------
> I had reported this issue at 2000/Nov/15 and discussed this
> issue. IPSwitch has not released a patch yet.
> I hope a fix program will be released as soon as possible.
>
> Status of fixes (Japanese Version)
> ---------------------------------
> I also reported this issue to Japanese distributor of IMail
> at 2000/Nov/15, but when I reported I used the evaluation version of
> IMail, they closed all responses. Their attitude is contrastive to
> IPSwitch's. I'd only wanted to examine what kind of bugs are still
> in the current version of IMail and wanted to make a short report
> to our customer.
> I wonder whether they really mean the evaluation copy is for
> the sake of evaluation and all vulnerability must be reported by
> the current customer.
>
> --
> SAKAI Yoriyuki / SNS (SecureNetService)Team / LAC Co., Ltd.
> [EMAIL PROTECTED]
> http://www.lac.co.jp/security/
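
A mitigation sketch for the condition reported above, added here as an example and not part of the original post or of any IPSwitch code: a filter in front of an SMTP server that vets the client's two responses in an AUTH LOGIN exchange before forwarding them. The class and function names, the 79-byte limit (taken from the report's "less than 80 bytes works normally" and applied to the encoded line as sent) and the sample sessions are assumptions.

```python
import base64
import binascii

MAX_CRED_LEN = 79  # assumption: longest encoded credential line forwarded to the server

class AuthLoginGuard:
    """Tracks the client lines of one SMTP session and vets AUTH LOGIN responses."""

    def __init__(self, max_len=MAX_CRED_LEN):
        self.max_len = max_len
        self.pending = []              # credential fields still expected, in order

    def check(self, line):
        """Return 'pass' or a reject reason for one client line (CRLF already stripped)."""
        if not self.pending:
            parts = line.split()
            if len(parts) >= 2 and parts[0].upper() == b"AUTH" and parts[1].upper() == b"LOGIN":
                self.pending = ["username", "password"]
                if len(parts) == 3:    # initial response: user name sent with the command
                    return self._vet(parts[2])
            return "pass"
        if line == b"*":               # client cancels the authentication exchange
            self.pending = []
            return "pass"
        return self._vet(line)

    def _vet(self, token):
        field = self.pending.pop(0)
        verdict = "pass"
        if len(token) > self.max_len:
            verdict = f"reject: {field} too long ({len(token)} bytes)"
        else:
            try:
                base64.b64decode(token, validate=True)
            except binascii.Error:
                verdict = f"reject: {field} is not valid base64"
        if verdict != "pass":
            self.pending = []          # abort the exchange on the first bad field
        return verdict

def vet_session(lines, max_len=MAX_CRED_LEN):
    guard = AuthLoginGuard(max_len)
    return [guard.check(line) for line in lines]

# Constructed sample sessions (client side only); the second carries a 100-byte encoded password.
NORMAL = [b"HELO myhost", b"AUTH LOGIN", base64.b64encode(b"alice"), base64.b64encode(b"correct horse")]
OVERLONG = [b"HELO myhost", b"AUTH LOGIN", base64.b64encode(b"alice"), base64.b64encode(b"x" * 75)]
if __name__ == "__main__":
    print(vet_session(NORMAL), vet_session(OVERLONG), sep="\n")
```

A proxy using this would answer a rejected line itself (for example with a 5xx reply) and drop the exchange instead of relaying it to the backend.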
