Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11179
HistoryJan 25, 2006 - 12:00 a.m.

[SA18480] E-Post Mail Server Products Multiple Vulnerabilities

2006-01-2500:00:00
vulners.com
16
JSON

TITLE:
E-Post Mail Server Products Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA18480

VERIFY ADVISORY:
http://secunia.com/advisories/18480/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Exposure of system information, DoS, System access

WHERE:
>From remote

SOFTWARE:
E-Post Mail Server 4.x
http://secunia.com/product/6947/
E-Post Mail Server Enterprise 4.x
http://secunia.com/product/6950/
E-Post SMTP Server 4.x
http://secunia.com/product/6948/
E-Post SMTP Server Enterprise 4.x
http://secunia.com/product/6951/
SPA-PRO Mail @Solomon 4.x
http://secunia.com/product/5200/
SPA-PRO Mail @Solomon Enterprise 4.x
http://secunia.com/product/6952/
SPA-PRO SMTP @Solomon 4.x
http://secunia.com/product/6949/

DESCRIPTION:
Secunia Research has discovered some vulnerabilities in various
E-Post Mail Server products, which can be exploited by malicious
users to bypass certain security restrictions, gain knowledge of
certain system information, and cause a DoS (Denial of Service), or
by malicious people to compromise a vulnerable system.

1) A boundary error exists in the SMTP service in the handling of the
username supplied to the AUTH PLAIN and AUTH LOGIN commands. This can
be exploited to cause a stack-based buffer overflow and allows
arbitrary code execution via an overly long username.

The vulnerability has been confirmed in EPSTRS.EXE version 4.18 and
4.19, and in SPA-RS.EXE version 4.12. Other versions may also be
affected.

2) A boundary error exists in the POP3 service in the handling of the
username supplied to the APOP command. This can be exploited to cause
a stack-based buffer overflow and allows arbitrary code execution via
an overly long username.

The vulnerability has been confirmed in EPSTPOP4S.EXE version 4.03,
and in SPA-POP3S.EXE version 4.03. Other versions may also be
affected.

3) A boundary error exists in the IMAP service in the handling of the
mailbox name passed to the DELETE command. This can be exploited to
crash the server via an overly long mailbox name.

4) An input validation error exists in the IMAP service in the
handling of the arguments passed to the LIST command. This can be
exploited to obtain directory listings of arbitrary folders on the
server with privileges of the IMAP service via directory traversal
attacks. It is possible to cause the service to crash by listing
certain directories.

5) Input validation errors exist in the IMAP service in the handling
of the APPEND, COPY, and RENAME commands. This can be exploited by
malicious users to create ".MSG" files and arbitrary directories
outside of the mail directory with privileges of the IMAP process via
directory traversal attacks.

6) An infinite loop error exists in IMAP service in the handling of
the APPEND command. This can be exploited by sending an APPEND
command to the service and terminating the connection without sending
the expected amount of data.

Successful exploitation causes the IMAP server to consume a large
amount of CPU resources, potentially causing a DoS.

Vulnerabilities #3, #4, #5, and #6 have been confirmed in
EPSTIMAP4S.EXE version 4.05 and in SPA-IMAP4S.EXE version 4.05. Prior
versions may also be affected.

The vulnerabilities affect the following products.

  • E-Post Mail Server Enterprise 4.10
  • E-Post Mail Server 4.10
  • E-Post SMTP Server Enterprise 4.10
  • E-Post SMTP Server 4.10
  • SPA-PRO Mail @Solomon Enterprise 4.00
  • SPA-PRO Mail @Soloman 4.00
  • SPA-PRO SMTP @Soloman 4.00

SOLUTION:
Apply patches.

E-Post Mail Server Enterprise 4.10:
http://www.e-postinc.jp/bin/[email protected]

E-Post Mail Server 4.10:
http://www.e-postinc.jp/bin/[email protected]

E-Post SMTP Server Enterprise 4.10:
http://www.e-postinc.jp/bin/[email protected]

E-Post SMTP Server 4.10:
http://www.e-postinc.jp/bin/[email protected]

SPA-PRO Mail @Solomon Enterprise 4.00:
http://www.e-postinc.jp/bin/[email protected]

SPA-PRO Mail @Soloman 4.00:
http://www.e-postinc.jp/bin/[email protected]

SPA-PRO SMTP @Soloman 4.00:
http://www.e-postinc.jp/bin/[email protected]

Note: The vulnerabilities have been fixed in following components.

  • EPSTRS.EXE version 4.21
  • EPSTPOP3S.EXE version 4.06
  • EPSTIMAP4S.EXE version 4.07
  • SPA-RS.EXE version 4.13
  • SPA-POP3S.EXE version 4.04
  • SPA-IMAP4S.EXE 4.06

PROVIDED AND/OR DISCOVERED BY:
Tan Chew Keong, Secunia Research.

ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2006-1/

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

JSON