Denial of Service attack against IPswitch IMail server (short AUTH)
9 Dec. 2000
Summary
IPswitch ships an application called IMail, an e-mail server for Windows NT servers serving SMTP, POP3, IMAP4, LDAP, etc. It supports the SMTP AUTH command (as required by RFC2554) and several authentication methods to relay/accept e-mail. A security problem allows remote attackers to mount a Denial of Service attack against the product.
Credit:
The information has been provided by SAKAI Yoriyuki.
Vulnerable systems:
IPswitch IMail server version 6.0.5
By providing IMail with a password of over 80 bytes and less than 136 bytes in BASE64 format, it is possible to cause the IMail SMTP server to stop responding. In this case, the length of the password is the problem, not the actual value.
Example of issue:
HELO myhost
250 hello target
AUTH LOGIN
334 VXNlcm5hbWU6 (Put BASE64ed user name)
334 UGFzc3dvcmQ6 (Enter a BASE64 encoded user password of over 80 bytes and less than 136 bytes)
(The connection is disconnected.)
If you provide a password of over 136 bytes, the server will respond with status "552" (command exceeds maximum length) and will continue operating normally.
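Added example (not part of the original advisory): a Python check that walks a captured SMTP dialogue and flags AUTH LOGIN password responses whose length falls in the window described above, recording whether the server answered afterwards. The (direction, line) event format, the function names and the sample sessions are constructed for illustration, and measuring the length on the BASE64 line as sent is an assumption.

```python
import base64
import binascii

# Advisory window: over 80 and less than 136 bytes. ASSUMPTION: measured on the
# BASE64 line exactly as the client sent it.
LOW, HIGH = 80, 136

def _prompt(line):
    """Decode the BASE64 text of a '334 ' challenge; '' if it does not decode."""
    try:
        return base64.b64decode(line[4:].strip(), validate=True).decode("ascii", "replace")
    except (binascii.Error, ValueError):
        return ""

def scan_session(events):
    """events: list of (direction, line); direction is 'C' (client) or 'S' (server).
    Returns one finding per AUTH LOGIN password response inside the window."""
    findings, in_auth, prompt = [], False, ""
    for i, (who, line) in enumerate(events):
        line = line.rstrip("\r\n")
        if who == "S":
            # Only a 334 challenge keeps the AUTH exchange open.
            in_auth = in_auth and line.startswith("334 ")
            prompt = _prompt(line) if in_auth else ""
        elif line.upper().startswith("AUTH LOGIN"):
            in_auth, prompt = True, ""
        elif in_auth and prompt.lower().startswith("password"):
            if LOW < len(line) < HIGH:
                # No later server line matches the advisory's symptom.
                answered = any(w == "S" for w, _ in events[i + 1:])
                findings.append({"event": i, "encoded_len": len(line),
                                 "server_answered": answered})
            prompt = ""
    return findings

def _session(password_bytes, tail):
    """Constructed sample dialogue; password_bytes is filler, not a real secret."""
    pw = base64.b64encode(b"x" * password_bytes).decode()
    return [("C", "HELO myhost"), ("S", "250 hello target"), ("C", "AUTH LOGIN"),
            ("S", "334 VXNlcm5hbWU6"), ("C", "dXNlcg=="),
            ("S", "334 UGFzc3dvcmQ6"), ("C", pw)] + tail

SILENT = _session(66, [])  # 88-byte line, no server reply afterwards
REJECTED = _session(120, [("S", "552 command exceeds maximum length")])  # 160 bytes

if __name__ == "__main__":
    for name, s in (("SILENT", SILENT), ("REJECTED", REJECTED)):
        print(name, scan_session(s))
```

A finding with server_answered set to False is the combination worth alerting on, since it pairs the in-window length with the dropped connection shown in the example dialogue.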