Vulnerabilities > CVE-2001-0039 - Unspecified vulnerability in Ipswitch Imail 6.0.5

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
ipswitch
nessus

Summary

IPSwitch IMail 6.0.5 allows remote attackers to cause a denial of service using the SMTP AUTH command by sending a base64-encoded user password whose length is between 80 and 136 bytes.

Vulnerable Configurations

Part Description Count
Application
Ipswitch
1

Nessus

NASL familySMTP problems
NASL idDDI_IPSWITCH-IMAIL-SMTP-BUFFER-OVERFLOW.NASL
descriptionA vulnerability exists within IMail that allows remote attackers to gain SYSTEM level access to servers running IMail
last seen2020-06-01
modified2020-06-02
plugin id10994
published2002-06-05
reporterThis script is Copyright (C) 2002-2016 Digital Defense, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10994
titleIPSwitch IMail SMTP Multiple Vulnerabilities (OF, DoS)
code
#
# This script is Copyright (C) Digital Defense Inc.
# Author: Forrest Rae <[email protected]>
#
# Script audit and contributions from Carmichael Security
#      Erik Anderson <[email protected]> (nb: domain no longer exists)
#      Added BugtraqID
#
# See the Nessus Scripts License for details
#

# Changes by Tenable:
# - Revised description, added CVSS, updated severity (4/10/2009)


include("compat.inc");

if(description)
{
	script_id(10994);
	script_version ("1.23");

	script_cve_id("CVE-2001-0039","CVE-2001-0494");
	script_bugtraq_id(2083, 2651);
 
 	script_name(english:"IPSwitch IMail SMTP Multiple Vulnerabilities (OF, DoS)");
	script_summary(english:"IPSwitch IMail SMTP Buffer Overflow");
 
	script_set_attribute(attribute:"synopsis", value:
"It may be possible to execute arbitrary commands on the remote
system.");
	script_set_attribute(attribute:"description", value:
"A vulnerability exists within IMail that allows remote attackers to
gain SYSTEM level access to servers running IMail's SMTP daemon
(versions 6.06 and below).  The vulnerability stems from the IMail
SMTP daemon not doing proper bounds checking on various input data
that gets passed to the IMail Mailing List handler code.  If an
attacker crafts a special buffer and sends it to a remote IMail SMTP
server, it is possible that an attacker can remotely execute code
(commands) on the IMail system." );
	# https://web.archive.org/web/20011109230429/http://archives.neohapsis.com/archives/bugtraq/2001-04/0433.html
	script_set_attribute(attribute:"see_also",value:
"http://www.nessus.org/u?ff8d9b9d" );
	script_set_attribute(attribute:"solution", value:
"Apply vendor-supplied patches." );
	script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
	script_set_attribute(attribute:"plugin_publication_date", value:
"2002/06/05");
 script_set_attribute(attribute:"vuln_publication_date", value: "2000/12/07");
 script_cvs_date("Date: 2018/06/27 18:42:26");
	script_set_attribute(attribute:"plugin_type", value:"remote");
	script_end_attributes();

	script_category(ACT_GATHER_INFO);
	script_copyright(english:"This script is Copyright (C) 2002-2016 Digital Defense, Inc.");
	script_family(english:"SMTP problems");
	script_dependencie("find_service1.nasl");
	script_require_ports(25);
	exit(0);
}

debug = 0;
ddidata = string("Not Applicable");
port = 25;

if(get_port_state(port))
{
	if(debug == 1) { display("Port ", port, " is open.\n"); }
		

	soc = open_sock_tcp(port);
	if(soc)
	{
		if(debug == 1)
		{
			display("Socket is open.\n");
		}
		
		banner = recv_line(socket:soc, length:4096);
		
		if(debug == 1)
		{
			display("\n---------Results from request ---------\n");
			display(banner);
			display("\n---------End of Results from request ---------\n\n");
		}
		     
		if(
		   egrep(pattern:"IMail 6\.0[1-6] ", string:banner) 	|| 
		   egrep(pattern:"IMail 6\.0 ", string:banner) 		||
		   egrep(pattern:"IMail [1-5]\.", string:banner)
		  )
		{
			if(debug == 1)
			{
				display("SMTP Server is IMail\n");
			}
		
			security_hole(port); 
			exit(0);
		}

		close(soc);
	}
	else
	{
		if(debug == 1) { display("Error: Socket didn't open.\n"); }
	}
}