Subject: [w00giving '99 #18] Ipswitch's IMonitor server (IMail package)
Release Date: January 05, 2000

Systems Affected:
IMail IMONITOR v5.08 (port 8181) server for WinNT and possibly other
versions.

NOTE: IMail v6.0 isn't public; thus, it hasn't been tested.

About The Software:
Good for school, business, and server providers. Unlike Microsoft
Exchange and Lotus Notes, which are costly to deploy and cumbersome to
administer, IMail is easy to install and manage.

THE PROBLEM

UssrLabs has found a vulnerability in status.cgi that is triggered by
making several sequential calls to the script.  status.cgi checks to
see what services are running, and sending it several requests can
cause an "invalid memory address error" in Dr. Watson.

Example:
Open in Internet Explorer: http://ServerIp:8181/status.cgi and you
will see something like this:

|-----------------------|
|Service    | Status    |
|SMTP       | UP        |
|POP3       | UP        |
|DNS        | UP        |
|WEB        | UP        |
|TELNET     | UP        |
|FTP        | UP        |
|03:33:00   | 03:32:00  |
...

If you run status.cgi several times, the server will crash.
Binary or source to this exploit: http://www.ussrback.com.


Do you do the w00w00?
This advisory also acts as part of w00giving.  This is another
contribution to w00giving for all you w00nderful people out there.
You do know what w00giving is, don't you?  http://www.w00w00.org/advisories.html

Vendor Status:
Contacted--tracking number for this inquiry is IMS2000010500000096

Program URL: http://www.ipswitch.com/Products/IMail_Server/index.asp

SOLUTION
Because Ipswitch doesn't release source, wait for them to provide
a patch.
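
Until a patch is available, bursts of status.cgi requests can be spotted in
the logs of a proxy or packet filter placed in front of port 8181. The
following is an added example, not part of the original advisory or of any
Ipswitch or UssrLabs code; the log format, the sample lines, the threshold of
5 requests and the 10-second window are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp client method path" format,
# e.g. from a proxy or packet filter in front of IMonitor on port 8181.
SAMPLE_LOG = """\
2000-01-05T03:32:00 10.0.0.5 GET /status.cgi
2000-01-05T03:32:01 10.0.0.9 GET /status.cgi
2000-01-05T03:32:01 10.0.0.9 GET /status.cgi?x=1
2000-01-05T03:32:02 10.0.0.9 GET /STATUS.CGI
2000-01-05T03:32:02 10.0.0.9 GET /status.cgi
2000-01-05T03:32:03 10.0.0.9 GET /status.cgi
2000-01-05T03:40:00 10.0.0.5 GET /status.cgi
this line is malformed and must be skipped
2000-01-05T03:40:30 10.0.0.7 GET /index.html
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(?:GET|POST|HEAD)\s+(\S+)$")

def find_status_bursts(log_text, threshold=5, window_seconds=10):
    """Return {client: first timestamp at which it reached `threshold`
    status.cgi requests inside a sliding window of `window_seconds`}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, client, path = m.groups()
        # Windows file names are case-insensitive; ignore any query string.
        if path.split("?", 1)[0].lower() != "/status.cgi":
            continue
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue
        hits = recent[client]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()
        if len(hits) >= threshold and client not in alerts:
            alerts[client] = when
    return alerts

if __name__ == "__main__":
    for client, when in find_status_bursts(SAMPLE_LOG).items():
        print(f"{when.isoformat()} burst of status.cgi requests from {client}")
```

The advisory only says "several" requests, so tune the threshold and window
to what normal monitoring traffic against status.cgi looks like on your
network.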

Greetings:
eEye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN,
Technotronic, and Wiretrip

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com


