SNS Advisory No.19

DoS by SMTP AUTH command in IPSwitch IMail server

Problem first discovered: 15 Nov 2000
Published: 7 Dec 2000
Last Updated: 7 Dec 2000
_________________________________________________________________

Overview:
We found a denial-of-service (DoS) condition in the handling of the SMTP AUTH command in IPSwitch IMail server version 6.0.5.

Problem Description:
If a long password is passed to the SMTP server, the server stops responding. When the password is over 80 bytes and less than 136 bytes in BASE64 format, no new SMTP sessions can be created, either locally or remotely. The problem is caused by the length of the password; its value does not matter.

Example of Issue:

  HELO myhost
  250 hello target
  AUTH LOGIN
  334 VXNlcm5hbWU6
  (Put BASE64ed user name)
  334 UGFzc3dvcmQ6
  (Put BASE64ed user password over 80 bytes and less than 136 bytes; the length of the password is approximate.)
  (The connection is disconnected.)

When a password over about 136 bytes is passed to the server, the server responds with status "552" (command exceeds maximum length) and continues to work. If the length of the password is less than 80 bytes, it works normally.

Fig1: Application error

Tested Version of IMail:
  6 Gold (Japanese; No minor version is available)
  6.0.5 (English)

Tested on:
  Windows NT 4.0 Server SP6a (Japanese/English)
  Windows 2000 Server (No SPs) (Japanese/English)
  Windows 2000 Server SP1 (Japanese/English)

Status of fixes:
IPSwitch released a patch program to fix this problem.

How to apply patches for IMail 6.x:
http://www.ipswitch.com/support/IMail/patch-upgrades.html

SMTPd32, POP3d32 and IMAP4d32 Patch for IMail Server 6.05:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/Imail/IM605HF5.exe

Vendor Information:
IPSwitch Inc.
http://www.ipswitch.com/

Disclaimer:
All information in these advisories is subject to change without advance notice or mutual consent, and each advisory is released as is. LAC Co.,Ltd. is not responsible for any risks arising from the use of this information.
_________________________________________________________________

Copyright(c) 1995-2002 Little eArth Corporation
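
An added example, not part of the original advisory or of IPSwitch's software: a detection check that walks a captured SMTP session and reports AUTH LOGIN password responses whose BASE64 length falls in the window given under Problem Description. The "C: "/"S: " transcript format, the function names and the sample passwords are assumptions constructed for illustration; length is measured on the BASE64 text as sent.

```python
import base64
import binascii

LOW, HIGH = 80, 136  # advisory's window: over 80 and less than 136 bytes of BASE64

def decode_prompt(reply):
    """Return the decoded prompt of a '334 <BASE64>' server reply, else None."""
    code, _, arg = reply.partition(" ")
    if code != "334":
        return None
    try:
        return base64.b64decode(arg.strip(), validate=True).decode("ascii", "replace")
    except (binascii.Error, ValueError):
        return None

def flag_long_auth_passwords(transcript, low=LOW, high=HIGH):
    """Return (line_number, length) for AUTH LOGIN password responses whose
    BASE64 text has low < length < high. Only the length is recorded."""
    findings, in_auth, awaiting = [], False, None
    for number, raw in enumerate(transcript, start=1):
        side, _, text = raw.partition(": ")
        text = text.strip()
        if side == "C" and text.upper().startswith("AUTH LOGIN"):
            in_auth, awaiting = True, None
        elif side == "S" and in_auth:
            prompt = decode_prompt(text)
            if prompt is None:          # any reply other than 334 ends the exchange
                in_auth, awaiting = False, None
            else:                       # "Username:" / "Password:" -> which answer is next
                awaiting = prompt.strip().rstrip(":").lower()
        elif side == "C" and in_auth:
            if awaiting == "password" and low < len(text) < high:
                findings.append((number, len(text)))
            awaiting = None
    return findings

def sample_session(password_b64):
    """Constructed transcript in 'C: '/'S: ' form (an assumed capture format)."""
    return ["C: HELO myhost", "S: 250 hello target", "C: AUTH LOGIN",
            "S: 334 VXNlcm5hbWU6", "C: " + base64.b64encode(b"user").decode(),
            "S: 334 UGFzc3dvcmQ6", "C: " + password_b64]

if __name__ == "__main__":
    for size in (6, 75, 120):           # constructed passwords: 8, 100, 160 BASE64 bytes
        b64 = base64.b64encode(b"x" * size).decode()
        print(size, flag_long_auth_passwords(sample_session(b64)))
```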