ID

VAR-200709-0023


CVE

CVE-2007-5094


TITLE

Ipswitch IMail SMTP Server IASPAM.DLL Remote Buffer Overflow Vulnerability

Trust: 0.9

sources: BID: 25762 // CNNVD: CNNVD-200709-391

DESCRIPTION

Heap-based buffer overflow in iaspam.dll in the SMTP Server in Ipswitch IMail Server 8.01 through 8.11 allows remote attackers to execute arbitrary code via a set of four different e-mail messages with a long boundary parameter in a certain malformed Content-Type header line, the string "MIME" by itself on a line in the header, and a long Content-Transfer-Encoding header line.

Ipswitch IMail Server is prone to a buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. Attackers may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Versions between Ipswitch IMail Server 8.01 and 8.11 are vulnerable to this issue; other versions may also be affected. NOTE: This issue may be related to previously disclosed vulnerabilities in IMail, but due to a lack of information we cannot confirm this. We will update this BID as more information emerges.

Ipswitch IMail is a Windows-based mail service program. There is a buffer overflow vulnerability in iaspam.dll of Ipswitch IMail, which may be exploited by remote attackers to control the server. Relevant details:

    loc_1001ada5:              ; note: the load base address differs during dynamic debugging
        mov  eax, [ebp+var_54]
        mov  ecx, [eax+10c8h]
        push ecx               ; char *
        mov  edx, [ebp+var_54]
        mov  eax, [edx+10d0h]
        push eax               ; char *
        call _strcpy
        add  esp, 8
        jmp  loc_1001a6f0

Here both arguments to strcpy, the src and dst pointers, are read directly from the heap without any prior check. By sending a malicious e-mail to the server (SMD file) and then controlling the two pointers at the subsequent offset addresses, an attacker can copy an arbitrary string to an arbitrary memory location.

Trust: 1.98

sources: NVD: CVE-2007-5094 // JVNDB: JVNDB-2007-004441 // BID: 25762 // VULHUB: VHN-28456

AFFECTED PRODUCTS

vendor: ipswitch // model: imail // scope: eq // version: 8.1

Trust: 1.9

vendor: ipswitch // model: imail // scope: eq // version: 8.0.5

Trust: 1.9

vendor: ipswitch // model: imail // scope: eq // version: 8.0.3

Trust: 1.9

vendor: ipswitch // model: imail // scope: eq // version: 8.11

Trust: 1.9

vendor: ipswitch // model: imail // scope: eq // version: 8.01

Trust: 1.9

vendor: ipswitch // model: imail // scope: eq // version: 8.01 to 8.11

Trust: 0.8

sources: BID: 25762 // JVNDB: JVNDB-2007-004441 // CNNVD: CNNVD-200709-391 // NVD: CVE-2007-5094

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-5094
value: HIGH

Trust: 1.0

NVD: CVE-2007-5094
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200709-391
value: HIGH

Trust: 0.6

VULHUB: VHN-28456
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2007-5094
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-28456
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-28456 // JVNDB: JVNDB-2007-004441 // CNNVD: CNNVD-200709-391 // NVD: CVE-2007-5094

PROBLEMTYPE DATA

problemtype: CWE-119

Trust: 1.9

sources: VULHUB: VHN-28456 // JVNDB: JVNDB-2007-004441 // NVD: CVE-2007-5094

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200709-391

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200709-391

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-004441

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-28456

PATCH

title: IMail Server // url: http://www.imailserver.com/

Trust: 0.8

sources: JVNDB: JVNDB-2007-004441

EXTERNAL IDS

db: NVD // id: CVE-2007-5094

Trust: 2.8

db: BID // id: 25762

Trust: 2.0

db: EXPLOIT-DB // id: 4438

Trust: 1.7

db: OSVDB // id: 39390

Trust: 1.7

db: JVNDB // id: JVNDB-2007-004441

Trust: 0.8

db: MILW0RM // id: 4438

Trust: 0.6

db: XF // id: 36723

Trust: 0.6

db: CNNVD // id: CNNVD-200709-391

Trust: 0.6

db: VULHUB // id: VHN-28456

Trust: 0.1

sources: VULHUB: VHN-28456 // BID: 25762 // JVNDB: JVNDB-2007-004441 // CNNVD: CNNVD-200709-391 // NVD: CVE-2007-5094

REFERENCES

url: http://www.securityfocus.com/bid/25762

Trust: 1.7

url: http://pstgroup.blogspot.com/2007/09/exploitimail-iaspamdll-80x-remote-heap.html

Trust: 1.7

url: http://osvdb.org/39390

Trust: 1.7

url: https://www.exploit-db.com/exploits/4438

Trust: 1.1

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/36723

Trust: 1.1

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-5094

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-5094

Trust: 0.8

url: http://www.milw0rm.com/exploits/4438

Trust: 0.6

url: http://xforce.iss.net/xforce/xfdb/36723

Trust: 0.6

url: http://www.ipswitch.com/products/imail_server/index.html

Trust: 0.3

sources: VULHUB: VHN-28456 // BID: 25762 // JVNDB: JVNDB-2007-004441 // CNNVD: CNNVD-200709-391 // NVD: CVE-2007-5094

CREDITS

axis (axis@ph4nt0m)

Trust: 0.6

sources: CNNVD: CNNVD-200709-391

SOURCES

db: VULHUB // id: VHN-28456
db: BID // id: 25762
db: JVNDB // id: JVNDB-2007-004441
db: CNNVD // id: CNNVD-200709-391
db: NVD // id: CVE-2007-5094

LAST UPDATE DATE

2025-04-10T23:07:25.365000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-28456 // date: 2017-09-29T00:00:00
db: BID // id: 25762 // date: 2015-05-07T17:35:00
db: JVNDB // id: JVNDB-2007-004441 // date: 2012-09-25T00:00:00
db: CNNVD // id: CNNVD-200709-391 // date: 2007-11-01T00:00:00
db: NVD // id: CVE-2007-5094 // date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB // id: VHN-28456 // date: 2007-09-26T00:00:00
db: BID // id: 25762 // date: 2007-09-21T00:00:00
db: JVNDB // id: JVNDB-2007-004441 // date: 2012-09-25T00:00:00
db: CNNVD // id: CNNVD-200709-391 // date: 2007-09-26T00:00:00
db: NVD // id: CVE-2007-5094 // date: 2007-09-26T22:17:00