Details of VAR-200901-0467

ID

VAR-200901-0467

CVE

CVE-2007-2795

TITLE

Ipswitch IMail Server Multiple Buffer Overflow Vulnerabilities

Trust: 0.9

sources: BID: 24962 // CNNVD: CNNVD-200901-363

DESCRIPTION

Multiple buffer overflows in Ipswitch IMail before 2006.21 allow remote attackers or authenticated users to execute arbitrary code via (1) the authentication feature in IMailsec.dll, which triggers heap corruption in the IMail Server, or (2) a long SUBSCRIBE IMAP command, which triggers a stack-based buffer overflow in the IMAP Daemon. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Ipswitch IMail and ICS server. Authentication is not required to exploit this vulnerability.The specific flaw resides in IMailsec.dll while attempting to authenticate users. The affected component is used by multiple services that listen on a default installation. The authentication mechanism copies user-supplied data into fixed length heap buffers using the lstrcpyA() function. The unbounded copy operation can cause a memory corruption resulting in an exploitable condition. Authentication is required to exploit this vulnerability.The specific flaw exists due to a lack of bounds checking during theparsing of arguments to the SUBSCRIBE IMAP command sent to the IMAP daemon listening by default on TCP port 143. By providing an overly long string as the argument, an exploitable stack-based buffer overflow occurs. Ipswitch IMail Server is prone to multiple buffer-overflow vulnerabilities because the software fails to properly check boundaries on user-supplied data before copying it to an insufficiently sized buffer. Successful attacks allow arbitrary code to run, facilitating the remote compromise of affected computers. Exploit attempts may also cause the application to crash. Ipswitch IMail Server 2006 is vulnerable to these issues; other versions may also be affected. Ipswitch IMail Server is an American Ipswitch company's mail server running on the Microsoft Windows operating system. IMail bundles an IMAP daemon (imapd32.exe) that allows users to access mail. ZDI-07-042: Ipswitch IMail Server GetIMailHostEntry Memory Corruption Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-07-042.html July 24, 2007 -- CVE ID: CVE-2007-2795 -- Affected Vendor: Ipswitch -- Affected Products: Ipswitch IMail Ipswitch Collaboration Suite -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since July 24, 2007 by Digital Vaccine protection filter ID 5224. -- Vendor Response: Ipswitch has issued an update to correct this vulnerability. More details can be found at: http://www.ipswitch.com/support/imail/releases/im200621.asp -- Disclosure Timeline: 2007.02.26 - Vulnerability reported to vendor 2007.07.24 - Digital Vaccine released to TippingPoint customers 2007.07.24 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Sebastian Apelt (webmaster@buzzworld.org). -- About the Zero Day Initiative (ZDI): Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is being sent by 3Com for the sole use of the intended recipient(s) and may contain confidential, proprietary and/or privileged information. Any unauthorized review, use, disclosure and/or distribution by any recipient is prohibited. If you are not the intended recipient, please delete and/or destroy all copies of this message regardless of form and any included attachments and notify 3Com immediately by contacting the sender via reply e-mail or forwarding to 3Com at postmaster@3com.com

Trust: 3.42

sources: NVD: CVE-2007-2795 // JVNDB: JVNDB-2009-001634 // ZDI: ZDI-07-042 // ZDI: ZDI-07-043 // BID: 24962 // VULHUB: VHN-26157 // PACKETSTORM: 58013 // PACKETSTORM: 58012

AFFECTED PRODUCTS

vendor:	ipswitch	model:	imail	scope:	eq	version:	2006.1	Trust: 1.6
vendor:	ipswitch	model:	imail	scope:	-	version:	-	Trust: 1.4
vendor:	ipswitch	model:	imail	scope:	lte	version:	2006.2	Trust: 1.0
vendor:	ipswitch	model:	imail	scope:	lte	version:	2006.21	Trust: 0.8
vendor:	ipswitch	model:	imail	scope:	eq	version:	2006.2	Trust: 0.6
vendor:	ipswitch	model:	imail server	scope:	eq	version:	2006	Trust: 0.3
vendor:	ipswitch	model:	imail server	scope:	ne	version:	2006.21	Trust: 0.3

sources: ZDI: ZDI-07-042 // ZDI: ZDI-07-043 // BID: 24962 // JVNDB: JVNDB-2009-001634 // CNNVD: CNNVD-200901-363 // NVD: CVE-2007-2795

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2007-2795
value:	HIGH
Trust: 1.0
NVD:	CVE-2007-2795
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-200901-363
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-26157
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2007-2795
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-26157
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-26157 // JVNDB: JVNDB-2009-001634 // CNNVD: CNNVD-200901-363 // NVD: CVE-2007-2795

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.9

sources: VULHUB: VHN-26157 // JVNDB: JVNDB-2009-001634 // NVD: CVE-2007-2795

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200901-363

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200901-363

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-001634

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-26157

PATCH

title:

im200621

url:

http://www.ipswitch.com/support/imail/releases/im200621.asp

Trust: 2.2

sources: ZDI: ZDI-07-042 // ZDI: ZDI-07-043 // JVNDB: JVNDB-2009-001634

EXTERNAL IDS

db:	NVD	id:	CVE-2007-2795	Trust: 4.4
db:	ZDI	id:	ZDI-07-042	Trust: 2.8
db:	ZDI	id:	ZDI-07-043	Trust: 2.8
db:	JVNDB	id:	JVNDB-2009-001634	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-166	Trust: 0.7
db:	ZDI_CAN	id:	ZDI-CAN-179	Trust: 0.7
db:	CNNVD	id:	CNNVD-200901-363	Trust: 0.7
db:	BID	id:	24962	Trust: 0.3
db:	PACKETSTORM	id:	58013	Trust: 0.2
db:	PACKETSTORM	id:	58012	Trust: 0.2
db:	SEEBUG	id:	SSVID-66887	Trust: 0.1
db:	PACKETSTORM	id:	81264	Trust: 0.1
db:	EXPLOIT-DB	id:	9662	Trust: 0.1
db:	VULHUB	id:	VHN-26157	Trust: 0.1

sources: ZDI: ZDI-07-042 // ZDI: ZDI-07-043 // VULHUB: VHN-26157 // BID: 24962 // JVNDB: JVNDB-2009-001634 // PACKETSTORM: 58013 // PACKETSTORM: 58012 // CNNVD: CNNVD-200901-363 // NVD: CVE-2007-2795

REFERENCES

url:	http://www.ipswitch.com/support/imail/releases/im200621.asp	Trust: 3.3
url:	http://www.zerodayinitiative.com/advisories/zdi-07-042/	Trust: 1.7
url:	http://www.zerodayinitiative.com/advisories/zdi-07-043/	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-2795	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-2795	Trust: 0.8
url:	http://www.zerodayinitiative.com/advisories/zdi-07-042.html	Trust: 0.4
url:	http://www.zerodayinitiative.com/advisories/zdi-07-043.html	Trust: 0.4
url:	http://www.ipswitch.com/products/imail_server/index.html	Trust: 0.3
url:	http://docs.ipswitch.com/imail%202006.21/releasenotes/imail_relnotes.htm#newrelease	Trust: 0.3
url:	/archive/1/474040	Trust: 0.3
url:	/archive/1/474552	Trust: 0.3
url:	/archive/1/474553	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2007-2795	Trust: 0.2
url:	http://www.tippingpoint.com	Trust: 0.2
url:	http://www.zerodayinitiative.com	Trust: 0.2

CREDITS

Sebastian Apelt (webmaster@buzzworld.org)

Trust: 1.4

sources: ZDI: ZDI-07-042 // ZDI: ZDI-07-043

SOURCES

db:	ZDI	id:	ZDI-07-042
db:	ZDI	id:	ZDI-07-043
db:	VULHUB	id:	VHN-26157
db:	BID	id:	24962
db:	JVNDB	id:	JVNDB-2009-001634
db:	PACKETSTORM	id:	58013
db:	PACKETSTORM	id:	58012
db:	CNNVD	id:	CNNVD-200901-363
db:	NVD	id:	CVE-2007-2795

LAST UPDATE DATE

2025-04-10T22:57:36.360000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-07-042	date:	2007-07-19T00:00:00
db:	ZDI	id:	ZDI-07-043	date:	2007-07-19T00:00:00
db:	VULHUB	id:	VHN-26157	date:	2009-01-28T00:00:00
db:	BID	id:	24962	date:	2016-07-05T21:38:00
db:	JVNDB	id:	JVNDB-2009-001634	date:	2009-07-08T00:00:00
db:	CNNVD	id:	CNNVD-200901-363	date:	2009-01-28T00:00:00
db:	NVD	id:	CVE-2007-2795	date:	2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-07-042	date:	2007-07-19T00:00:00
db:	ZDI	id:	ZDI-07-043	date:	2007-07-19T00:00:00
db:	VULHUB	id:	VHN-26157	date:	2009-01-27T00:00:00
db:	BID	id:	24962	date:	2007-07-18T00:00:00
db:	JVNDB	id:	JVNDB-2009-001634	date:	2009-07-08T00:00:00
db:	PACKETSTORM	id:	58013	date:	2007-07-25T04:32:46
db:	PACKETSTORM	id:	58012	date:	2007-07-25T04:31:47
db:	CNNVD	id:	CNNVD-200901-363	date:	2007-07-18T00:00:00
db:	NVD	id:	CVE-2007-2795	date:	2009-01-27T23:30:00.187