J-Security Center

Title: E-Post MailServer Multiple Remote Vulnerabilities

Severity: HIGH

Description:


E-Post MailServer is an email server for Microsoft Windows. It supports SMTP, POP3, and IMAP.

E-Post MailServer is prone to multiple remote vulnerabilities. These issues can allow remote attackers to execute arbitrary code, create arbitrary directories on the server, disclose information, and carry out denial-of-service attacks.

The following specific vulnerabilities were identified:

The SMTP service is affected by a remote buffer-overflow vulnerability that arises because the application fails to perform boundary checks before copying user-supplied data into sensitive process buffers. This issue can allow attackers to corrupt process memory by supplying excessive data through the 'AUTH PLAIN' and 'AUTH LOGIN' commands. Specifically, a large string provided as a username is sufficient to trigger this issue. A successful attack can facilitate arbitrary code execution in the context of the server. This may lead to remote unauthorized access. This vulnerability affects 'EPSTRS.EXE' versions 4.18 and 4.19 and 'SPA-RS.EXE' version 4.12.

The POP3 service is also affected by a remote buffer-overflow vulnerability that arises because the application fails to perform boundary checks before copying user-supplied data into sensitive process buffers. This issue can allow attackers to corrupt process memory by supplying excessive data through the 'APOP' command. Specifically, a large string provided as a username is sufficient to trigger this issue. A successful attack can facilitate arbitrary code execution in the context of the server. This may lead to remote unauthorized access. This vulnerability affects 'EPSTPOP4S.EXE' version 4.03 and 'SPA-POP3S.EXE' version 4.03.

The IMAP service is also affected by a remote buffer-overflow vulnerability that arises because the application fails to perform boundary checks before copying user-supplied data into sensitive process buffers. This issue can allow attackers to corrupt process memory by supplying excessive data through the 'DELETE' command. Specifically, a large string provided as a mailbox name is sufficient to trigger this issue. Although reports indicate that exploitation of this issue results in a denial-of-service condition, arbitrary code execution may be possible as well. Note that code execution is not confirmed at the moment. This issue affects 'EPSTIMAP4S.EXE' version 4.05 and 'SPA-IMAP4S.EXE' version 4.05.

The application is affected by a directory-traversal vulnerability that arises due to insufficient sanitization of user-supplied data. This issue affects the IMAP service and allows attackers to obtain directory listings and to crash the service by supplying specially crafted parameters to the 'LIST' command. An attacker may use directory-traversal sequences such as '../' followed by a folder name to trigger this issue. Certain folder names may crash the service. This issue affects 'EPSTIMAP4S.EXE' version 4.05 and 'SPA-IMAP4S.EXE' version 4.05.

The 'APPEND', 'COPY', and 'RENAME' commands of the IMAP service can be used to upload '.MSG' files to arbitrary directories on the server. This issue also results from insufficient sanitization of user-supplied data. An attacker may use directory-traversal sequences such as '../' to upload the files. This can affect the integrity of data on the server. This issue affects 'EPSTIMAP4S.EXE' version 4.05 and 'SPA-IMAP4S.EXE' version 4.05.

The 'APPEND' command can be used to trigger a crash in the IMAP service as well. This issue exists because the application does not properly handle exceptional conditions. An attacker can issue an 'APPEND' command and terminate the connection before sending the expected data. A successful attack can deny service to legitimate users.
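
The following added example is not part of the original advisory or of the vendor's code. It shows a defensive check that a filtering proxy or log review could apply to the commands named above: it flags oversized arguments to 'AUTH PLAIN', 'AUTH LOGIN', 'APOP' and 'DELETE', and directory-traversal components in IMAP mailbox names. The 256-byte limit, the function names and the sample lines are assumptions.

```python
import re

MAX_ARG = 256  # assumed ceiling; the advisory does not state an overflow length

# IMAP commands named in the advisory -> positions of their mailbox-name arguments
IMAP_MAILBOX_ARGS = {"DELETE": [0], "LIST": [0, 1], "APPEND": [0],
                     "COPY": [1], "RENAME": [0, 1]}

def split_args(rest):
    """Split IMAP arguments, keeping double-quoted strings together."""
    return [q or a for q, a in re.findall(r'"((?:[^"\\]|\\.)*)"|(\S+)', rest)]

def check(proto, line):
    """Return findings for one client command line of the given protocol."""
    words, findings = line.strip().split(), []
    if proto == "imap" and len(words) >= 2:
        cmd = words[1].upper()  # words[0] is the IMAP tag
        args = split_args(line.strip().split(None, 2)[2]) if len(words) > 2 else []
        for i in IMAP_MAILBOX_ARGS.get(cmd, []):
            if i >= len(args):
                continue
            name = args[i].replace("\\", "/")  # treat both separators alike
            if ".." in name.split("/"):
                findings.append(f"{cmd}: traversal in mailbox name")
            if len(name) > MAX_ARG:
                findings.append(f"{cmd}: oversized mailbox name")
    elif proto == "pop3" and len(words) >= 2 and words[0].upper() == "APOP":
        if len(words[1]) > MAX_ARG:
            findings.append("APOP: oversized username")
    elif proto == "smtp" and len(words) >= 3 and words[0].upper() == "AUTH":
        mech = words[1].upper()
        # Only the inline initial response is visible on this line; a username
        # sent on a later line needs the same length check applied there.
        if mech in ("PLAIN", "LOGIN") and len(words[2]) > MAX_ARG * 4 // 3:
            findings.append(f"AUTH {mech}: oversized initial response")
    return findings

# Constructed sample lines, not taken from the advisory or a real capture
SAMPLES = [
    ("imap", 'a1 LIST "" "../other"'),
    ("imap", "a2 DELETE " + "A" * 300),
    ("imap", 'a3 LIST "" "INBOX/reports..2005"'),
    ("pop3", "APOP " + "u" * 300 + " 0123456789abcdef0123456789abcdef"),
    ("smtp", "AUTH PLAIN AGFsaWNlAHNlY3JldA=="),
]

if __name__ == "__main__":
    for proto, line in SAMPLES:
        print(proto, line[:40], "->", check(proto, line) or "ok")
```

The traversal test matches '..' only as a whole path component, so a mailbox name such as 'INBOX/reports..2005' is not flagged.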

Affected Products:

  • E-POST Inc. Mail Server 4.10
  • E-POST Inc. Mail Server Enterprise 4.10
  • E-POST Inc. SMTP Server 4.10
  • E-POST Inc. SMTP Server Enterprise 4.10
  • E-POST Inc. SPA-PRO Mail @Solomon 4.0
  • E-POST Inc. SPA-PRO Mail @Solomon Enterprise 4.0
  • E-POST Inc. SPA-PRO SMTP @Solomon 4.0
