14th Apr 2003 [SBWID-6142]
COMMAND
	MailMax Buffer Overflow (potential DoS)
SYSTEMS AFFECTED
	IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.6 and 5.0.10.7)
PROBLEM
	Dennis Rand [http://www.Infowarfare.dk] found the following:
	MailMax is a scalable e-mail server that supports SMTP, IMAP4  and  POP3
	protocols.  Its  TCP/IP  GUI  allows  server  administration  from   any
	Internet connected server. The Web Admin module  allows  you  to  define
	domain administrators so they can maintain their own accounts.  It  also
	provides anti-spamming options.
	The problem is a buffer overflow in the IMAP4 protocol handling of
	IMAP4rev1 SmartMax IMAPMax 5 that causes the service to stop responding.
	It is triggered when an attacker sends a large amount of data in the
	password field during the login procedure.
	The following transcript demonstrates a sample exploitation of the
	vulnerability:
	
	----------------------------- [Transcript] -----------------------------
	nc 127.0.0.1 143
	* OK IMAP4rev1 SmartMax IMAPMax 5 Ready
	0000 CAPABILITY
	* CAPABILITY IMAP4rev1
	0000 OK CAPABILITY completed
	0001 LOGIN "[email protected]" "A..[50] ..A"
	0001 NO Invalid user name or password.
	0001 NO Invalid user name or password.
	----------------------------- [/Transcript] -----------------------------
	
	When this attack is used, a message box pops up on the server with the
	text "Buffer overrun detected! - Program: <PATH>\IMAPMax.exe". At this
	point the service shuts down and has to be restarted manually from the
	service manager.
	 DETECTION
	 =========
	IMAP4rev1 SmartMax  IMAPMax  5  is  vulnerable  to  the  above-described
	attacks. Earlier versions may be susceptible as well. To determine if  a
	specific implementation  is  vulnerable,  experiment  by  following  the
	above transcript.
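	For monitoring the condition described above, an added example (not part
	of the original advisory or of SmartMax's code): a check that parses
	client IMAP lines and flags LOGIN commands whose password argument is
	oversized. The limit MAX_PASSWORD_LEN, the function names and the sample
	lines are assumptions constructed for illustration.

```python
import re

# Assumed limit; the advisory does not give the exact triggering length.
MAX_PASSWORD_LEN = 64
_LITERAL = re.compile(r"\{(\d+)\+?\}$")  # IMAP literal marker {N} or {N+}


def _parse_args(text):
    """Split IMAP arguments into (value, was_quoted) pairs."""
    args, i, n = [], 0, len(text)
    while i < n:
        if text[i] == " ":
            i += 1
        elif text[i] == '"':
            i, buf = i + 1, []
            while i < n and text[i] != '"':
                if text[i] == "\\" and i + 1 < n:
                    i += 1  # backslash escapes the next character
                buf.append(text[i])
                i += 1
            args.append(("".join(buf), True))
            i += 1  # step past the closing quote
        else:
            j = text.find(" ", i)
            j = n if j == -1 else j
            args.append((text[i:j], False))
            i = j
    return args


def check_login_line(line, limit=MAX_PASSWORD_LEN):
    """Return (tag, password_length) for a LOGIN whose password argument
    exceeds `limit`; return None for every other client line."""
    parts = line.rstrip("\r\n").split(" ", 2)
    if len(parts) < 3 or parts[1].upper() != "LOGIN":
        return None
    args = _parse_args(parts[2])
    if len(args) < 2:
        return None
    value, quoted = args[1]
    # An unquoted {N} announces a literal of N bytes sent on following lines.
    m = None if quoted else _LITERAL.match(value)
    length = int(m.group(1)) if m else len(value)
    return (parts[0], length) if length > limit else None

# Constructed sample client lines (not captured traffic).
SAMPLE = ['0001 LOGIN "user@example.test" "hunter2"',
          '0002 LOGIN "user@example.test" "' + "A" * 500 + '"']
FLAGGED = [r for r in map(check_login_line, SAMPLE) if r]
```

	Only the second sample line is flagged; an announced literal size is
	treated the same way as the length of an inline password.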
SOLUTION
	 WORK AROUNDS
	 ============
	With this vulnerable version of IMAP, the only workaround is to disable
	the IMAP4rev1 SmartMax IMAPMax 5 service; there is no workaround in the
	configuration.
	SmartMax has released a patched version of IMAPMax.exe version  5.0.10.8
	which corrects the problem. It can be downloaded at
	
	ftp://ftp.smartmax.com/updates/MailMax 5.0/Files/
	
	Remember to ensure that the file version is 5.0.10.8 or higher.
	Update your MailMax Version 5 to the released version 5.5.
	 VENDOR RESPONSE
	 ===============
	Thank you for the buffer overrun security notification  in  our  ImapMax
	module for MailMax 5. I'm enclosing an updated IMAPMAX which  fixes  the
	buffer overflow vulnerability? We'll be posting this in our MailMax  5.5
	update next week.
	 Regards,
	 Eric Weber