New and old versions of Imail Server have an exploit (mentioned below) that they (Ipswitch) are not going to fix on older versions, that I think ASSP will help to prevent.
> <snip> what the public available exploit can do <snip>
>
> http://www.securiteam.com/exploits/6G00L0KH5E.html
>
> Payload Options (for your server!!!)
> 1 = Share C:\\ as 'Export' Share
> 2 = Add User 'Error' with Password 'Error'
> 3 = Win32 Bind CMD to Port 4444
> 4 = Change Administrator Password to '[EMAIL PROTECTED]'
>
>> Not quite knowing how SMTP vulnerabilities are exploited, I
>> am assuming that this can not be executed by simply sending an email ...
>
> In fact it's as nearly as simple as writing an email message! During the
> SMTP-Envelope session the attacker has to specify a mail-from and rcpt-to
> address and the only thing that must be done is to include in this address
> the code that should be executed on the server.

*** If the attacker was able to get through ASSP's delaying and other connection tests, would Imail still be vulnerable?

> It's not a simple "format c:" that you can attach to the email-address but
> the sample exploit does exactly show how to do <snip>
>
> Having third-party gateway solutions (Alligate, ORF, ...) in front
> of your server would help but only if your Imail-SMTP-Service is
> completely unreachable from at least the internet.

*** I have an AV gateway after ASSP so my Imail is not reachable directly from the internet, but for those that do not would ASSP block this kind of exploit? Does the fact that ASSP is a proxy and not a gateway mean that the Imail smtp service is directly accessible from the internet, sort of?

Thanks,
Doug traylor

----- Original Message -----
From: "Markus" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Wednesday, October 25, 2006 8:32 AM
Subject: RE: [IMail Forum] SMTP Exploit

> Well at least having the server behind a firewall would prevent from
> problems with 1 and 3. Maybe it would also be useful to create a dummy
> user "error" with another password in order to prevent a successful
> adduser-call.
> For the same reason it would also be useful to rename the "administrator"
> name in order to prevent a successful changepass-call.
>
> But all this would not really help as many people around the world are
> capable to write other payloads who can do everything on your server and
> maybe has already done without your knowledge!
>
> The question from the view of an 8.x-Admin is: would it be a good idea to
> bring Ipswitch's non-reaction widely publicable (newspapers, newsletters,
> ..) or maybe better not, in order to let the own server survive at least
> some days or weeks longer.
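
An added example, not part of the messages above and not ASSP's or Imail's code: because the thread says the exploit code travels inside the MAIL FROM / RCPT TO address of the SMTP envelope, this sketch shows the kind of envelope check a filtering proxy in front of a mail server can apply before relaying a command, using the RFC 5321 limits (local part 64 octets, path 256 octets) and a printable-ASCII rule. The function names and sample lines are constructed, and whether such a check stops the specific exploit depends on details the thread does not give.

```python
import re

# RFC 5321 section 4.5.3.1 size limits, in octets
MAX_LOCAL, MAX_PATH = 64, 256

_CMD = re.compile(rb"(MAIL FROM|RCPT TO):\s*<([^<>]*)>( .*)?", re.I)

def check_envelope(line: bytes):
    """Return (accept, reason) for one raw MAIL FROM / RCPT TO line."""
    body = line.rstrip(b"\r\n")
    # Assumption: no SMTPUTF8, so only printable ASCII is legitimate here.
    if any(b < 0x20 or b > 0x7E for b in body):
        return False, "non-printable byte"
    m = _CMD.fullmatch(body)
    if m is None:
        return False, "malformed command"
    verb, path = m.group(1).upper(), m.group(2)
    if not path:
        # "<>" is the null reverse-path used by bounces; never a recipient
        ok = verb == b"MAIL FROM"
        return ok, "null reverse-path" if ok else "empty recipient"
    if verb == b"RCPT TO" and path.lower() == b"postmaster":
        return True, "ok"                 # RFC 5321 allows a bare postmaster
    if len(path) + 2 > MAX_PATH:          # +2 for the angle brackets
        return False, "path too long"
    local, sep, domain = path.rpartition(b"@")
    if not sep or not local or not domain:
        return False, "address lacks local part or domain"
    if len(local) > MAX_LOCAL:
        return False, "local part too long"
    return True, "ok"

# Constructed sample lines, not captured traffic
SAMPLES = [
    b"MAIL FROM:<doug@example.com>\r\n",
    b"MAIL FROM:<>\r\n",
    b"RCPT TO:<" + b"A" * 300 + b"@example.com>\r\n",
    b"RCPT TO:<user\x01\xff@example.com>\r\n",
]

def screen(lines):
    """Per line: 'relay' if it may go to the backend, else the 553 reply to send."""
    results = (check_envelope(line) for line in lines)
    return ["relay" if ok else "553 " + reason for ok, reason in results]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLES, screen(SAMPLES)):
        print(verdict, "<-", line[:40])
```

A check like this only protects the backend if every SMTP connection passes through the proxy, which is the condition Markus gives for third-party gateways.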
