VAR-200709-0023
Vulnerability from variot - Updated: 2025-04-10 23:07Heap-based buffer overflow in iaspam.dll in the SMTP Server in Ipswitch IMail Server 8.01 through 8.11 allows remote attackers to execute arbitrary code via a set of four different e-mail messages with a long boundary parameter in a certain malformed Content-Type header line, the string "MIME" by itself on a line in the header, and a long Content-Transfer-Encoding header line. Ipswitch IMail Server is prone to a buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. Attackers may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Versions between Ipswitch IMail Server 8.01 and 8.11 are vulnerable to this issue; other versions may also be affected. NOTE: This issue may be related to previously disclosed vulnerabilities in IMail, but due to a lack of information we cannot confirm this. We will update this BID as more information emerges. IPSwitch IMail is a Windows-based mail service program. There is a buffer overflow vulnerability in IPSwitch IMail's iaspam.dll, which may be exploited by remote attackers to control the server. Relevant details: loc_1001ada5 ==> Pay attention to the difference in loading base address during dynamic debugging. mov eax, [ebp+var_54] mov ecx, [eax+10c8h] push ecx ; char * mov edx, [ebp+var_54] mov eax, [edx+10d0h] push eax ; char * call _strcpy add esp, 8 jmp loc_1001a6f0 Here, the two buffers of strcpy, the pointers of src and dst are read directly from the heap without any check before, so send a malicious email to the server (SMD file), and then control the two buffers at the subsequent offset address, you can copy any string to any memory
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200709-0023",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "imail",
"scope": "eq",
"trust": 1.9,
"vendor": "ipswitch",
"version": "8.1"
},
{
"model": "imail",
"scope": "eq",
"trust": 1.9,
"vendor": "ipswitch",
"version": "8.0.5"
},
{
"model": "imail",
"scope": "eq",
"trust": 1.9,
"vendor": "ipswitch",
"version": "8.0.3"
},
{
"model": "imail",
"scope": "eq",
"trust": 1.9,
"vendor": "ipswitch",
"version": "8.11"
},
{
"model": "imail",
"scope": "eq",
"trust": 1.9,
"vendor": "ipswitch",
"version": "8.01"
},
{
"model": "imail",
"scope": "eq",
"trust": 0.8,
"vendor": "ipswitch",
"version": "8.01 to 8.11"
}
],
"sources": [
{
"db": "BID",
"id": "25762"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-004441"
},
{
"db": "CNNVD",
"id": "CNNVD-200709-391"
},
{
"db": "NVD",
"id": "CVE-2007-5094"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/a:ipswitch:imail",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2007-004441"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "axis axis@ph4nt0m)",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200709-391"
}
],
"trust": 0.6
},
"cve": "CVE-2007-5094",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CVE-2007-5094",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-28456",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2007-5094",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2007-5094",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-200709-391",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-28456",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-28456"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-004441"
},
{
"db": "CNNVD",
"id": "CNNVD-200709-391"
},
{
"db": "NVD",
"id": "CVE-2007-5094"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Heap-based buffer overflow in iaspam.dll in the SMTP Server in Ipswitch IMail Server 8.01 through 8.11 allows remote attackers to execute arbitrary code via a set of four different e-mail messages with a long boundary parameter in a certain malformed Content-Type header line, the string \"MIME\" by itself on a line in the header, and a long Content-Transfer-Encoding header line. Ipswitch IMail Server is prone to a buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. \nAttackers may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. \nVersions between Ipswitch IMail Server 8.01 and 8.11 are vulnerable to this issue; other versions may also be affected. \nNOTE: This issue may be related to previously disclosed vulnerabilities in IMail, but due to a lack of information we cannot confirm this. We will update this BID as more information emerges. IPSwitch IMail is a Windows-based mail service program. There is a buffer overflow vulnerability in IPSwitch IMail\u0027s iaspam.dll, which may be exploited by remote attackers to control the server. Relevant details: loc_1001ada5 ==\u003e Pay attention to the difference in loading base address during dynamic debugging. mov eax, [ebp+var_54] mov ecx, [eax+10c8h] push ecx ; char * mov edx, [ebp+var_54] mov eax, [edx+10d0h] push eax ; char * call _strcpy add esp, 8 jmp loc_1001a6f0 Here, the two buffers of strcpy, the pointers of src and dst are read directly from the heap without any check before, so send a malicious email to the server (SMD file), and then control the two buffers at the subsequent offset address, you can copy any string to any memory",
"sources": [
{
"db": "NVD",
"id": "CVE-2007-5094"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-004441"
},
{
"db": "BID",
"id": "25762"
},
{
"db": "VULHUB",
"id": "VHN-28456"
}
],
"trust": 1.98
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-28456",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-28456"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2007-5094",
"trust": 2.8
},
{
"db": "BID",
"id": "25762",
"trust": 2.0
},
{
"db": "EXPLOIT-DB",
"id": "4438",
"trust": 1.7
},
{
"db": "OSVDB",
"id": "39390",
"trust": 1.7
},
{
"db": "JVNDB",
"id": "JVNDB-2007-004441",
"trust": 0.8
},
{
"db": "MILW0RM",
"id": "4438",
"trust": 0.6
},
{
"db": "XF",
"id": "36723",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-200709-391",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-28456",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-28456"
},
{
"db": "BID",
"id": "25762"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-004441"
},
{
"db": "CNNVD",
"id": "CNNVD-200709-391"
},
{
"db": "NVD",
"id": "CVE-2007-5094"
}
]
},
"id": "VAR-200709-0023",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-28456"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-10T23:07:25.365000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "IMail Server",
"trust": 0.8,
"url": "http://www.imailserver.com/"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2007-004441"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-28456"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-004441"
},
{
"db": "NVD",
"id": "CVE-2007-5094"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "http://www.securityfocus.com/bid/25762"
},
{
"trust": 1.7,
"url": "http://pstgroup.blogspot.com/2007/09/exploitimail-iaspamdll-80x-remote-heap.html"
},
{
"trust": 1.7,
"url": "http://osvdb.org/39390"
},
{
"trust": 1.1,
"url": "https://www.exploit-db.com/exploits/4438"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36723"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-5094"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-5094"
},
{
"trust": 0.6,
"url": "http://www.milw0rm.com/exploits/4438"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/36723"
},
{
"trust": 0.3,
"url": "http://www.ipswitch.com/products/imail_server/index.html"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-28456"
},
{
"db": "BID",
"id": "25762"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-004441"
},
{
"db": "CNNVD",
"id": "CNNVD-200709-391"
},
{
"db": "NVD",
"id": "CVE-2007-5094"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-28456"
},
{
"db": "BID",
"id": "25762"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-004441"
},
{
"db": "CNNVD",
"id": "CNNVD-200709-391"
},
{
"db": "NVD",
"id": "CVE-2007-5094"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2007-09-26T00:00:00",
"db": "VULHUB",
"id": "VHN-28456"
},
{
"date": "2007-09-21T00:00:00",
"db": "BID",
"id": "25762"
},
{
"date": "2012-09-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2007-004441"
},
{
"date": "2007-09-26T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200709-391"
},
{
"date": "2007-09-26T22:17:00",
"db": "NVD",
"id": "CVE-2007-5094"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-09-29T00:00:00",
"db": "VULHUB",
"id": "VHN-28456"
},
{
"date": "2015-05-07T17:35:00",
"db": "BID",
"id": "25762"
},
{
"date": "2012-09-25T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2007-004441"
},
{
"date": "2007-11-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200709-391"
},
{
"date": "2025-04-09T00:30:58.490000",
"db": "NVD",
"id": "CVE-2007-5094"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200709-391"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ipswitch IMail SMTP Server IASPAM.DLL Remote Buffer Overflow Vulnerability",
"sources": [
{
"db": "BID",
"id": "25762"
},
{
"db": "CNNVD",
"id": "CNNVD-200709-391"
}
],
"trust": 0.9
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200709-391"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…