{"id": "MAILENABLE_IMAP_OVERFLOWS.NASL", "bulletinFamily": "scanner", "title": "MailEnable IMAP Server Multiple Remote Buffer Overflows", "description": "The target is running at least one instance of MailEnable's IMAP service. Two flaws exist in MailEnable Professional Edition 1.52 and earlier as well as MailEnable Enterprise Edition 1.01 and earlier - a stack-based buffer overflow and an object pointer overwrite. A remote attacker can use either vulnerability to execute arbitrary code on the target.", "published": "2004-11-30T00:00:00", "modified": "2011-04-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=15852", "reporter": "Tenable", "references": ["http://www.mailenable.com/hotfix/default.asp", "http://www.hat-squad.com/en/000102.html"], "cvelist": ["CVE-2004-2501"], "type": "nessus", "lastseen": "2016-09-26T17:26:07", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "301d322656089714fde4dfb60abae411"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "0fd333e06d05ac84c1ba8faf496e86bc"}, {"key": "href", "hash": "b8d8b03af178dce6de1c3ac301b0a3a8"}, {"key": "modified", "hash": "8d5c6ba0dc279f21c07956660f81787e"}, {"key": "naslFamily", "hash": "aea23489ce3aa9b6406ebb28e0cda430"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "pluginID", "hash": "61c68ac879a7ec23b78912aa04f59d78"}, {"key": "published", "hash": "ab3a7a8f8266834343b1f791b88653da"}, {"key": "references", "hash": "f1a4d4755ef6beb4146e2065e6bdb967"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "9265e1744b96351834f5b9a0bfd26619"}, {"key": "title", "hash": "7cb21f8ddd8bfabc11f229e0da135488"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "ae7f52ee2c16b73ca0bd22ae5a26a8220c472eb3378f2e012364c87337629849", "viewCount": 0, "objectVersion": "1.2", "sourceData": "#\n# This script was written by George A. Theall, <theall@tifaware.com>.\n#\n# See the Nessus Scripts License for details.\n#\n\n# Changes by Tenable:\n# - Revised plugin title (10/22/09)\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15852);\n script_version(\"$Revision: 1.16 $\");\n script_cvs_date(\"$Date: 2011/04/20 01:55:04 $\");\n\n script_cve_id(\"CVE-2004-2501\");\n script_bugtraq_id(11755);\n script_osvdb_id(12135, 12136);\n\n script_name(english:\"MailEnable IMAP Server Multiple Remote Buffer Overflows\");\n script_summary(english:\"Checks for Remote Buffer Overflows in MailEnable's IMAP Service\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote mail server is affected by several buffer overflow issues.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The target is running at least one instance of MailEnable's IMAP\nservice. Two flaws exist in MailEnable Professional Edition 1.52 and\nearlier as well as MailEnable Enterprise Edition 1.01 and earlier - a\nstack-based buffer overflow and an object pointer overwrite. A remote\nattacker can use either vulnerability to execute arbitrary code on the\ntarget.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.hat-squad.com/en/000102.html\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.mailenable.com/hotfix/default.asp\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the IMAP hotfix dated 25 November 2004.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:U/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/11/30\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2004/11/25\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mailenable:mailenable\");\n script_end_attributes();\n \n script_category(ACT_DENIAL);\n script_copyright(english:\"This script is Copyright (C) 2004-2011 George A. Theall\");\n script_family(english:\"Windows\");\n script_dependencie(\"find_service1.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/imap\", 143);\n script_exclude_keys(\"imap/false_imap\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\n\n# NB: MailEnable doesn't truly identify itself in the banner so we just\n# connect and send a long command to try to bring down the service \n# if it looks like it's MailEnable.\nport = get_kb_item(\"Services/imap\");\nif (!port) port = 143;\nif (!get_port_state(port)) exit(0);\nbanner = get_kb_item(\"imap/banner/\" + port);\nif (\"IMAP4rev1 server ready at\" >!< banner) exit(0);\n\n# Establish a connection.\nsoc = open_sock_tcp(port);\nif (!soc) exit(0);\n\n# Read banner.\ns = recv_line(socket:soc, length:1024);\nif (!strlen(s)) {\n close(soc);\n exit(0);\n}\ns = chomp(s);\n\n# Send a long command and see if the service crashes.\n#\n# nb: this tests only for the stack-based buffer overflow; the object\n# pointer overwrite vulnerability reportedly occurs in the same\n# versions so we just assume it's present if the former is.\nc = string(\"a1 \", crap(8202));\nsend(socket:soc, data:string(c, \"\\r\\n\"));\nwhile (s = recv_line(socket:soc, length:1024)) {\n s = chomp(s);\n m = eregmatch(pattern:\"^a1 (OK|BAD|NO)\", string:s, icase:TRUE);\n if (!isnull(m)) {\n resp = m[1];\n break;\n }\n resp='';\n}\n# If we don't get a response, make sure the service is truly down.\nif (!resp) {\n close(soc);\n soc = open_sock_tcp(port);\n if (!soc) {\n security_hole(port);\n exit(0);\n }\n}\n\n# Logout.\nc = string(\"a2\", \" LOGOUT\");\nsend(socket:soc, data:string(c, \"\\r\\n\"));\nwhile (s = recv_line(socket:soc, length:1024)) {\n s = chomp(s);\n m = eregmatch(pattern:\"^a2 (OK|BAD|NO)\", string:s, icase:TRUE);\n if (!isnull(m)) {\n resp = m[1];\n break;\n }\n}\nclose(soc);\n", "naslFamily": "Windows", "pluginID": "15852", "enchantments": {"vulnersScore": 6.4}}

{"result": {"cve": [{"id": "CVE-2004-2501", "type": "cve", "title": "CVE-2004-2501", "description": "Buffer overflow in the IMAP service of MailEnable Professional Edition 1.52 and Enterprise Edition 1.01 allows remote attackers to execute arbitrary code via (1) a long command string or (2) a long string to the MEIMAP service and then terminating the connection.", "published": "2004-12-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2501", "cvelist": ["CVE-2004-2501"], "lastseen": "2016-09-03T04:53:12"}], "exploitdb": [{"id": "EDB-ID:658", "type": "exploitdb", "title": "MailEnable Mail Server IMAP <= 1.52 - Remote Buffer Overflow Exploit", "description": "MailEnable Mail Server IMAP <= 1.52 Remote Buffer Overflow Exploit. CVE-2004-2501. Remote exploit for windows platform", "published": "2004-11-25T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/658/", "cvelist": ["CVE-2004-2501"], "lastseen": "2016-01-31T12:37:34"}], "seebug": [{"id": "SSV-62925", "type": "seebug", "title": "MailEnable Mail Server IMAP <= 1.52 Remote Buffer Overflow Exploit", "description": "Summary: \nMailEnable Professional Edition 1.52 and Enterprise Edition 1.01 version of the IMAP service there is a buffer overflow vulnerability. A remote attacker by means of\uff081\uff09super-long command strings or\uff082\uff09MEIMAP service of the super-long string to execute arbitrary code and then terminate the connection.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-62925", "cvelist": ["CVE-2004-2501"], "lastseen": "2016-07-30T04:28:45"}], "saint": [{"id": "SAINT:A0C3986DB61A9A331F28B8A2E57AD8BC", "type": "saint", "title": "MailEnable IMAP command buffer overflow", "description": "Added: 01/24/2006 \nCVE: [CVE-2004-2501](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2501>) \nBID: [11755](<http://www.securityfocus.com/bid/11755>) \nOSVDB: [12135](<http://www.osvdb.org/12135>) \n\n\n### Background\n\n[MailEnable](<http://www.mailenable.com>) is a mail server supporting SMTP and POP3 for Windows platforms. MailEnable Professional and MailEnable Enterprise also include IMAP and HTTPMail services. \n\n### Problem\n\nA buffer overflow in the IMAP service allows an unauthenticated attacker to execute commands by sending a very long command. \n\n### Resolution\n\n[Upgrade](<http://www.mailenable.com/download.asp>) to the latest version of MailEnable with all needed [hotfixes](<http://www.mailenable.com/hotfix/>). \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2004-11/0349.html> \n\n\n### Limitations\n\nExploit works on MailEnable Professional 1.52. \n\n### Platforms\n\nWindows \n \n\n", "published": "2006-01-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/mailenable_imap_command", "cvelist": ["CVE-2004-2501"], "lastseen": "2017-01-10T14:03:42"}, {"id": "SAINT:9E224E965DDC130425E19653A8D2F2E1", "type": "saint", "title": "MailEnable IMAP command buffer overflow", "description": "Added: 01/24/2006 \nCVE: [CVE-2004-2501](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2501>) \nBID: [11755](<http://www.securityfocus.com/bid/11755>) \nOSVDB: [12135](<http://www.osvdb.org/12135>) \n\n\n### Background\n\n[MailEnable](<http://www.mailenable.com>) is a mail server supporting SMTP and POP3 for Windows platforms. MailEnable Professional and MailEnable Enterprise also include IMAP and HTTPMail services. \n\n### Problem\n\nA buffer overflow in the IMAP service allows an unauthenticated attacker to execute commands by sending a very long command. \n\n### Resolution\n\n[Upgrade](<http://www.mailenable.com/download.asp>) to the latest version of MailEnable with all needed [hotfixes](<http://www.mailenable.com/hotfix/>). \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2004-11/0349.html> \n\n\n### Limitations\n\nExploit works on MailEnable Professional 1.52. \n\n### Platforms\n\nWindows \n \n\n", "published": "2006-01-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/mailenable_imap_command", "cvelist": ["CVE-2004-2501"], "lastseen": "2016-12-14T16:58:07"}, {"id": "SAINT:522D5E14B69A5A58858F116BA2C1EDD9", "type": "saint", "title": "MailEnable IMAP command buffer overflow", "description": "Added: 01/24/2006 \nCVE: [CVE-2004-2501](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2501>) \nBID: [11755](<http://www.securityfocus.com/bid/11755>) \nOSVDB: [12135](<http://www.osvdb.org/12135>) \n\n\n### Background\n\n[MailEnable](<http://www.mailenable.com>) is a mail server supporting SMTP and POP3 for Windows platforms. MailEnable Professional and MailEnable Enterprise also include IMAP and HTTPMail services. \n\n### Problem\n\nA buffer overflow in the IMAP service allows an unauthenticated attacker to execute commands by sending a very long command. \n\n### Resolution\n\n[Upgrade](<http://www.mailenable.com/download.asp>) to the latest version of MailEnable with all needed [hotfixes](<http://www.mailenable.com/hotfix/>). \n\n### References\n\n<http://archives.neohapsis.com/archives/bugtraq/2004-11/0349.html> \n\n\n### Limitations\n\nExploit works on MailEnable Professional 1.52. \n\n### Platforms\n\nWindows \n \n\n", "published": "2006-01-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/mailenable_imap_command", "cvelist": ["CVE-2004-2501"], "lastseen": "2016-10-03T15:01:55"}], "openvas": [{"id": "OPENVAS:15852", "type": "openvas", "title": "MailEnable IMAP Service Remote Buffer Overflows", "description": "The target is running at least one instance of MailEnable's IMAP\nservice. Two flaws exist in MailEnable Professional Edition 1.52 and\nearlier as well as MailEnable Enterprise Edition 1.01 and earlier - a\nstack-based buffer overflow and an object pointer overwrite. A remote\nattacker can use either vulnerability to execute arbitrary code on the\ntarget. More information is available at :\n\n http://www.hat-squad.com/en/000102.html", "published": "2005-11-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=15852", "cvelist": ["CVE-2004-2501"], "lastseen": "2017-05-16T12:32:50"}]}}