Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.MERCUR_IMAP_NTLM_OVERFLOW.NASL
HistoryApr 30, 2007 - 12:00 a.m.

MERCUR Messaging IMAP Server NTLM Authentication NTLMSSP Argument Remote Overflow

2007-04-3000:00:00
This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
www.tenable.com
27
JSON

The remote host is running MERCUR Messaging, a commercial mail server for Windows.

The IMAP server component of MERCUR Messaging is affected by a buffer overflow vulnerability involving its support for NTLM authentication. An unauthenticated, remote attacker can leverage this issue to crash the IMAP service or execute arbitrary code remotely.

Note that MERCUR Messaging’s IMAP server runs as a service with LOCAL SYSTEM privileges by default.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(25118);
  script_version("1.16");

  script_cve_id("CVE-2007-1578");
  script_bugtraq_id(23058);
  script_xref(name:"EDB-ID", value:"3527");

  script_name(english:"MERCUR Messaging IMAP Server NTLM Authentication NTLMSSP Argument Remote Overflow");
  script_summary(english:"Tries to crash MERCUR's IMAP Server");

 script_set_attribute(attribute:"synopsis", value:
"The remote mail server is vulnerable to a buffer overflow attack." );
 script_set_attribute(attribute:"description", value:
"The remote host is running MERCUR Messaging, a commercial mail server
for Windows. 

The IMAP server component of MERCUR Messaging is affected by a buffer
overflow vulnerability involving its support for NTLM authentication. 
An unauthenticated, remote attacker can leverage this issue to crash
the IMAP service or execute arbitrary code remotely. 

Note that MERCUR Messaging's IMAP server runs as a service with LOCAL
SYSTEM privileges by default." );
 script_set_attribute(attribute:"solution", value:
"Unknown at this time." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2007/04/30");
 script_set_attribute(attribute:"vuln_publication_date", value: "2007/03/20");
 script_cvs_date("Date: 2018/07/14  1:59:35");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");
  script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
  script_dependencies("smtpserver_detect.nasl", "popserver_detect.nasl", "imap4_banner.nasl");
  if (NASL_LEVEL >= 3000 )
    script_require_ports("Services/smtp", 25, "Services/pop3", 110, "Services/imap", 143, 32000);

  exit(0);
}


include("global_settings.inc");
include("imap_func.inc");
include("misc_func.inc");
include("pop3_func.inc");
include("smtp_func.inc");


# Do banner checks of various ports. 
#
# - SMTP.
port = get_kb_item("Services/smtp");
if (!port) port = 25;
banner = get_smtp_banner(port:port);
if (banner)
{
  # nb: banner for 2005 SP4 reads, in part, "MERCUR SMTP Server (v5.00.19".
  if (egrep(pattern:"^[0-9][0-9][0-9] .* MERCUR SMTP Server \(v([0-4]\.|5\.00\.(0[0-9]|1[0-9]))", string:banner))
  {
    security_hole(port);
    exit(0);
  }
  # Unless we're being paranoid, stop after getting the banner.
  if (report_paranoia < 2) exit(0);
}
# - POP3.
port = get_kb_item("Services/pop3");
if (!port) port = 110;
banner = get_pop3_banner(port:port);
if (banner)
{
  # nb: banner for 2005 SP4 reads, in part, "MERCUR POP3-Server (v5.00.12".
  if (egrep(pattern:"^(\+OK|-ERR) MERCUR POP3-Server \(v([0-4]\.|5\.00\.(0[0-9]|1[0-2]))", string:banner))
  {
    security_hole(port);
    exit(0);
  }
  # Unless we're being paranoid, stop after getting the banner.
  if (report_paranoia < 2) exit(0);
}
# - IMAP.
port = get_kb_item("Services/imap");
if (!port) port = 143;
banner = get_imap_banner(port:port);
if (banner)
{
  # nb: banner for 2005 SP4 reads, in part, "MERCUR IMAP4-Server (v5.00.14".
  if (egrep(pattern:"^\* (OK|BAD|NO) MERCUR IMAP4-Server \(v([0-4]\.|5\.00\.(0[0-9]|1[0-4]))", string:banner))
  {
    security_hole(port);
    exit(0);
  }
  # Unless we're being paranoid, stop after getting the banner.
  if (report_paranoia < 2) exit(0);
}
# - MERCUR Control Service
port = 32000;
banner = get_unknown_banner(port:port);
if (banner)
{
  # nb: banner for 2005 SP4 reads, in part, "MERCUR Control-Service (v5.00.14".
  if (egrep(pattern:"^MERCUR Control-Service \(v([0-4]\.|5\.00\.(0[0-9]|1[0-4]))", string:banner))
  {
    security_hole(port);
    exit(0);
  }
  # Unless we're being paranoid, stop after getting the banner.
  if (report_paranoia < 2) exit(0);
}

Related

saint 4
checkpoint_advisories 1
prion 1
cvelist 1
cve 1
securityvulns 1
saint
saint
MERCUR imapd NTLMSSP
2007-04-03 00:00:00
MERCUR imapd NTLMSSP
2007-04-03 00:00:00
MERCUR imapd NTLMSSP
2007-04-03 00:00:00
checkpoint_advisories
checkpoint_advisories
Atrium Software MERCUR IMAPD NTLMSSP Command Handling Memory Corruption (CVE-2007-1578)
2010-06-06 00:00:00
prion
prion
Stack overflow
2007-03-21 23:19:00
cvelist
cvelist
CVE-2007-1578
2007-03-21 23:00:00
cve
cve
CVE-2007-1578
2007-03-21 23:19:00
securityvulns
securityvulns
Atrium Mercur Mailserver IMAPD buffer overflow
2007-03-22 00:00:00
JSON
Related for MERCUR_IMAP_NTLM_OVERFLOW.NASL
saint4checkpoint_advisories1prion1cvelist1cve1securityvulns1