MailEnable IMAP A001 AUTHENTICATE Command Remote Overflow

2005-04-04T10:49:01
ID OSVDB:15231
Type osvdb
Reporter CorryL(corryl80@gmail.com), Expanders(expanders@gmail.com)
Modified 2005-04-04T10:49:01

Description

Vulnerability Description

A remote overflow exists in MailEnable. MailEnable fails to check bounds on input passed to "A001 AUTHENTICATE <buffer>", resulting in a buffer overflow. With a specially crafted request greater than 1016 bytes, an attacker can overwrite the ECX and EAX registers, leading to arbitrary code execution and a loss of integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, MailEnable has released a hotfix to address this vulnerability.
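
A detection check for the condition described above, as an added example that is not part of the original advisory or of MailEnable's code. It assumes client-to-server IMAP lines are available as bytes and applies the advisory's 1016-byte figure to the AUTHENTICATE argument; the function names and sample traffic are constructed for illustration.

```python
import re

# Threshold from the advisory text ("greater than 1016 bytes").
# Assumption: applied here to the AUTHENTICATE argument; adjust to your sensor.
MAX_AUTH_ARG = 1016

# IMAP commands have the form "<tag> <command> [args]". The tag is chosen by
# the client, so "A001" is only a common example and must not be hard-coded.
# Command names are case-insensitive.
AUTH_RE = re.compile(rb"^(?P<tag>\S+) +AUTHENTICATE(?: +(?P<arg>.*))?$", re.IGNORECASE)

def check_line(line: bytes, limit: int = MAX_AUTH_ARG):
    """Return a finding dict for an over-long AUTHENTICATE command, else None."""
    m = AUTH_RE.match(line.rstrip(b"\r\n"))
    if m is None:
        return None
    arg = m.group("arg") or b""
    if len(arg) <= limit:
        return None
    return {
        "tag": m.group("tag").decode("latin-1"),
        "arg_len": len(arg),
        # Non-printable bytes in a mechanism name are a further anomaly signal.
        "printable": all(0x20 <= b < 0x7F for b in arg),
    }

def scan(lines, limit: int = MAX_AUTH_ARG):
    """Yield (line_number, finding) for each suspicious line in a capture."""
    for n, line in enumerate(lines, 1):
        finding = check_line(line, limit)
        if finding:
            yield n, finding

# Constructed sample traffic, not real capture data.
SAMPLE = [
    b"A001 CAPABILITY\r\n",
    b"A002 AUTHENTICATE CRAM-MD5\r\n",
    b"a003 authenticate " + b"X" * 1016 + b"\r\n",  # at the limit: not flagged
    b"zz9 AuThEnTiCaTe " + b"X" * 1017 + b"\r\n",   # one byte over: flagged
    b"A001 AUTHENTICATE " + b"\x01" * 2000 + b"\r\n",
    b"A005 LOGIN user " + b"Y" * 3000 + b"\r\n",     # different command: ignored
]

if __name__ == "__main__":
    for n, f in scan(SAMPLE):
        print(f"line {n}: tag={f['tag']} arg_len={f['arg_len']} printable={f['printable']}")
```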

References:

Vendor URL: http://www.mailenable.com/
Vendor Specific Solution URL: http://www.mailenable.com/hotfix/MEIMSM-HF050425.zip
Vendor Specific Solution URL: http://www.mailenable.com/hotfix/
Security Tracker: 1013637
Security Tracker: 1013799
Secunia Advisory ID: 14812
Secunia Advisory ID: 15068
Related OSVDB ID: 15232
Nessus Plugin ID: 17974
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0078.html
ISS X-Force ID: 19947
CVE-2005-1014
Bugtraq ID: 12995