MailEnable IMAP Service (MEIMAPS.EXE) Multiple Command Remote Overflow
2005-11-18T02:48:18
ID: OSVDB:20929
Type: osvdb
Reporter: Tan Chew Keong (vuln@secunia.com)
Modified: 2005-11-18T02:48:18
Description
Vulnerability Description
A remote overflow exists in MailEnable. The 'MEIMAPS.EXE' service fails to perform proper bounds checking, resulting in a stack-based buffer overflow. With a specially crafted request containing an overly long mailbox name to the 'select', 'create', 'delete', 'rename', 'subscribe' and 'unsubscribe' commands, a remote attacker can cause arbitrary code execution, resulting in a loss of integrity.
Solution Description
Upgrade to MailEnable Professional version 1.7 or higher, as it has been reported to fix this vulnerability. In addition, MailEnable has released a patch.
Short Description
A remote overflow exists in MailEnable. The 'MEIMAPS.EXE' service fails to perform proper bounds checking, resulting in a stack-based buffer overflow. With a specially crafted request containing an overly long mailbox name to the 'select', 'create', 'delete', 'rename', 'subscribe' and 'unsubscribe' commands, a remote attacker can cause arbitrary code execution, resulting in a loss of integrity.
References:
Vendor URL: http://www.mailenable.com/
Vendor Specific Solution URL: http://www.mailenable.com/hotfix/ME-10008.EXE
Security Tracker: 1015239
Secunia Advisory ID: 17633 (https://secuniaresearch.flexerasoftware.com/advisories/17633/)
Related OSVDB ID: 20930 (https://vulners.com/osvdb/OSVDB:20930)
Other Advisory URL: http://secunia.com/secunia_research/2005-59/advisory/
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0581.html
Keyword: ME-10008
ISS X-Force ID: 23110
FrSIRT Advisory: ADV-2005-2484
CVE-2005-3690
Bugtraq ID: 15492
Record Metadata
Source: https://vulners.com/osvdb/OSVDB:20929
Bulletin family: software
Published: 2005-11-18T02:48:18; last seen 2017-04-28T13:20:17
CVSS v2: 7.5, vector AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL
Vulners score: 8.2
Affected Software:
MailEnable Enterprise 1.1
MailEnable Professional 1.6
Related entries: CVE-2005-3690 (https://vulners.com/cve/CVE-2005-3690); SAINT:6A7981BF26831C0ADEF7EB7EA59A275D, SAINT:4EB718DA1ECBC3F0AE650F628EBE045A, SAINT:06326FAA946024476AB3FFFC933E6DAD; Nessus plugin MAILENABLE_IMAP_17.NASL
Related Records

CVE-2005-3690 (NVD; published 2005-11-19T01:03:00, modified 2017-07-11T01:33:00)
Description: Stack-based buffer overflow in the IMAP service (meimaps.exe) of MailEnable Professional 1.6 and earlier and Enterprise 1.1 and earlier allows remote attackers to execute arbitrary code via a long mailbox name in the (1) select, (2) create, (3) delete, (4) rename, (5) subscribe, or (6) unsubscribe commands.
CVSS v2: 7.5 (HIGH), vector AV:N/AC:L/Au:N/C:P/I:P/A:P; exploitability score 10.0, impact score 6.4; no user interaction required
CWE: NVD-CWE-Other
CPE: cpe:/a:mailenable:mailenable_professional:1.6, cpe:/a:mailenable:mailenable_enterprise:1.1
URL: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3690

SAINT exploit record: MailEnable IMAP mailbox name buffer overflow (added 11/29/2005)
IDs: SAINT:6A7981BF26831C0ADEF7EB7EA59A275D, SAINT:4EB718DA1ECBC3F0AE650F628EBE045A, SAINT:06326FAA946024476AB3FFFC933E6DAD (three editions of the same entry)
URLs: http://www.saintcorporation.com/cgi-bin/exploit_info/mailenable_imap_mailbox, http://download.saintcorporation.com/cgi-bin/exploit_info/mailenable_imap_mailbox, https://my.saintcorporation.com/cgi-bin/exploit_info/mailenable_imap_mailbox
CVE: CVE-2005-3690 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3690)
BID: 15492 (http://www.securityfocus.com/bid/15492)
OSVDB: 20929 (http://www.osvdb.org/20929)
CVSS: 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Background: MailEnable (http://www.mailenable.com) is a mail server for Windows platforms. The standard edition supports the SMTP and POP3 protocols. MailEnable Professional and MailEnable Enterprise also support IMAP and HTTPMail.
Problem: A buffer overflow in the SELECT, CREATE, DELETE, RENAME, SUBSCRIBE, and UNSUBSCRIBE commands could allow an authenticated user to execute arbitrary commands using a long, specially crafted mailbox name.
Resolution: Upgrade (http://www.mailenable.com/download.asp) to MailEnable Professional 1.7 or MailEnable Enterprise 1.1 with all needed hotfixes (http://www.mailenable.com/hotfix).
References: http://secunia.com/secunia_research/2005-59/advisory/
Limitations: Exploit works against MailEnable Professional 1.6. The vulnerable host must be able to connect back to a port on the attacking host. Exploit requires a valid IMAP user and password.
Platforms: Windows

Nessus plugin: MailEnable < 1.7 IMAP Server Multiple Vulnerabilities (ME-100008)
Plugin: MAILENABLE_IMAP_17.NASL (Nessus plugin 20226), https://www.tenable.com/plugins/nessus/20226
Published: 2005-11-20; modified 2021-01-02
CVEs: CVE-2005-3690, CVE-2005-3691
CPE: cpe:/a:mailenable:mailenable
CVSS: 7.5, vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Description: The remote host is running MailEnable, a commercial mail server for Windows. The IMAP server bundled with the version of MailEnable Professional or Enterprise Edition installed on the remote host is prone to a stack-based buffer overflow when handling an overly-long mailbox name in certain commands. An authenticated attacker may be able to leverage this issue to execute arbitrary code remotely as the SYSTEM user. It also fails to filter directory traversal sequences from mailbox names passed to the 'CREATE' and 'RENAME' commands. An authenticated attacker can exploit these issues to create arbitrary directories on the affected host and to cause a denial of service by renaming the mail directories of other users.
Solution: Upgrade to MailEnable Professional 1.7 or later. Or apply ME-100008, the IMAP Cumulative Hotfix dated November 18th, 2005, referenced in the vendor URL above.
Plugin source (NASL, as published by Tenable; the check uses the CREATE directory-traversal issue, not the overflow, and requires IMAP credentials in the knowledge base):

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(20226);
  script_version("1.19");
  script_cvs_date("Date: 2018/11/15 20:50:27");

  script_cve_id("CVE-2005-3690", "CVE-2005-3691");
  script_bugtraq_id(15492, 15494);

  script_name(english:"MailEnable < 1.7 IMAP Server Multiple Vulnerabilities (ME-100008)");
  script_summary(english:"Checks for buffer overflow and directory traversal vulnerabilities in MailEnable IMAP server");

  script_set_attribute(attribute:"synopsis", value:
"The remote IMAP server is affected by buffer overflow and directory
traversal vulnerabilities." );
  script_set_attribute(attribute:"description", value:
"The remote host is running MailEnable, a commercial mail server for
Windows.

The IMAP server bundled with the version of MailEnable Professional or
Enterprise Edition installed on the remote host is prone to a
stack-based buffer overflow when handling an overly-long mailbox name
in certain commands. An authenticated attacker may be able to
leverage this issue to execute arbitrary code remotely as the SYSTEM
user.

It also fails to filter directory traversal sequences from mailbox
names passed to the 'CREATE' and 'RENAME' commands. An authenticated
attacker can exploit these issues to create arbitrary directories on
the affected host and to cause a denial of service by renaming the
mail directories of other users." );
  script_set_attribute(attribute:"see_also", value:"https://secuniaresearch.flexerasoftware.com/community/research/" );
  script_set_attribute(attribute:"see_also", value:"http://www.mailenable.com/hotfix/" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to MailEnable Professional 1.7 or later. Or apply ME-100008,
the IMAP Cumulative Hotfix dated November 18th, 2005, referenced in
the vendor URL above." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value: "2005/11/20");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/11/18");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mailenable:mailenable");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");

  script_dependencie("imap_overflow.nasl");
  script_require_keys("imap/login", "imap/password");
  script_exclude_keys("imap/false_imap", "imap/overflow");
  script_require_ports("Services/imap", 143);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");


port = get_kb_item("Services/imap");
if (!port) port = 143;
if (!get_port_state(port) || get_kb_item("imap/false_imap")) exit(0);


user = get_kb_item("imap/login");
pass = get_kb_item("imap/password");
if (!user || !pass) {
  exit(0, "imap/login and/or imap/password are empty");
}


# Establish a connection.
tag = 0;
soc = open_sock_tcp(port);
if (!soc) exit(0);


# Read banner and make sure it looks like MailEnable's.
s = recv_line(socket:soc, length:1024);
if (
  !strlen(s) ||
  "IMAP4rev1 server ready at" >!< s
) {
  close(soc);
  exit(0);
}


# Try to log in.
++tag;
resp = NULL;
c = string("nessus", string(tag), " LOGIN ", user, " ", pass);
send(socket:soc, data:string(c, "\r\n"));
while (s = recv_line(socket:soc, length:1024)) {
  s = chomp(s);
  m = eregmatch(pattern:string("^nessus", string(tag), " (OK|BAD|NO)"), string:s, icase:TRUE);
  if (!isnull(m)) {
    resp = m[1];
    break;
  }
}


# If successful, try to exploit the flaw.
if (resp && resp =~ "OK") {
  ++tag;
  resp = NULL;
  # nb: this creates a random directory in MailEnable's installation directory.
  mailbox = string(SCRIPT_NAME, "_", rand_str());
  c = string("nessus", string(tag), " CREATE ../../../../", mailbox);
  send(socket:soc, data:string(c, "\r\n"));
  while (s = recv_line(socket:soc, length:1024)) {
    s = chomp(s);
    m = eregmatch(pattern:string("^nessus", string(tag), " (OK|BAD|NO)"), string:s, icase:TRUE);
    if (!isnull(m)) {
      resp = m[1];
      break;
    }
  }

  # There's a problem if we were successful; ie,
  # "nessus2 OK CREATE completed" vs "nessus2 BAD Invalid parameters".
  if (resp && resp =~ "OK" && "CREATE completed" >< s) {
    if (report_verbosity > 0) {
      report = string(
        "Nessus was able to create the following directory on the remote\n",
        "host, under the directory in which MailEnable is installed:\n",
        "\n",
        mailbox
      );
    }
    else report = NULL;

    security_hole(port:port, extra:report);
  }
}
else if (resp =~ "NO") {
  debug_print("couldn't login with supplied IMAP credentials!", level:1);
}


# Logout.
++tag;
resp = NULL;
c = string("nessus", string(tag), " LOGOUT");
send(socket:soc, data:string(c, "\r\n"));
while (s = recv_line(socket:soc, length:1024)) {
  s = chomp(s);
  m = eregmatch(pattern:string("^nessus", string(tag), " (OK|BAD|NO)"), string:s, icase:TRUE);
  if (!isnull(m)) {
    resp = m[1];
    break;
  }
}
close(soc);
```
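As a defender-side illustration added here (not code from the advisory, from MailEnable, or from the Nessus plugin), the following Python inspects client IMAP command lines for the two conditions the records on this page describe: an overly long mailbox name in the six listed commands, and a directory-traversal sequence in a CREATE or RENAME mailbox name. The 255-character limit, the regexes and the sample session are assumptions constructed for this example; the advisory names no concrete buffer size.

```python
import re
import shlex

# Commands the advisory lists as mishandling an overly long mailbox name.
OVERFLOW_COMMANDS = {"SELECT", "CREATE", "DELETE", "RENAME", "SUBSCRIBE", "UNSUBSCRIBE"}
# Commands the Nessus plugin on this page reports as not filtering traversal sequences.
TRAVERSAL_COMMANDS = {"CREATE", "RENAME"}
# Assumed policy limit for this example only; the advisory gives no buffer size.
MAX_MAILBOX_LEN = 255

# "tag COMMAND args" as a client sends it; tag is any non-blank token.
TAGGED_LINE = re.compile(r"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")
# A ".." path component delimited by / or \ (or at the start/end of the name).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def mailbox_args(cmd, args):
    """Return the mailbox-name arguments of a command (RENAME takes two)."""
    if not args:
        return []
    try:
        parts = shlex.split(args)  # honours "quoted mailbox names"
    except ValueError:             # unterminated quote: fall back to whitespace
        parts = args.split()
    return parts[:2] if cmd == "RENAME" else parts[:1]


def inspect_command(line):
    """Return (finding, tag, cmd) tuples for one command line; empty if clean."""
    m = TAGGED_LINE.match(line.strip())
    if not m:
        return []
    tag, cmd, args = m.group("tag"), m.group("cmd").upper(), m.group("args")
    findings = []
    for name in mailbox_args(cmd, args):
        if cmd in OVERFLOW_COMMANDS and len(name) > MAX_MAILBOX_LEN:
            findings.append(("overlong_mailbox", tag, cmd))
        if cmd in TRAVERSAL_COMMANDS and TRAVERSAL.search(name):
            findings.append(("traversal_in_mailbox", tag, cmd))
    return findings


def scan_session(lines):
    """Run inspect_command over every line of a client-to-server capture."""
    return [f for line in lines for f in inspect_command(line)]


# Constructed sample session for this example (not a real capture).
SAMPLE_SESSION = [
    "a001 LOGIN alice secret",
    "a002 SELECT INBOX",
    'a003 CREATE "Projects/2005"',
    'a004 RENAME Drafts "Old Drafts"',
    "a005 CREATE ../../../../scratch",
    "a006 SUBSCRIBE " + "A" * 600,
    "a007 LOGOUT",
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION):
        print(*finding)
```

Run against a proxy or server log, the same checks also give a quick inventory of which clients still send names longer than a chosen policy limit before the limit is enforced at the server.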