Mercur Messaging IMAP SUBSCRIBE Command Overflow

2007-03-20T05:49:35
ID OSVDB:33546
Type osvdb
Reporter Winny Thomas()
Modified 2007-03-20T05:49:35

Description

Vulnerability Description

A remote overflow exists in Mercur Messaging Server. The IMAP service (MCRIMAP4.EXE) fails to properly check boundaries when processing a SUBSCRIBE command with an overly long (greater than 260 bytes) argument resulting in a stack-based overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

A remote overflow exists in Mercur Messaging Server. The IMAP service (MCRIMAP4.EXE) fails to properly check boundaries when processing a SUBSCRIBE command with an overly long (greater than 260 bytes) argument resulting in a stack-based overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.

References:

Secunia Advisory ID:24619 Other Advisory URL: https://www.immunityinc.com/downloads/immpartners/MercurImapSubscribe.tar Mail List Post: http://whitestar.linuxbox.org/pipermail/exploits/2007-March/000163.html Generic Exploit URL: http://www.milw0rm.com/exploits/3537 CVE-2007-1579 Bugtraq ID: 23050