MERCUR imapd SUBSCRIBE command buffer overflow

2007-03-27T00:00:00
ID SAINT:5B82A905D90DCF9334B7FDEDE2AE9E0C
Type saint
Reporter SAINT Corporation
Modified 2007-03-27T00:00:00

Description

Added: 03/27/2007
CVE: CVE-2007-1579
BID: 23050
OSVDB: 33546

Background

MERCUR Messaging Server is an e-mail server supporting the SMTP, POP3, and IMAP protocols for Windows platforms.

Problem

A buffer overflow vulnerability allows remote, authenticated attackers to execute arbitrary commands by sending a long, specially crafted SUBSCRIBE command to the IMAP service.

Resolution

Upgrade to MERCUR Messaging Server 5.0 SP5 or higher when available.

References

<http://secunia.com/advisories/24619/>

Limitations

Exploit works on MERCUR Messaging Server 5.0 SP3 and SP4 and requires a valid user name and password.

The number of characters in the mail domain should be correct in order for the exploit to succeed.

Platforms

Windows 2000
Windows Server 2003 SP0
Windows Server 2003 SP1 / Windows Server 2003