MailEnable IMAP mailbox name buffer overflow

2005-11-29T00:00:00
ID SAINT:6A7981BF26831C0ADEF7EB7EA59A275D
Type saint
Reporter SAINT Corporation
Modified 2005-11-29T00:00:00

Description

Added: 11/29/2005
CVE: CVE-2005-3690
BID: 15492
OSVDB: 20929

Background

MailEnable is a mail server for Windows platforms. The standard edition supports the SMTP and POP3 protocols. MailEnable Professional and MailEnable Enterprise also support IMAP and HTTPMail.

Problem

A buffer overflow in the SELECT, CREATE, DELETE, RENAME, SUBSCRIBE, and UNSUBSCRIBE commands could allow an authenticated user to execute arbitrary commands using a long, specially crafted mailbox name.

Resolution

Upgrade to MailEnable Professional 1.7 or MailEnable Enterprise 1.1 with all needed hotfixes.

References

<http://secunia.com/secunia_research/2005-59/advisory/>

Limitations

Exploit works against MailEnable Professional 1.6. The vulnerable host must be able to connect back to a port on the attacking host. Exploit requires a valid IMAP user and password.

Platforms

Windows