CMailServer CMailCOM.dll MoveToFolder buffer overflow

2008-08-27T00:00:00
ID SAINT:6D0B0BE01FA4223EFC2A21C79B026D9A
Type saint
Reporter SAINT Corporation
Modified 2008-08-27T00:00:00

Description

Added: 08/27/2008
BID: 30098
OSVDB: 46750

Background

CMailServer is a mail and web mail server.

The CMailServer web interface includes the **CMailCOM.dll** component which provides several classes.

Problem

A buffer overflow vulnerability in the **MoveToFolder** method of the POP3 class in **CMailCOM.dll** allows a remote attacker to execute arbitrary commands by requesting the **mvmail.asp** script with specially crafted arguments.

Resolution

Upgrade to version 5.4.7, which will presumably contain a fix, or higher when available.

References

<http://secunia.com/advisories/30940/>

Limitations

Exploit works on CMailServer 5.4.6.

In order for this exploit to succeed on Windows XP, the account used for anonymous access must be the IIS guest account (IWAM_XXX).

Platforms

Windows 2000
Windows XP