[Full-disclosure] [ACSSEC-2005-11-27-0x2] Remote Overflows in Mailenable Enterprise 1.1 / Professional 1.7

Type securityvulns
Reporter Securityvulns
Modified 2005-12-20T00:00:00


Re: See-Security Research and Development "A remote buffer overflow exists in MailEnable Enterprise 1.1 IMAP EXAMINE command, which allows for post authentication code execution. This vulnerability affects Mailenable Enterprise 1.1 without the ME-10009.EXE patch." -- There's a reason why the ME-10009 patch was released. You're welcome!

-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=- ACS Security Assessment Advisory - Buffer Overflow ID: ACSSEC-2005-11-27 - 0x2 Class: Buffer Overflow Package: MailEnable Enterprise Edition version 1.1 MailEnable Professional version 1.7 Build: Windows NT/2k/XP/2k3 Reported: Dec 01, 2005 Released: Dec 21, 2005 Remote: Yes Severity: Medium Credit: Tim Shelton <security-advisories@acs-inc.com> -=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=- -=[ Background MailEnable's mail server software provides a powerful, scalable hosted messaging platform for Microsoft Windows. MailEnable offers stability, unsurpassed flexibility and an extensive feature set which allows you to provide cost-effective mail services.

-=[ Technical Description Multiple vulnerabilities has been identified in MailEnable, which may be exploited by remote attackers to cause a denial of service, or could lead to remote execution of code. This issue is due to an error in the IMAP service that does not properly handle specially crafted requests.

-=[ Proof of Concepts IMAP REQUEST: '02 LIST /.:/' + Ax5000 IMAP REQUEST: '02 LSUB' /.:/ ('A' x 5000) request IMAP REQUEST: '02 UID FETCH /.:/' AX5000 ' FLAGS' IMAP REQUEST: '02 UID FETCH /...'x5 ' FLAGS' IMAP REQUEST: '02 UID FETCH '/\'x5000 ' Several others exist and all have been reported to the vendor. -=[ Solution According to Peter Fregon of MailEnable Pty. Ltd, these advisories have been patched in the latest ME-10009 Patch. Any further questions should be directed towards the vendor. http://www.mailenable.com/hotfix/default.asp -=[ Credits Vulnerability originally reported by Tim Shelton -=[ Similar References http://www.frsirt.com/english/advisories/2005/2579 http://www.frsirt.com/english/advisories/2005/2484 -=[ ChangeLog 2005-11-27 : Original Advisory 2005-12-01 : Notified Vendor 2005-12-03 : Vendor Response 2005-12-21 : Full Disclosure

-=[ Vendor Response

Sat 12/3/2005 1:41 AM Hi, Thanks for the information. We have posted a hotfix for this at the following URL: http://www.mailenable.com/hotfix We will also be updating our installation kits with this hotfix shortly.

Thanks Peter Fregon MailEnable Pty. Ltd.

Friday, 2 December 2005 03:02 All - Below is an internal advisory notification for MailEnable Enterprise Edition version 1.1 and possibly others. Attached is our Ethical Disclosure Policy. If you have any further questions, please do not hesitate to contact us. Thanks, Tim Shelton ACS Security Assessment Engineering