[Full-disclosure] MailEnable Imapd remote BoF + Exploit [x0n3-h4ck]

2005-04-07T00:00:00
ID SECURITYVULNS:DOC:8252
Type securityvulns
Reporter Securityvulns
Modified 2005-04-07T00:00:00

Description

-=[--------------------------------ADVISORY---------------------- -=[ -=[ MailEnable Enterprise & Pro remote BoF -=[ -=[ Author: Expanders [expanders@gmail.com] -=[ CorryL [corryl80@gmail.com] -=[ -=[ www.x0n3-h3ck.org -=[------------------------------------------------------------------------

-=[+] Application: Mail Enable Imapd ( MEIMAP.exe ) -=[+] Version: (Enterprise <= 1.04)-(Professional <= 1.54) -=[+] Vendor's URL: www.mailenable.com -=[+] Platform: Windows -=[+] Bug type: Buffer overflow -=[+] Exploitation: Remote/Local -=[-] -=[+] Author: Expanders ~ expanders[at]gmail[dot]com ~ -=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~ -=[+] Reference: www.x0n3-h4ck.org

..::[ Descriprion ]::..

MailEnable's mail server software provides a powerful, scalable hosted messaging platform for Microsoft Windows. MailEnable offers stability, unsurpassed flexibility and an extensive feature set which allows you to provide cost-effective mail services.

..::[ Bug ]::..

Imapd service is buffer overflow vulnerable at "A001 AUTHENTICATE <buffer>" command. Passing a buffer greater than 1016 bytes will overwrite ECX and EAX register allowing remote attacker to execute arbitraty code on the vulnerable server.

..::[ Proof Of Concept ]::..

A001 AUTHENTICATE "A"x1024

..::[ Exploit ]::..

Attached or:

http://www.x0n3-h4ck.org/upload/x0n3-h4ck_MailEnable_Imapd.c

..::[ Workaround ]::..

There is no workaround

..::[ Path or Fix ]::..

http://www.mailenable.com/hotfix http://www.mailenable.com/hotfix/MEIMSM-HF050404.zip

..::[ Disclousure Timeline ]::..

[02/04/2005] - Vendor notification [03/04/2005] - Vendor Response [03/04/2005] - Hotfix relased by vendor [05/04/2005] - Public disclousure