Full Disclosure mailing list archives
Mercur SP4 IMAPD
From: mu-b <mu-b () digit-labs org>
Date: Tue, 20 Mar 2007 17:11:13 +0000
The attached exploits several signedness bugs in the NTLM implementation of Mercur IMAPD (www.atrium-software.com) to give the attacker complete control over a memcpy to a stack variable... (non-authenticated)

In this case, memcpy(buf, src+a, b) with 'a' and 'b' being user controlled and buf ~7208 bytes. Note: due to the most important signedness issue, we can only control 'a' within the range -65535 < a < 65536...

The result of the PoC is a simple crash trying to copy 0xffffffff bytes...

(d94.1dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0210a108 ebx=0210ac24 ecx=3fffeb08 edx=ffffffff esi=02110000 edi=0210f4e4
eip=0042e0d3 esp=021098c8 ebp=021098d0 iopl=0         nv up ei pl nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010207
*** WARNING: Unable to verify checksum for C:\Program Files\MERCUR\mcrimap4.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MERCUR\mcrimap4.exe -
mcrimap4!_GetExceptDLLinfo+0x2d05f:
0042e0d3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi] es:0023:0210f4e4=00000000 ds:0023:02110000=???????

PoC: http://www.digit-labs.org/files/exploits/mercur-v1.pl

-- 
mu-b (mu-b () digit-labs org)

"Only a few people will follow the proof. Whoever does will spend the rest of his life convincing people it is correct."
- Anonymous, "P ?= NP"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
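The bounds check a defender would want around a memcpy like the one described above, written as an added C example (not code from the post, the PoC, or Mercur): it parses an NTLM-style security buffer header with unsigned arithmetic only and rejects the oversized-length and negative-offset ranges the post mentions, while `wire_len_as_signed` shows the signed narrowing that turns a 16-bit length into a ~4 GB copy. The header layout, the function names and the sample messages are assumptions constructed for the example; `BUF_CAP` mirrors the ~7208-byte buffer quoted in the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BUF_CAP 7208u  /* the ~7208-byte stack buffer mentioned in the post */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The defect class in one line: a 16-bit wire length read through a signed
 * type goes negative from 0x8000 upward, and memcpy() would then receive it
 * as a size_t near 4 GB. Returned only to show the conversion; never used to copy. */
int wire_len_as_signed(const uint8_t *hdr) { return (short)rd16(hdr); }

/* Hardened copy of one NTLM-style security buffer into dst. Assumed header
 * layout at msg+hdr_off: uint16 len, uint16 maxlen, uint32 offset (little-endian).
 * All arithmetic is unsigned and ordered so it cannot wrap.
 * Returns bytes copied, or -1 if any field points outside msg or dst. */
long ntlm_copy_secbuf(const uint8_t *msg, size_t msg_len, size_t hdr_off,
                      uint8_t *dst, size_t dst_cap)
{
    if (msg_len < 8 || hdr_off > msg_len - 8) return -1;   /* header inside msg */
    uint32_t len = rd16(msg + hdr_off);                      /* stays unsigned */
    uint32_t off = rd32(msg + hdr_off + 4);
    if (off > msg_len || len > msg_len - off) return -1;    /* payload inside msg */
    if (len > dst_cap) return -1;                           /* payload fits dst */
    memcpy(dst, msg + off, len);
    return (long)len;
}

/* Constructed sample messages (not captured Mercur traffic). */
static const uint8_t benign[]   = { 5,0, 5,0, 8,0,0,0, 'h','e','l','l','o' };
static const uint8_t huge_len[] = { 0xff,0xff, 0xff,0xff, 8,0,0,0, 'x' };  /* len 65535 */
static const uint8_t neg_off[]  = { 1,0, 1,0, 0x01,0x00,0xff,0xff, 'x' };  /* offset 0xffff0001, -65535 if signed */

/* Run one message through the hardened copy into a BUF_CAP-sized stack buffer. */
long run_case(const uint8_t *m, size_t n) {
    uint8_t buf[BUF_CAP];
    return ntlm_copy_secbuf(m, n, 0, buf, sizeof buf);
}

/* True when the copy succeeds and the copied bytes equal the expected string. */
int copied_matches(const uint8_t *m, size_t n, const char *expect) {
    uint8_t buf[BUF_CAP];
    long r = ntlm_copy_secbuf(m, n, 0, buf, sizeof buf);
    return r >= 0 && (size_t)r == strlen(expect) && memcmp(buf, expect, (size_t)r) == 0;
}
```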