Full Disclosure mailing list archives
MailEnable Imapd remote BoF + Exploit [x0n3-h4ck]
From: "expanders" <expanders () libero it>
Date: Tue, 5 Apr 2005 19:31:09 +0200
-=[--------------------------------ADVISORY---------------------- -=[ -=[ MailEnable Enterprise & Pro remote BoF -=[ -=[ Author: Expanders [expanders () gmail com] -=[ CorryL [corryl80 () gmail com] -=[ -=[ www.x0n3-h3ck.org -=[------------------------------------------------------------------------ -=[+] Application: Mail Enable Imapd ( MEIMAP.exe ) -=[+] Version: (Enterprise <= 1.04)-(Professional <= 1.54) -=[+] Vendor's URL: www.mailenable.com -=[+] Platform: Windows -=[+] Bug type: Buffer overflow -=[+] Exploitation: Remote/Local -=[-] -=[+] Author: Expanders ~ expanders[at]gmail[dot]com ~ -=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~ -=[+] Reference: www.x0n3-h4ck.org ..::[ Descriprion ]::.. MailEnable's mail server software provides a powerful, scalable hosted messaging platform for Microsoft Windows. MailEnable offers stability, unsurpassed flexibility and an extensive feature set which allows you to provide cost-effective mail services. ..::[ Bug ]::.. Imapd service is buffer overflow vulnerable at "A001 AUTHENTICATE <buffer>" command. Passing a buffer greater than 1016 bytes will overwrite ECX and EAX register allowing remote attacker to execute arbitraty code on the vulnerable server. ..::[ Proof Of Concept ]::.. A001 AUTHENTICATE "A"x1024 ..::[ Exploit ]::.. Attached or: http://www.x0n3-h4ck.org/upload/x0n3-h4ck_MailEnable_Imapd.c ..::[ Workaround ]::.. There is no workaround ..::[ Path or Fix ]::.. http://www.mailenable.com/hotfix http://www.mailenable.com/hotfix/MEIMSM-HF050404.zip ..::[ Disclousure Timeline ]::.. [02/04/2005] - Vendor notification [03/04/2005] - Vendor Response [03/04/2005] - Hotfix relased by vendor [05/04/2005] - Public disclousure
Attachment:
x0n3-h4ck_MailEnable_Imapd.c
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- MailEnable Imapd remote BoF + Exploit [x0n3-h4ck] expanders (Apr 05)
- Re: MailEnable Imapd remote BoF + Exploit [x0n3-h4ck] H D Moore (Apr 06)