Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

MailEnable Imapd remote BoF + Exploit [x0n3-h4ck]

From: "expanders" <expanders () libero it>
Date: Tue, 5 Apr 2005 19:31:09 +0200
-=[--------------------------------ADVISORY----------------------
-=[
-=[    MailEnable Enterprise & Pro remote BoF
-=[
-=[  Author: Expanders  [expanders () gmail com]
-=[              CorryL     [corryl80 () gmail com]
-=[
-=[                             www.x0n3-h3ck.org
-=[------------------------------------------------------------------------


-=[+] Application:    Mail Enable Imapd ( MEIMAP.exe )
-=[+] Version:        (Enterprise <= 1.04)-(Professional <= 1.54)
-=[+] Vendor's URL:   www.mailenable.com
-=[+] Platform:       Windows
-=[+] Bug type:       Buffer overflow
-=[+] Exploitation:   Remote/Local
-=[-]
-=[+] Author:         Expanders  ~ expanders[at]gmail[dot]com ~
-=[+] Author:         CorryL     ~  corryl80[at]gmail[dot]com ~
-=[+] Reference:      www.x0n3-h4ck.org


..::[ Descriprion ]::..

MailEnable's mail server software provides a powerful, 
scalable hosted messaging platform for Microsoft Windows. 
MailEnable offers stability, unsurpassed flexibility and 
an extensive feature set which allows you to provide
cost-effective mail services.


..::[ Bug ]::..

Imapd service is buffer overflow vulnerable at "A001 AUTHENTICATE <buffer>" command.
Passing a buffer greater than 1016 bytes will overwrite ECX and EAX register allowing remote 
attacker to execute arbitraty code on the vulnerable server.


..::[ Proof Of Concept ]::..

A001 AUTHENTICATE "A"x1024

..::[ Exploit ]::..

Attached or:

http://www.x0n3-h4ck.org/upload/x0n3-h4ck_MailEnable_Imapd.c

..::[ Workaround ]::..

There is no workaround

..::[ Path or Fix ]::..

http://www.mailenable.com/hotfix
http://www.mailenable.com/hotfix/MEIMSM-HF050404.zip


..::[ Disclousure Timeline ]::..

[02/04/2005] - Vendor notification
[03/04/2005] - Vendor Response
[03/04/2005] - Hotfix relased by vendor
[05/04/2005] - Public disclousure

Attachment: x0n3-h4ck_MailEnable_Imapd.c
Description: 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: