lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: kostya.kortchinsky at renater.fr (Kostya KORTCHINSKY)
Subject: Vulnerability in MERCUR Mail Server v4.2 SP3 and below

Vulnerability in MERCUR Mail Server v4.2 SP3 and below
------------------------------------------------------

To K-Otik (or any other) : the vulnerability was *not* discovered by
Qualys as stated on your site.

Summary
-------

http://www.atrium-software.com/

MERCUR Mail Server offers the necessary features to provide an efficient
and effective communications medium. These include Security features
using IP-Caching Firewall, NORMAN Virus Control Engine, check open relay
database by using DNS, Remote Configuration via a Web Browser,
Dial-Up-connectivity (Modem, ISDN-Card), dedicated connectivity
(ISDN-Router) or connectivity over the network (Router) to your ISP.

MERCUR Mail Server Version 4.2 is designed for Windows NT 4.0
Workstation and Server, Windows 2000 Professional and Server as well as
Windows XP acquire a email server all the Extras.

Vulnerability
-------------

I have found a vulnerability in MERCUR Mailserver allowing remote 
command execution for an unauthenticated user and managed to write a
working exploit for it on a Windows 2000 SP4 French with MERCUR
Mailserver (v4.2 SP3 Unregistered) for Windows NT, giving remote access
to a cmd.exe with System privileges.

The vulnerability is located in the base64 decoding routine which
doesn't check the length of the supplied data and hence decodes and
writes everything it can until nothing is left. But there are cases when
the destination buffer is small enough (and on the stack) so that a
buffer overflow will give us the control of EBP and EIP, and then allow
remote code execution.

For the SMTP component, the command I used in the exploit is "AUTH PLAIN
Base64String". By carefully constructing the buffer to encode ([0x10C
DATA],[EBP],[EIP]), encoding it and sending it, we trigger the overflow
and gain control of code execution. Here is the disassembled source of
the faulty section :

CODE:00424FB8                 push    eax ; length of data
CODE:00424FB9                 lea     edx, [ebp+var_10C] ; only 0x10C 
bytes above EBP !
CODE:00424FBF                 push    edx ; destination buffer
CODE:00424FC0                 push    edi ; source buffer
CODE:00424FC1                 call    base64_decode

(up to you to check the base64 decoding routine)

One can reproduce the fault by connecting to port 25 of the server
(with the telnet client of Win2k or WinXP - not a UNIX one that will
result in a connection closed event) and sending the following query (on
a single line) :

AUTH PLAIN 
kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ

Server will try to execute code at address 0x90909090 and crash.

Vulnerability is also present in the POP3 module ("AUTH PLAIN" command)
and the IMAP module ("AUTHENTICATE PLAIN" command).

Vendor Response
---------------

Vendor was contacted on October, 7th 2003.

Stefan Sigmund from atrium software international responded to my
initial query :

"We are able to duplicate the problem with POP3 and IMAP4, but not with
SMTP. All three services contain a special buffer checking feature. Very
long commands will be blocked and the connection will be closed
immediatelly. It seems that this feature works well in the SMTP part.

However, we are going to create a patch for that issue. But, we need to 
make sure that everything is working well."

Solution
--------

Upgrade to MERCUR Mailserver Version 4.2 - Service Pack 3a which is 
available since October, 20th 2003. You might also want to check the
following URLs :
http://www.atrium-software.com/mail%20server/pub/mcr42sp3a.html
http://www.atrium-software.com/download/mercur%20service%20pack.exe

Greetings
---------

Regards to HD Moore for his Vampiric Import shellcode and PEX, that
helped a _lot_ implementing the exploit for this vulnerability.
Greetings to Recca and people in #fr-opers and #fee1dead on EFnet :P

--
Kostya KORTCHINSKY
CERT RENATER
kostya.kortchinsky@...ater.fr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ