lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue Apr  5 18:29:04 2005
From: expanders at libero.it (expanders)
Subject: MailEnable Imapd remote BoF + Exploit [x0n3-h4ck]

-=[--------------------------------ADVISORY----------------------
-=[
-=[    MailEnable Enterprise & Pro remote BoF
-=[
-=[  Author: Expanders  [expanders@...il.com]
-=[              CorryL     [corryl80@...il.com]
-=[
-=[                             www.x0n3-h3ck.org
-=[------------------------------------------------------------------------


-=[+] Application:    Mail Enable Imapd ( MEIMAP.exe )
-=[+] Version:        (Enterprise <= 1.04)-(Professional <= 1.54)
-=[+] Vendor's URL:   www.mailenable.com
-=[+] Platform:       Windows
-=[+] Bug type:       Buffer overflow
-=[+] Exploitation:   Remote/Local
-=[-]
-=[+] Author:         Expanders  ~ expanders[at]gmail[dot]com ~
-=[+] Author:         CorryL     ~  corryl80[at]gmail[dot]com ~
-=[+] Reference:      www.x0n3-h4ck.org


..::[ Descriprion ]::..

MailEnable's mail server software provides a powerful, 
scalable hosted messaging platform for Microsoft Windows. 
MailEnable offers stability, unsurpassed flexibility and 
an extensive feature set which allows you to provide
cost-effective mail services.


..::[ Bug ]::..

Imapd service is buffer overflow vulnerable at "A001 AUTHENTICATE <buffer>" command.
Passing a buffer greater than 1016 bytes will overwrite ECX and EAX register allowing remote 
attacker to execute arbitraty code on the vulnerable server.


..::[ Proof Of Concept ]::..

A001 AUTHENTICATE "A"x1024

..::[ Exploit ]::..

Attached or:

http://www.x0n3-h4ck.org/upload/x0n3-h4ck_MailEnable_Imapd.c

..::[ Workaround ]::..

There is no workaround

..::[ Path or Fix ]::..

http://www.mailenable.com/hotfix
http://www.mailenable.com/hotfix/MEIMSM-HF050404.zip


..::[ Disclousure Timeline ]::..

[02/04/2005] - Vendor notification
[03/04/2005] - Vendor Response
[03/04/2005] - Hotfix relased by vendor
[05/04/2005] - Public disclousure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050405/e06b3153/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: x0n3-h4ck_MailEnable_Imapd.c
Type: application/octet-stream
Size: 10596 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050405/e06b3153/x0n3-h4ck_MailEnable_Imapd.obj

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ