Date: Fri, 6 Jun 2003 17:26:32 +0200
From: "Dennis Rand" <der@...owarfare.dk>
To: "Vulnwatch@...nwatch. Org" <vulnwatch@...nwatch.org>,
	"Bugs@...uritytracker. Com" <bugs@...uritytracker.com>,
	<bugtraq@...urityfocus.com>,
	"News@...uriteam. Com" <news@...uriteam.com>,
	"Vuln@...unia. Dk" <vuln@...unia.dk>
Subject: Multiple Buffer Overflow Vulnerabilities Found in MERCUR Mail server v.4.2 (SP2) - IMAP protocol


Affected IMAP commands: [STATUS, EXAMINE, DELETE, SUBSCRIBE, UNSUBSCRIBE, RENAME, LIST, LSUB, LOGIN, CREATE, SELECT]

                      Multiple Buffer Overflow Vulnerabilities
                       Found in MERCUR Mail server v.4.2 (SP2)
                         http://www.atriumsoftwareusa.com/

                            Discovered by Dennis Rand
                               www.Infowarfare.dk
------------------------------------------------------------------------


-----[SUMMARY
Mercur Mail Server is a Windows NT4/2000/XP mail server application,
supporting all the RFC industry standards set for POP3, IMAP4 and SMTP.
A versatile application that offers stability, security and scalability,
designed to meet any size organization from the small business to an
enterprise business with thousands of employees or customers.
Mercur Mail Server supports an integrated anti-virus engine by Norman,
Black List or Open Relay connectivity, ODBC connectivity, and remote Windows
GUI and Web administration access. Mercur Mail Server
is the ideal solution for any business.

The problem is multiple buffer overflows in the IMAP4 protocol handling of the
MERCUR IMAP4-Server (v4.02.09), causing the service to shut down.



-----[AFFECTED SYSTEMS
Vulnerable systems:
 * MERCUR Mailserver 4.2 (SP2)- Fileversion : 4.2.14.0

Immune systems:
 * MERCUR Mailserver 4.2 (SP2)- Fileversion : 4.2.15.0 or higher

-----[SEVERITY
High    -     An attacker is able to cause a DoS attack on the IMAP protocol,
              and the exception handler on the stack is overwritten, allowing
              a system compromise with code execution running as SYSTEM.
              The reason this is rated HIGH is that there is no need to
              log in to the system to conduct this type of attack.


-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The vulnerability is a buffer overflow in the MERCUR IMAP4-Server (v4.02.09).
When a malicious attacker sends an overly long argument to the EXAMINE, DELETE,
SUBSCRIBE, RENAME, UNSUBSCRIBE, LIST, LSUB, STATUS, LOGIN, CREATE or SELECT
command, the buffer will overflow.
Sending too many bytes into the buffer (over 8000 characters) will cause the
server to reject the request, and nothing will happen.
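The behaviour described above (requests over 8000 characters are rejected, shorter ones still overflow) points at a length check that is unrelated to the size of the buffer being filled. The following is an added example, not MERCUR's code or anything published by the vendor: a command-line handler in which every copy is bounded by the capacity of its destination, shown next to the unsafe shape for contrast. The buffer sizes, status codes and function names are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MERCUR code. The advisory reports that the server only
 * rejected requests longer than about 8000 characters yet still overflowed on
 * shorter ones, i.e. its length check did not match the buffer it copied into.
 * The sizes below are assumptions chosen to illustrate the point. */
#define TOKEN_MAX   16   /* assumed capacity for the tag and command name */
#define MAILBOX_MAX 256  /* assumed capacity for the mailbox-name argument */

enum parse_status { PARSE_OK = 0, PARSE_BAD_SYNTAX = 1, PARSE_TOO_LONG = 2 };

struct imap_request {
    char tag[TOKEN_MAX];
    char command[TOKEN_MAX];
    char mailbox[MAILBOX_MAX];
};

/* The vulnerable shape the advisory describes, kept only for contrast and
 * never called here: a coarse length check unrelated to the real buffer
 * size, followed by an unbounded copy onto the stack. */
void select_mailbox_unsafe(const char *arg)
{
    char mailbox[MAILBOX_MAX];
    if (strlen(arg) > 8000)   /* limit does not match the 256-byte buffer */
        return;
    strcpy(mailbox, arg);     /* arguments of 256..8000 bytes overflow here */
    (void)mailbox;
}

/* Copy the next token (ended by any byte in delims) from *cursor into dst.
 * The capacity check happens before any byte is written; the cursor is
 * advanced past the token and any following spaces only on success. */
static enum parse_status copy_bounded(const char **cursor, char *dst,
                                      size_t cap, const char *delims)
{
    const char *p = *cursor;
    size_t len = strcspn(p, delims);
    if (len == 0)
        return PARSE_BAD_SYNTAX;
    if (len >= cap)                  /* leave room for the terminating NUL */
        return PARSE_TOO_LONG;
    memcpy(dst, p, len);
    dst[len] = '\0';
    p += len;
    while (*p == ' ')
        p++;
    *cursor = p;
    return PARSE_OK;
}

/* Parse "<tag> <COMMAND> <mailbox>\r\n" with every copy bounded by its
 * destination. The command name is upper-cased so callers can dispatch on it. */
enum parse_status parse_mailbox_command(const char *line, struct imap_request *out)
{
    const char *cursor = line;
    enum parse_status st;

    if ((st = copy_bounded(&cursor, out->tag, sizeof out->tag, " \r\n")) != PARSE_OK)
        return st;
    if ((st = copy_bounded(&cursor, out->command, sizeof out->command, " \r\n")) != PARSE_OK)
        return st;
    for (char *c = out->command; *c; c++)
        *c = (char)toupper((unsigned char)*c);
    /* The mailbox argument runs to end of line; its limit is the buffer size. */
    return copy_bounded(&cursor, out->mailbox, sizeof out->mailbox, "\r\n");
}

int main(void)
{
    struct imap_request req;
    char line[1024];

    /* Constructed sample inputs: a normal SELECT and an overlong EXAMINE. */
    enum parse_status st = parse_mailbox_command("a001 SELECT INBOX\r\n", &req);
    printf("status=%d command=%s mailbox=%s\n", st, req.command, req.mailbox);

    memcpy(line, "a002 EXAMINE ", 13);
    memset(line + 13, 'A', 300);
    memcpy(line + 313, "\r\n", 3);
    st = parse_mailbox_command(line, &req);
    printf("status=%d (2 = rejected as too long before any copy)\n", st);
    return 0;
}
```

The point of `copy_bounded` is that the limit is `sizeof` the destination, so changing a buffer size changes the check with it; an argument of 300 bytes is rejected cleanly instead of reaching the stack, which is exactly the range the advisory says the original handler mishandled.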

---------------------------- [Exploit Code] ----------------------------
     Exploit code has been written but will be made public later, for
     auditing use only, in IMAPAuditor, a product being developed by
     www.0x36.org
---------------------------- [Exploit Code] ----------------------------


When this attack is performed the IMAP service terminates, but the rest of
the services keep running.
The service has to be started manually before it works properly again.


-----[DETECTION
IMAP4rev1 MDaemon 6.7.8 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above transcript.
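Since the advisory stresses that the overflow is reachable before LOGIN, a monitor watching the client side of IMAP sessions (at a proxy or from a capture) can flag the listed commands when their argument is implausibly long, and record whether the session had authenticated yet. The following is an added example, not something from the advisory or the vendor; the 512-byte alert threshold, the function names and the sample session are assumptions constructed for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the advisory or the vendor. Inspects IMAP client
 * command lines and flags any command from the advisory's list whose argument
 * is implausibly long, noting whether LOGIN had been sent yet. Threshold and
 * names are assumptions made for this example. */
#define ARG_ALERT_LEN 512   /* assumed: legitimate mailbox names are far shorter */
#define CMD_MAX 16

/* Commands named in the advisory. */
static const char *const WATCHED[] = {
    "STATUS", "EXAMINE", "DELETE", "SUBSCRIBE", "UNSUBSCRIBE", "RENAME",
    "LIST", "LSUB", "LOGIN", "CREATE", "SELECT", NULL
};

struct imap_alert {
    char command[CMD_MAX];
    size_t arg_len;
    int pre_auth;   /* 1 if no LOGIN had been sent earlier in the session */
};

/* Split "<tag> <command> <args>": writes the upper-cased command into cmd and
 * returns a pointer to the first argument byte, or NULL on bad syntax. */
static const char *split_command(const char *line, char *cmd, size_t cap)
{
    const char *p = line + strcspn(line, " \r\n");   /* skip the tag */
    while (*p == ' ') p++;
    size_t clen = strcspn(p, " \r\n");
    if (clen == 0 || clen >= cap)
        return NULL;
    for (size_t i = 0; i < clen; i++)
        cmd[i] = (char)toupper((unsigned char)p[i]);
    cmd[clen] = '\0';
    p += clen;
    while (*p == ' ') p++;
    return p;
}

static int is_watched(const char *cmd)
{
    for (size_t i = 0; WATCHED[i]; i++)
        if (strcmp(cmd, WATCHED[i]) == 0)
            return 1;
    return 0;
}

/* Returns 1 and fills *alert when the line should be flagged, else 0.
 * `authenticated` is the caller's view of the session before this line. */
int inspect_imap_line(const char *line, int authenticated, struct imap_alert *alert)
{
    char cmd[CMD_MAX];
    const char *arg = split_command(line, cmd, sizeof cmd);
    if (arg == NULL || !is_watched(cmd))
        return 0;
    size_t alen = strcspn(arg, "\r\n");
    if (alen < ARG_ALERT_LEN)
        return 0;
    memcpy(alert->command, cmd, sizeof cmd);
    alert->arg_len = alen;
    alert->pre_auth = !authenticated;
    return 1;
}

/* Walk one session's client lines in order; returns the number of alerts
 * stored (at most max_alerts). A LOGIN line marks the session as possibly
 * authenticated; a real monitor would confirm that from the server's tagged
 * OK reply rather than assume it. */
size_t scan_session(const char *const *lines, size_t n,
                    struct imap_alert *alerts, size_t max_alerts)
{
    size_t found = 0;
    int authenticated = 0;
    for (size_t i = 0; i < n; i++) {
        struct imap_alert a;
        char cmd[CMD_MAX];
        if (inspect_imap_line(lines[i], authenticated, &a) && found < max_alerts)
            alerts[found++] = a;
        if (split_command(lines[i], cmd, sizeof cmd) && strcmp(cmd, "LOGIN") == 0)
            authenticated = 1;
    }
    return found;
}

/* Build a constructed sample line "<prefix><n x 'A'>\r\n" for demonstration. */
char *make_long_line(char *buf, size_t cap, const char *prefix, size_t n)
{
    size_t plen = strlen(prefix);
    if (plen + n + 3 > cap)
        return NULL;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', n);
    memcpy(buf + plen + n, "\r\n", 3);
    return buf;
}

int main(void)
{
    char pre[1024], post[1024];
    /* Constructed session: one oversized EXAMINE before LOGIN, one SELECT after. */
    const char *const session[] = {
        "a1 CAPABILITY\r\n",
        make_long_line(pre, sizeof pre, "a2 examine ", 600),
        "a3 LOGIN alice secret\r\n",
        make_long_line(post, sizeof post, "a4 SELECT ", 700),
        "a5 LOGOUT\r\n",
    };
    struct imap_alert alerts[8];
    size_t n = scan_session(session, 5, alerts, 8);
    for (size_t i = 0; i < n; i++)
        printf("ALERT %s argument=%zu bytes (%s)\n", alerts[i].command,
               alerts[i].arg_len, alerts[i].pre_auth ? "before LOGIN" : "after LOGIN");
    return 0;
}
```

The pre-authentication flag is what makes an alert actionable here: an oversized argument from a session that never logged in matches the advisory's unauthenticated attack path and is worth higher priority than the same line from an authenticated client.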


-----[WORK AROUNDS
Update to version MERCUR Mailserver 4.2 (SP2)- Fileversion : 4.2.15.0 or higher


-----[VENDOR RESPONSE
Dear Dennis,
Our programmers informed us that they have fixed the problem 
and now they are testing it. I will inform you when a fix is 
available, it should be soon.
Thank you for pointing out this problem to us.
Sincerely,
Alex Ribeiro


-----[DISCLOSURE TIMELINE
10/05/2003 Found the Vulnerability, and made an analysis.
13/05/2003 Reported to Vendor. 
14/05/2003 Received information from Vendor
06/06/2003 Public Disclosure.


-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by Dennis Rand <der@...owarfare.dk>

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages.




