[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3F99BA77.5040702@renater.fr>
From: kostya.kortchinsky at renater.fr (Kostya KORTCHINSKY)
Subject: Vulnerability in MERCUR Mail Server v4.2 SP3 and below
Vulnerability in MERCUR Mail Server v4.2 SP3 and below
------------------------------------------------------
To K-Otik (or any other) : the vulnerability was *not* discovered by
Qualys as stated on your site.
Summary
-------
http://www.atrium-software.com/
MERCUR Mail Server offers the necessary features to provide an efficient
and effective communications medium. These include Security features
using IP-Caching Firewall, NORMAN Virus Control Engine, check open relay
database by using DNS, Remote Configuration via a Web Browser,
Dial-Up-connectivity (Modem, ISDN-Card), dedicated connectivity
(ISDN-Router) or connectivity over the network (Router) to your ISP.
MERCUR Mail Server Version 4.2 is designed for Windows NT 4.0
Workstation and Server, Windows 2000 Professional and Server as well as
Windows XP acquire a email server all the Extras.
Vulnerability
-------------
I have found a vulnerability in MERCUR Mailserver allowing remote
command execution for an unauthenticated user and managed to write a
working exploit for it on a Windows 2000 SP4 French with MERCUR
Mailserver (v4.2 SP3 Unregistered) for Windows NT, giving remote access
to a cmd.exe with System privileges.
The vulnerability is located in the base64 decoding routine which
doesn't check the length of the supplied data and hence decodes and
writes everything it can until nothing is left. But there are cases when
the destination buffer is small enough (and on the stack) so that a
buffer overflow will give us the control of EBP and EIP, and then allow
remote code execution.
For the SMTP component, the command I used in the exploit is "AUTH PLAIN
Base64String". By carefully constructing the buffer to encode ([0x10C
DATA],[EBP],[EIP]), encoding it and sending it, we trigger the overflow
and gain control of code execution. Here is the disassembled source of
the faulty section :
CODE:00424FB8 push eax ; length of data
CODE:00424FB9 lea edx, [ebp+var_10C] ; only 0x10C
bytes above EBP !
CODE:00424FBF push edx ; destination buffer
CODE:00424FC0 push edi ; source buffer
CODE:00424FC1 call base64_decode
(up to you to check the base64 decoding routine)
One can reproduce the fault by connecting to port 25 of the server
(with the telnet client of Win2k or WinXP - not a UNIX one that will
result in a connection closed event) and sending the following query (on
a single line) :
AUTH PLAIN
kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
Server will try to execute code at address 0x90909090 and crash.
Vulnerability is also present in the POP3 module ("AUTH PLAIN" command)
and the IMAP module ("AUTHENTICATE PLAIN" command).
Vendor Response
---------------
Vendor was contacted on October, 7th 2003.
Stefan Sigmund from atrium software international responded to my
initial query :
"We are able to duplicate the problem with POP3 and IMAP4, but not with
SMTP. All three services contain a special buffer checking feature. Very
long commands will be blocked and the connection will be closed
immediatelly. It seems that this feature works well in the SMTP part.
However, we are going to create a patch for that issue. But, we need to
make sure that everything is working well."
Solution
--------
Upgrade to MERCUR Mailserver Version 4.2 - Service Pack 3a which is
available since October, 20th 2003. You might also want to check the
following URLs :
http://www.atrium-software.com/mail%20server/pub/mcr42sp3a.html
http://www.atrium-software.com/download/mercur%20service%20pack.exe
Greetings
---------
Regards to HD Moore for his Vampiric Import shellcode and PEX, that
helped a _lot_ implementing the exploit for this vulnerability.
Greetings to Recca and people in #fr-opers and #fee1dead on EFnet :P
--
Kostya KORTCHINSKY
CERT RENATER
kostya.kortchinsky@...ater.fr
Powered by blists - more mailing lists