| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <003101c53a05$42d7e5e0$0100a8c0@EXPANDERSPC> Date: Tue Apr 5 18:29:04 2005 From: expanders at libero.it (expanders) Subject: MailEnable Imapd remote BoF + Exploit [x0n3-h4ck] -=[--------------------------------ADVISORY---------------------- -=[ -=[ MailEnable Enterprise & Pro remote BoF -=[ -=[ Author: Expanders [expanders@...il.com] -=[ CorryL [corryl80@...il.com] -=[ -=[ www.x0n3-h3ck.org -=[------------------------------------------------------------------------ -=[+] Application: Mail Enable Imapd ( MEIMAP.exe ) -=[+] Version: (Enterprise <= 1.04)-(Professional <= 1.54) -=[+] Vendor's URL: www.mailenable.com -=[+] Platform: Windows -=[+] Bug type: Buffer overflow -=[+] Exploitation: Remote/Local -=[-] -=[+] Author: Expanders ~ expanders[at]gmail[dot]com ~ -=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~ -=[+] Reference: www.x0n3-h4ck.org ..::[ Descriprion ]::.. MailEnable's mail server software provides a powerful, scalable hosted messaging platform for Microsoft Windows. MailEnable offers stability, unsurpassed flexibility and an extensive feature set which allows you to provide cost-effective mail services. ..::[ Bug ]::.. Imapd service is buffer overflow vulnerable at "A001 AUTHENTICATE <buffer>" command. Passing a buffer greater than 1016 bytes will overwrite ECX and EAX register allowing remote attacker to execute arbitraty code on the vulnerable server. ..::[ Proof Of Concept ]::.. A001 AUTHENTICATE "A"x1024 ..::[ Exploit ]::.. Attached or: http://www.x0n3-h4ck.org/upload/x0n3-h4ck_MailEnable_Imapd.c ..::[ Workaround ]::.. There is no workaround ..::[ Path or Fix ]::.. http://www.mailenable.com/hotfix http://www.mailenable.com/hotfix/MEIMSM-HF050404.zip ..::[ Disclousure Timeline ]::.. [02/04/2005] - Vendor notification [03/04/2005] - Vendor Response [03/04/2005] - Hotfix relased by vendor [05/04/2005] - Public disclousure -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050405/e06b3153/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: x0n3-h4ck_MailEnable_Imapd.c Type: application/octet-stream Size: 10596 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050405/e06b3153/x0n3-h4ck_MailEnable_Imapd.obj
Powered by blists - more mailing lists