lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <460015B1.8000106@digit-labs.org>
Date: Tue, 20 Mar 2007 17:11:13 +0000
From: mu-b <mu-b@...it-labs.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Mercur SP4 IMAPD

The attached exploits several signedness bugs in the NTLM implementation
of Mercur IMAPD (www.atrium-software.com) to give the attacker
complete control over a memcpy to a stack variable... (non-authenticated)
In this case, memcpy(buf, src+a, b) with 'a', and 'b' being user controlled
and buf ~7208 bytes.

note due to the most important signedness issue, we can only control 'a' within
the range -65535 < a < 65536...

The result of the PoC is an simple crash trying to copy 0xffffffff bytes...

(d94.1dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0210a108 ebx=0210ac24 ecx=3fffeb08 edx=ffffffff esi=02110000 edi=0210f4e4
eip=0042e0d3 esp=021098c8 ebp=021098d0 iopl=0         nv up ei pl nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010207
*** WARNING: Unable to verify checksum for C:\Program Files\MERCUR\mcrimap4.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MERCUR\mcrimap4.exe -
mcrimap4!_GetExceptDLLinfo+0x2d05f:
0042e0d3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi] es:0023:0210f4e4=00000000 ds:0023:02110000=???????

PoC: http://www.digit-labs.org/files/exploits/mercur-v1.pl
-- 
mu-b
(mu-b@...it-labs.org)

  "Only a few people will follow the proof. Whoever does will
     spend the rest of his life convincing people it is correct."
        - Anonymous, "P ?= NP"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ