MailEnable Buffer Overflow in HTTPMail Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1010107
SecurityTracker URL: http://securitytracker.com/id/1010107
Date: May 10 2004
Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 1.5 - 1.7
Hat-Squad Security Team reported a heap overflow vulnerability in MailEnable in the HTTPMail component. A remote user can execute arbitrary code on the target system.
It is reported that a remote user can send a specially crafted HTTP request that contains more than 4045 bytes to the MEHTTPS service (on port 8080 by default) to trigger a buffer overflow. A remote user can cause the service to crash or execute arbitrary code with SYSTEM level privileges.
The report indicates that the request must contain more than 8500 bytes to trigger the overflow when logging is disabled.
Some demonstration exploit requests are provided:
GET /<4032xA> HTTP/1.1 (while logging is enabled)
GET /<8501xA> (logging is disabled)
The vendor was reportedly notified on May 8, 2004.
The report credits Behrang Fouladi with discovering the flaw and Pejman Davarzani with performing additional research.
The original advisory is available at:
A remote user can cause the HTTPMail service to crash or execute arbitrary code with SYSTEM privileges.
The vendor has issued a fix:
Vendor URL: www.mailenable.com/
Underlying OS: Windows (NT), Windows (2000), Windows (2003), Windows (XP)
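As an added example (not part of the SecurityTracker alert or the Hat-Squad advisory), the two request sizes reported above can be turned into a length check over traffic captured in front of the MEHTTPS port. The function names, verdict labels and sample captures are constructed for illustration, and measuring the first request line without its line ending is an assumption.

```python
"""Flag requests to MEHTTPS (port 8080) whose first line exceeds the advisory's sizes."""
from dataclasses import dataclass

# Byte thresholds quoted in the advisory text.
LIMIT_LOGGING_ON = 4045    # logging enabled (the default)
LIMIT_LOGGING_OFF = 8500   # logging disabled


@dataclass
class Finding:
    src: str
    length: int
    verdict: str


def classify(length: int) -> str:
    if length > LIMIT_LOGGING_OFF:
        return "over-8500"
    if length > LIMIT_LOGGING_ON:
        return "over-4045"
    return "ok"


def request_line(payload: bytes) -> bytes:
    # Assumption: the size is measured on the first line, line ending excluded.
    # A payload with no line ending at all is measured whole.
    return payload.partition(b"\n")[0].rstrip(b"\r")


def scan(captures):
    """captures: iterable of (source address, client bytes sent to the service)."""
    findings = []
    for src, payload in captures:
        length = len(request_line(payload))
        verdict = classify(length)
        if verdict != "ok":
            findings.append(Finding(src, length, verdict))
    return findings


# Constructed sample captures (documentation addresses, filler bytes only).
SAMPLE = [
    ("192.0.2.10", b"PROPFIND /inbox/ HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"),
    ("192.0.2.11", b"GET /" + b"x" * 4031 + b" HTTP/1.1\r\n\r\n"),  # 4045: at limit
    ("192.0.2.66", b"GET /" + b"x" * 4032 + b" HTTP/1.1\r\n\r\n"),  # 4046: over
    ("192.0.2.67", b"x" * 8501),                                    # no line ending
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.src} request line {f.length} bytes: {f.verdict}")
```

A hit on the lower threshold matters on a default install because logging is enabled by default; the higher threshold covers servers where logging has been turned off.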
Source Message Contents
Subject: Remote Heap overflow Vulnerability in MailEnable
May 9, 2004
Hat-Squad Advisory: Remote Heap overflow Vulnerability in MailEnable
Product: MailEnable Messaging Services
Version: MailEnable Professional Edition v1.5 up to v1.7
Vulnerability: Remote Heap overflow in MailEnable HTTPMail
Release Date: 05/09/2004
Informed on 8 May 2004
Response on 9 May 2004
The Professional Version of MailEnable includes an additional mail
access service called HTTPMail. HTTPMail is a mail access protocol based
on WEBDAV that allows you to access your mail from the server without
downloading the mail (as is often the case with POP). This Service
(MEHTTPS) listens on port 8080 by default.
Sending an HTTP request with more than 4045 bytes to the MEHTTPS service will
cause a heap buffer overflow while logging is enabled (by default), and
it's possible for a remote attacker to execute code as SYSTEM or just
simply crash the service. When logging is disabled it requires more than
8500 bytes to cause overflow.
1- GET /<4032xA> HTTP/1.1 (while logging is enabled)
2- <8501xA> (logging is disabled)
As a result, EAX and ECX registers will be overwritten.
MailEnable has released a hotfix for this issue
Discovery: Behrang Fouladi (firstname.lastname@example.org)
Additional Research: Pejman Davarzani (email@example.com)
The Original advisory could be found at: