Category:   Application (E-mail Server)  >   MailEnable
Vendors:   MailEnable Pty. Ltd.
MailEnable Buffer Overflow in HTTPMail Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010107
SecurityTracker URL:  http://securitytracker.com/id/1010107
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 10 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.5 - 1.7
Description:   Hat-Squad Security Team reported a heap overflow vulnerability in MailEnable in the HTTPMail component. A remote user can execute arbitrary code on the target system.

It is reported that a remote user can send a specially crafted HTTP request that contains more than 4045 bytes to the MEHTTPS service (on port 8080 by default) to trigger a buffer overflow. A remote user can cause the service to crash or execute arbitrary code with SYSTEM level privileges.

The report indicates that the request must contain more than 8500 bytes to trigger the overflow when logging is disabled.

Some demonstration exploit requests are provided:

GET /<4032xA> HTTP/1.1 (while logging is enabled)

GET /<8501xA> (logging is disabled)
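
For triage, the size thresholds above can be checked against captured requests sent to the service. The following Python is an added example, not part of the advisory or of MailEnable's code; it assumes the limits apply to the request line, and the record layout, function names and sample addresses are constructed for illustration.

```python
# Added example: flag over-length request lines sent to MEHTTPS.
LIMIT_LOGGING_ENABLED = 4045    # bytes, from the advisory (logging on, the default)
LIMIT_LOGGING_DISABLED = 8500   # bytes, from the advisory (logging off)
MEHTTPS_PORT = 8080             # default port per the advisory; change if reconfigured


def first_line(raw: bytes) -> bytes:
    """Request line without its terminator; the whole buffer if none was captured."""
    return raw.split(b"\n", 1)[0].rstrip(b"\r")


def classify(raw: bytes) -> str:
    """Compare the request-line length (assumption: that is what counts) to both limits."""
    size = len(first_line(raw))
    if size > LIMIT_LOGGING_DISABLED:
        return "exceeds-both-limits"
    if size > LIMIT_LOGGING_ENABLED:
        return "exceeds-logging-enabled-limit"
    return "ok"


def triage(records, port=MEHTTPS_PORT):
    """records: iterable of (src_ip, dst_port, raw_bytes); returns alerts for the service port."""
    alerts = []
    for src, dst_port, raw in records:
        if dst_port != port:
            continue  # traffic to other services is out of scope for this check
        verdict = classify(raw)
        if verdict != "ok":
            alerts.append({"src": src, "bytes": len(first_line(raw)), "verdict": verdict})
    return alerts


# Constructed sample records (documentation addresses, filler data).
SAMPLE = [
    ("192.0.2.10", 8080, b"GET /inbox HTTP/1.1\r\nHost: mail.example\r\n\r\n"),
    ("192.0.2.11", 8080, b"GET /" + b"A" * 4032 + b" HTTP/1.1\r\n\r\n"),
    ("192.0.2.12", 8080, b"A" * 8501),  # no HTTP version and no terminator
    ("192.0.2.13", 80, b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

The same length limit can be enforced at a reverse proxy or filtering device in front of port 8080 until the vendor hotfix is applied.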

The vendor was reportedly notified on May 8, 2004.

The report credits Behrang Fouladi with discovering the flaw and Pejman Davarzani with performing additional research.

The original advisory is available at:

http://www.hat-squad.com/en/000071.html

Impact:   A remote user can cause the HTTPMail service to crash or execute arbitrary code with SYSTEM privileges.
Solution:   The vendor has issued a fix:

http://mailenable.com/hotfix/MEHTTPS.zip

Vendor URL:  www.mailenable.com/
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Remote Heap overflow Vulnerability in MailEnable



May 9, 2004
Hat-Squad Advisory: Remote Heap overflow Vulnerability in MailEnable

Product: MailEnable Messaging Services
Version: MailEnable Professional Edition v1.5 up to v1.7
Vulnerability: Remote Heap overflow in MailEnable HTTPMail
Release Date: 05/09/2004

Vendor Status:
Informed on 8 May 2004
Response on 9 May 2004

Overview:

The Professional Version of MailEnable includes an additional mail
access service called HTTPMail. HTTPMail is a mail access protocol based
on WEBDAV that allows you to access your mail from the server without
downloading the mail (as is often the case with POP). This Service
(MEHTTPS) listens on port 8080 by default.

Sending an HTTP request with more than 4045 bytes to the MEHTTPS service will
cause a heap buffer overflow while logging is enabled (by default), and
it's possible for a remote attacker to execute code as SYSTEM or just
simply crash the service. When logging is disabled it requires more than
8500 bytes to cause the overflow.

Sample:


1- GET /<4032xA> HTTP/1.1 (while logging is enabled)
2- <8501xA> (logging is disabled)


As a result, EAX and ECX registers will be overwritten.


Vendor response:

MailEnable has released a hotfix for this issue
(http://mailenable.com/hotfix/MEHTTPS.zip)


Credits:

Discovery: Behrang Fouladi (behrang@hat-squad.com)
Additional Research: Pejman Davarzani (pejman@hat-squad.com)

The original advisory can be found at:
http://www.hat-squad.com/en/000071.html




 
 

