eXchange POP3 Server Buffer Overflow in SMTP RCPT TO Command Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1015580
SecurityTracker URL: http://securitytracker.com/id/1015580
Date: Feb 3 2006
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes  Vendor Confirmed: Yes  Exploit Included: Yes
Version(s): 5.0 (build 050203)
securma massine from MorX Security Research Team reported a vulnerability in eXchange POP3. A remote user can execute arbitrary code on the target system.
A remote user can connect to the target SMTP service and send a specially crafted SMTP RCPT TO command parameter to trigger a buffer overflow. This can be exploited to execute arbitrary code on the target system.
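The overflow is triggered by an RCPT TO argument far longer than any legitimate address. RFC 5321 caps the forward-path at 256 octets, so a simple length check over SMTP command lines (mail-gateway log, proxy, or IDS feed) separates real recipients from oversized payloads. The following is an added detection example, not code from the advisory or the vendor; the session lines are constructed, and the `oversized_rcpt_lines` and `parse_rcpt_to` names are assumptions.

```python
import re

# RFC 5321 section 4.5.3.1.3: the forward-path (the RCPT TO argument) is at
# most 256 octets, including the angle brackets. Anything well past that is
# not an address; it is a malformed or hostile client.
MAX_PATH_OCTETS = 256
RCPT_RE = re.compile(r"^RCPT\s+TO:\s*(?P<path>.*)$", re.IGNORECASE)


def parse_rcpt_to(line: str):
    """Return the argument of an RCPT TO command line, or None for other commands."""
    m = RCPT_RE.match(line.strip())
    return m.group("path") if m else None


def oversized_rcpt_lines(session_lines, limit=MAX_PATH_OCTETS):
    """Return (line_number, octet_length) for every RCPT TO whose argument exceeds limit."""
    findings = []
    for n, line in enumerate(session_lines, start=1):
        path = parse_rcpt_to(line)
        if path is None:
            continue
        octets = len(path.encode("utf-8"))  # count octets, not characters
        if octets > limit:
            findings.append((n, octets))
    return findings


# Constructed sample session (not captured traffic): one normal recipient,
# then an RCPT TO carrying a 1000-byte filler argument of the kind the
# advisory describes (the 0x41 bytes that ended up in EIP).
SAMPLE_SESSION = [
    "EHLO client.example",
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.net>",
    "RCPT TO:<" + "A" * 1000 + ">",
    "DATA",
]

if __name__ == "__main__":
    for line_no, octets in oversized_rcpt_lines(SAMPLE_SESSION):
        print(f"line {line_no}: RCPT TO argument is {octets} octets (limit {MAX_PATH_OCTETS})")
```

The same check, applied at an SMTP proxy or in the server's own command parser, is the mitigation: reject the command before anything copies the argument into a fixed-size buffer.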
A demonstration exploit command is provided:
The vendor was notified on January 16, 2006.
A demonstration exploit is available at:
A remote user can execute arbitrary code on the target system.
The vendor has issued a fixed version (5.0 build 060125), available at:
Vendor URL: www.exchangepop3.com/
Underlying OS: Windows (Any)
Source Message Contents
Subject: Exchangepop3 v5 rcpt buffer overflow vulnerability
Author: securma massine <firstname.lastname@example.org>
MorX Security Research Team
Product info:
EXchangepop3 is an email gateway (connector) that retrieves messages from Internet POP3
email accounts and delivers them to Exchange Server.
eXchangepop3 is vulnerable to a buffer overflow attack.
Boundary errors in the handling of the RCPT TO (SMTP) command, triggered by sending a large
buffer, allow remote users to set a new instruction pointer, execute arbitrary code
and gain access to the system.
C:\>nc 127.0.0.1 25
220 aaa ESMTP
We have:
eax=00000001 ebx=007334e0 ecx=41414141 edx=7c91eb94 esi=00455a38 edi=0f010001
eip=41414141 esp=0221f750 ebp=00000001 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
41414141 ?? ???
Exchangepop3 v 5.0 (build 050203)
Exploit/Proof of Concept:
The vendor has released a new build fixing the problem:
The build number is 060125.
14/01/2006 initial vendor contact
16/01/2006 vendor received details about the vulnerability
02/02/2006 vendor released the fixed build
This entire document is for educational, testing and demonstration purposes only.
Greets to undisputed and all MorX members.