Category:   Application (E-mail Server)  >   MERCUR Mailserver
Vendors:   Atrium Software International
MERCUR Mailserver NTLM IMAP Command Integer Signedness Bug Permits Remote Code Execution
SecurityTracker Alert ID:  1017798
CVE Reference:   CVE-2007-1578
Updated:  Mar 22 2007
Original Entry Date:  Mar 20 2007
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes
Version(s): 5.00.14
Description:   A vulnerability was reported in MERCUR Mailserver. A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted IMAP NTLM NTLMSSP data to trigger an integer signedness error and potentially execute arbitrary code on the target system.

A demonstration exploit denial of service script is available at:

mu-b at reported this vulnerability.

Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.

Source Message Contents

Subject:  [Full-disclosure] Mercur SP4 IMAPD

The attached exploits several signedness bugs in the NTLM implementation
of Mercur IMAPD ( to give the attacker
complete control over a memcpy to a stack variable... (non-authenticated)
In this case, memcpy(buf, src+a, b) with 'a', and 'b' being user controlled
and buf ~7208 bytes.

Note: due to the most important signedness issue, we can only control 'a' within
the range -65535 < a < 65536...

The result of the PoC is a simple crash trying to copy 0xffffffff bytes...

(d94.1dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0210a108 ebx=0210ac24 ecx=3fffeb08 edx=ffffffff esi=02110000 edi=0210f4e4
eip=0042e0d3 esp=021098c8 ebp=021098d0 iopl=0         nv up ei pl nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010207
*** WARNING: Unable to verify checksum for C:\Program Files\MERCUR\mcrimap4.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\MERCUR\mcrimap4.exe -
0042e0d3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi] es:0023:0210f4e4=00000000 ds:0023:02110000=???????



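The bug class described in the post (a signed comparison on attacker-supplied length and offset fields, followed by a memcpy that receives the negative value as a huge size_t) is illustrated below with an added example. This is not MERCUR's code and not the poster's PoC: it parses a constructed NTLMSSP-style security buffer (16-bit length, 16-bit maximum length, 32-bit offset, which is the real NTLMSSP layout), shows the vulnerable check pattern side by side with a hardened one, and uses the ~7208-byte destination size mentioned in the post. All function names (`vulnerable_copy_len`, `safe_extract`, the `scenario_*` helpers) and the sample messages are assumptions constructed for this example; the vulnerable function only computes what memcpy would have been called with and never performs a copy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Destination size taken from the post's "~7208 bytes" stack buffer (assumed). */
#define DST_SIZE 7208u

/* Little-endian readers for a constructed NTLMSSP-style security buffer header:
   uint16 length, uint16 max length, uint32 offset (from the message start). */
static uint32_t rd16(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8);
}
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build a constructed message: 8-byte header at offset 0, payload right after it. */
static size_t build_msg(uint8_t *out, uint16_t len, uint32_t off, const char *payload)
{
    out[0] = (uint8_t)len;         out[1] = (uint8_t)(len >> 8);
    out[2] = out[0];               out[3] = out[1];            /* max length = length */
    out[4] = (uint8_t)off;         out[5] = (uint8_t)(off >> 8);
    out[6] = (uint8_t)(off >> 16); out[7] = (uint8_t)(off >> 24);
    size_t n = strlen(payload);
    memcpy(out + 8, payload, n);
    return 8 + n;
}

/* Vulnerable pattern (hypothetical, not MERCUR's code): the fields land in signed
   variables, so the range check is a signed compare. 0xFFFF reads as -1 and
   0xFFFF0000 as -65536; both pass "< limit", and memcpy would then receive the
   length as SIZE_MAX and a source pointer before the message. Only the would-be
   arguments are computed here; nothing is copied. */
size_t vulnerable_copy_len(const uint8_t *msg, size_t msg_len, long *src_delta, bool *would_copy)
{
    short len = (short)rd16(msg);      /* implementation-defined, -1 on mainstream compilers */
    int   off = (int)rd32(msg + 4);
    if (len < (int)DST_SIZE && off < (int)msg_len) {
        *would_copy = true;
        *src_delta = off;              /* negative: src + off points outside the message */
        return (size_t)len;            /* -1 converts to SIZE_MAX */
    }
    *would_copy = false;
    *src_delta = 0;
    return 0;
}

/* Hardened extraction: unsigned fields, the source range [off, off+len) must lie
   inside the message (checked without wraparound), and len must fit the destination.
   Returns bytes copied, or -1 when the header is rejected. */
int safe_extract(uint8_t *dst, size_t dst_size, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 8) return -1;                              /* header must be present */
    uint32_t len = rd16(msg);
    uint32_t off = rd32(msg + 4);
    if (off > msg_len || len > msg_len - off) return -1;     /* source inside message */
    if (len > dst_size) return -1;                           /* fits destination */
    memcpy(dst, msg + off, len);
    return (int)len;
}

/* Scenarios on constructed input, each reduced to a checkable return value. */
int scenario_valid(void)                /* 5: "hello" extracted */
{
    uint8_t msg[64], dst[DST_SIZE];
    size_t n = build_msg(msg, 5, 8, "hello");
    int got = safe_extract(dst, sizeof dst, msg, n);
    return (got == 5 && memcmp(dst, "hello", 5) == 0) ? got : -2;
}
int scenario_hardened_rejects(void)     /* -1: hostile header refused */
{
    uint8_t msg[64], dst[DST_SIZE];
    size_t n = build_msg(msg, 0xFFFF, 0xFFFF0000u, "hello");
    return safe_extract(dst, sizeof dst, msg, n);
}
size_t scenario_vulnerable_len(void)    /* SIZE_MAX: the 0xffffffff-byte copy from the post */
{
    uint8_t msg[64]; bool would; long delta;
    size_t n = build_msg(msg, 0xFFFF, 0xFFFF0000u, "hello");
    return vulnerable_copy_len(msg, n, &delta, &would);
}
long scenario_vulnerable_delta(void)    /* -65536: negative offset passes the signed check */
{
    uint8_t msg[64]; bool would; long delta;
    size_t n = build_msg(msg, 0xFFFF, 0xFFFF0000u, "hello");
    vulnerable_copy_len(msg, n, &delta, &would);
    return would ? delta : 0;
}

int main(void)
{
    printf("hardened, valid header: %d bytes\n", scenario_valid());
    printf("hardened, hostile header: %d\n", scenario_hardened_rejects());
    printf("signed check, would memcpy %zu bytes from offset %ld\n",
           scenario_vulnerable_len(), scenario_vulnerable_delta());
    return 0;
}
```

The hardened version keeps every field unsigned and checks `len > msg_len - off` rather than `off + len > msg_len`, so no intermediate sum can wrap; the same shape of check is what a reviewer should look for wherever a length and an offset arrive from the wire together.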