SecurityTracker.com
Category:   Application (E-mail Server)  >   MailEnable
Vendors:   MailEnable Pty. Ltd.
MailEnable Buffer Overflows in FETCH, EXAMINE, and UNSUBSCRIBE Commands Let Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019565
SecurityTracker URL:  http://securitytracker.com/id/1019565
CVE Reference:   CVE-2008-1276, CVE-2008-1277
Updated:  Mar 19 2008
Original Entry Date:  Mar 7 2008
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 3.13 and prior versions
Description:   Several vulnerabilities were reported in MailEnable. A remote authenticated user can execute arbitrary code on the target system.

A remote authenticated user can send specially crafted IMAP command values to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service (MEIMAPS.exe).

The IMAP FETCH, EXAMINE, and UNSUBSCRIBE commands are affected.

A remote user can trigger a null pointer bug by sending specially crafted IMAP SEARCH and APPEND commands to cause the target service to crash.
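
A defender-side check for the command patterns described above, as an added example that is not part of the advisory or the vendor's code: it flags FETCH, EXAMINE and UNSUBSCRIBE lines whose arguments exceed a length limit, and SEARCH or APPEND lines sent with no arguments. The 512-character limit, the function names and the sample lines are assumptions; the advisory does not state an overflow length.

```python
# Assumption: the advisory states no overflow length, so this limit is a
# locally chosen policy value, not a known trigger size.
MAX_ARG_LEN = 512
LENGTH_CHECKED = {"FETCH", "EXAMINE", "UNSUBSCRIBE"}  # buffer-overflow commands
ARGS_REQUIRED = {"SEARCH", "APPEND"}                  # NULL pointer commands


def inspect_imap_line(line, max_arg_len=MAX_ARG_LEN):
    """Return a finding for one client IMAP command line, or None if clean."""
    parts = line.rstrip("\r\n").split(" ", 2)
    if len(parts) < 2:
        return None  # no command word after the tag
    command = parts[1].upper()
    rest = parts[2] if len(parts) > 2 else ""
    if command == "UID":  # "UID FETCH ..." and "UID SEARCH ..." wrap the real command
        sub = rest.strip().split(" ", 1)
        command = sub[0].upper()
        rest = sub[1] if len(sub) > 1 else ""
    args = rest.strip()
    if command in ARGS_REQUIRED and not args:
        return f"{command}: required arguments omitted"
    if command in LENGTH_CHECKED and len(args) > max_arg_len:
        return f"{command}: argument length {len(args)} exceeds {max_arg_len}"
    return None


def scan(lines, max_arg_len=MAX_ARG_LEN):
    """Return (line_number, finding) pairs for every flagged line."""
    findings = []
    for number, line in enumerate(lines, 1):
        finding = inspect_imap_line(line, max_arg_len)
        if finding:
            findings.append((number, finding))
    return findings


# Constructed sample client commands (not captured traffic).
SAMPLE = [
    "a1 LOGIN user pass",
    'a2 EXAMINE "INBOX"',
    "a3 FETCH 1:* (FLAGS)",
    "a4 UNSUBSCRIBE " + "A" * 2000,
    "a5 SEARCH",
    "a6 APPEND",
    "a7 UID FETCH " + "1," * 600,
    "a8 SEARCH ALL",
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE):
        print(f"line {number}: {finding}")
```

The same function can sit in an IMAP proxy or run over session logs; tune `MAX_ARG_LEN` to the longest legitimate mailbox name or fetch specification seen on the server.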

Some demonstration exploit code is available at:

http://aluigi.org/poc/maildisable.zip

Luigi Auriemma reported this vulnerability.

Impact:   A remote authenticated user can execute arbitrary code on the target system.

A remote user can cause denial of service conditions on the target service.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.mailenable.com/
Cause:   Boundary error, State error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Multiple vulnerabilities in MailEnable Professional/Enterprise 3.13


#######################################################################

                             Luigi Auriemma

Application:  MailEnable Professional and Enterprise
              http://www.mailenable.com
Versions:     <= 3.13
Platforms:    Windows
Bugs:         A] multiple post-auth buffer-overflows
              B] NULL pointers
Exploitation: remote, versus the IMAP service
Date:         07 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


MailEnable is a mail server for Windows which supports various
protocols like SMTP, POP3, IMAP, webmail and an HTTPMail service.


#######################################################################

=======
2) Bugs
=======

--------------------------------------
A] multiple post-auth buffer-overflows
--------------------------------------

The IMAP service (MEIMAPS.exe) of MailEnable is affected by some
buffer-overflow vulnerabilities caused by too long parameters passed
to the FETCH, EXAMINE and UNSUBSCRIBE commands allowing an attacker to
execute malicious code.

All the vulnerable commands require an account to be exploited.


----------------
B] NULL pointers
----------------

The IMAP service is affected also by two NULL pointer vulnerabilities
exploitable through the omission of the required arguments for the
SEARCH and APPEND commands, where the first can be used by
unauthenticated attackers too.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/maildisable.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

 
 



Copyright 2019, SecurityGlobal.net LLC