[Full-disclosure] MailEnable Imapd remote BoF + Exploit [x0n3-h4ck]

expanders expanders at libero.it
Tue Apr 5 18:31:09 BST 2005 

-=[--------------------------------ADVISORY----------------------
-=[
-=[    MailEnable Enterprise & Pro remote BoF
-=[
-=[  Author: Expanders  [expanders at gmail.com]
-=[              CorryL     [corryl80 at gmail.com]
-=[
-=[                             www.x0n3-h3ck.org
-=[------------------------------------------------------------------------


-=[+] Application:    Mail Enable Imapd ( MEIMAP.exe )
-=[+] Version:        (Enterprise <= 1.04)-(Professional <= 1.54)
-=[+] Vendor's URL:   www.mailenable.com
-=[+] Platform:       Windows
-=[+] Bug type:       Buffer overflow
-=[+] Exploitation:   Remote/Local
-=[-]
-=[+] Author:         Expanders  ~ expanders[at]gmail[dot]com ~
-=[+] Author:         CorryL     ~  corryl80[at]gmail[dot]com ~
-=[+] Reference:      www.x0n3-h4ck.org


..::[ Descriprion ]::..

MailEnable's mail server software provides a powerful, 
scalable hosted messaging platform for Microsoft Windows. 
MailEnable offers stability, unsurpassed flexibility and 
an extensive feature set which allows you to provide
cost-effective mail services.


..::[ Bug ]::..

Imapd service is buffer overflow vulnerable at "A001 AUTHENTICATE <buffer>" command.
Passing a buffer greater than 1016 bytes will overwrite ECX and EAX register allowing remote 
attacker to execute arbitraty code on the vulnerable server.


..::[ Proof Of Concept ]::..

A001 AUTHENTICATE "A"x1024

..::[ Exploit ]::..

Attached or:

http://www.x0n3-h4ck.org/upload/x0n3-h4ck_MailEnable_Imapd.c

..::[ Workaround ]::..

There is no workaround

..::[ Path or Fix ]::..

http://www.mailenable.com/hotfix
http://www.mailenable.com/hotfix/MEIMSM-HF050404.zip


..::[ Disclousure Timeline ]::..

[02/04/2005] - Vendor notification
[03/04/2005] - Vendor Response
[03/04/2005] - Hotfix relased by vendor
[05/04/2005] - Public disclousure
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050405/e06b3153/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: x0n3-h4ck_MailEnable_Imapd.c
Type: application/octet-stream
Size: 10596 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050405/e06b3153/attachment.obj

Full-Disclosure is hosted and sponsored by Secunia.