[Full-disclosure] Mercur SP4 IMAPD
mu-b at digit-labs.org
Tue Mar 20 17:11:13 GMT 2007
The attached PoC exploits several signedness bugs in the NTLM implementation
of Mercur IMAPD (www.atrium-software.com) to give the attacker
complete control over a memcpy to a stack variable, without authentication.
In this case the call is memcpy(buf, src+a, b), with 'a' and 'b' user controlled
and buf being roughly 7208 bytes.
Note: due to the most important signedness issue, 'a' can only be controlled within
the range -65535 < a < 65536.
The result of the PoC is a simple crash while trying to copy 0xffffffff bytes:
(d94.1dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0210a108 ebx=0210ac24 ecx=3fffeb08 edx=ffffffff esi=02110000 edi=0210f4e4
eip=0042e0d3 esp=021098c8 ebp=021098d0 iopl=0 nv up ei pl nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010207
*** WARNING: Unable to verify checksum for C:\Program Files\MERCUR\mcrimap4.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\MERCUR\mcrimap4.exe -
0042e0d3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] es:0023:0210f4e4=00000000 ds:0023:02110000=???????
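Added here as an illustration of the bug class described above, not code from the advisory or from Mercur: a length read through a signed integer (the path that ends in a 0xffffffff copy) shown beside a bounds-checked extraction. The NTLM security-buffer layout (uint16 length, uint16 max length, uint32 offset), the function names and the sample messages are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 7208   /* size of the stack buffer named in the advisory */

/* Little-endian readers for a constructed NTLM-style security buffer:
 * uint16 length, uint16 max length, uint32 offset (field layout is assumed). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* The flawed pattern: the 16-bit length passes through a signed int, so 0xffff
 * becomes -1 and memcpy is handed (size_t)-1, i.e. 0xffffffff on the 32-bit
 * target. This helper only returns that size; it performs no copy. */
size_t unchecked_copy_size(const uint8_t *field) {
    int len = (int16_t)rd16(field);
    return (size_t)len;
}

/* Hardened extraction: unsigned arithmetic throughout, offset and length
 * validated against the message and the destination before memcpy.
 * Returns bytes copied, or -1 if the field is rejected. */
int extract_checked(const uint8_t *msg, size_t msg_len, const uint8_t *field,
                    uint8_t *buf, size_t buf_len) {
    uint32_t len = rd16(field);
    uint32_t off = rd32(field + 4);
    if (off > msg_len || len > msg_len - off)  /* inside the message, no wrap */
        return -1;
    if (len > buf_len)                         /* fits the destination */
        return -1;
    memcpy(buf, msg + off, len);
    return (int)len;
}

/* Constructed inputs: an 8-byte field header followed by 4 data bytes, a field
 * with length 0xffff, and a field whose offset lies outside the message. */
static const uint8_t sample_msg[]    = {0x04,0x00, 0x04,0x00, 0x08,0x00,0x00,0x00, 'A','B','C','D'};
static const uint8_t bad_len_field[] = {0xff,0xff, 0xff,0xff, 0x08,0x00,0x00,0x00};
static const uint8_t bad_off_field[] = {0x04,0x00, 0x04,0x00, 0x00,0x00,0x00,0x80};
static uint8_t stack_buf[BUF_SIZE];

/* Returns 1 when the checked path accepts the valid field, rejects both
 * malformed ones, and the unchecked path would request a SIZE_MAX copy. */
int run_cases(void) {
    int ok = unchecked_copy_size(bad_len_field) == SIZE_MAX;
    ok &= extract_checked(sample_msg, sizeof sample_msg, sample_msg, stack_buf, BUF_SIZE) == 4
          && memcmp(stack_buf, "ABCD", 4) == 0;
    ok &= extract_checked(sample_msg, sizeof sample_msg, bad_len_field, stack_buf, BUF_SIZE) == -1;
    ok &= extract_checked(sample_msg, sizeof sample_msg, bad_off_field, stack_buf, BUF_SIZE) == -1;
    return ok;
}
```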
(mu-b at digit-labs.org)
"Only a few people will follow the proof. Whoever does will
spend the rest of his life convincing people it is correct."
- Anonymous, "P ?= NP"
Full-Disclosure is hosted and sponsored by Secunia.