Date: Fri, 6 Jun 2003 17:26:32 +0200
From: Dennis Rand <[email protected]>
To: "Vulnwatch@Vulnwatch. Org" <[email protected]>,
Subject: Multiple Buffer Overflow Vulnerabilities Found in MERCUR Mail server v.4.2 (SP2) - IMAP protocol [STATUS, EXAMINE, DELETE, SUBSCRIBE, UNSUBSCRIBE, RENAME, LIST, LSUB, LOGIN, CREATE, SELECT]
Multiple Buffer Overflow Vulnerabilities
Found in MERCUR Mail server v.4.2 (SP2)
http://www.atriumsoftwareusa.com/

Discovered by Dennis Rand
www.Infowarfare.dk
------------------------------------------------------------------------
-----[SUMMARY
Mercur Mail Server is a Windows NT4/2000/XP mail server application,
supporting all the RFC industry standards set for POP3, IMAP4 and SMTP.
A versatile application that offers stability, security and scalability,
designed to meet any size of organization, from the small business to an
enterprise business with thousands of employees or customers.
Mercur Mail Server supports an integrated anti-virus engine by Norman,
Black List or Open Relay connectivity, ODBC connectivity, and remote Windows
GUI and Web administration access. Mercur Mail Server is the ideal solution
for any business.

The problem is multiple buffer overflows in the IMAP4 protocol handling within
the MERCUR IMAP4-Server (v4.02.09), causing the service to shut down.
-----[AFFECTED SYSTEMS
Vulnerable systems:
* MERCUR Mailserver 4.2 (SP2) - File version: 4.2.14.0
Immune systems:
* MERCUR Mailserver 4.2 (SP2) - File version: 4.2.15.0 or higher
-----[SEVERITY
High - An attacker is able to cause a DoS attack on the IMAP protocol,
and the exception handler on the stack is overwritten, allowing
a system compromise with code execution running as SYSTEM.
The reason this is rated HIGH is that there is no need to
log in to the system to conduct this type of attack.
-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The vulnerability is a buffer overflow in the MERCUR IMAP4-Server (v4.02.09).
When a malicious attacker sends a large amount of data as the argument of the
EXAMINE, DELETE, SUBSCRIBE, RENAME, UNSUBSCRIBE, LIST, LSUB, STATUS, LOGIN,
CREATE or SELECT command, the buffer will overflow.
Sending too many bytes into the buffer will instead cause the server
to reject the request and nothing will happen; this is over 8000 chars.
---------------------------- [Exploit Code] ----------------------------
Exploit code has been written but will be made public later, for auditing
use only, as part of the IMAPAuditor product being developed by www.0x36.org.
---------------------------- [Exploit Code] ----------------------------
When this attack is performed the IMAP service terminates, but the rest
of the services keep running.
The service has to be started manually before it works properly again.
-----[DETECTION
IMAP4rev1 MDaemon 6.7.8 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above transcript.
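As a defender-side aid for the condition described above, the following Python scanner (added here; it is not part of the advisory and not the IMAPAuditor tool) reads client-to-server lines of a captured IMAP session and flags the commands this advisory lists when their argument is far longer than any legitimate mailbox name or credential. The 1024-byte threshold and the sample session are constructed assumptions for illustration.

```python
import re

# IMAP commands this advisory lists as overflowing on oversized arguments.
AFFECTED_COMMANDS = {
    "STATUS", "EXAMINE", "DELETE", "SUBSCRIBE", "UNSUBSCRIBE", "RENAME",
    "LIST", "LSUB", "LOGIN", "CREATE", "SELECT",
}

# Assumed threshold (not from the advisory): real mailbox names and logins
# are short, so anything above this is worth an alert or a log entry.
MAX_ARG_LEN = 1024

# "<tag> <COMMAND> [arguments]" as sent by an IMAP client.
_CMD_RE = re.compile(r"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")


def inspect_line(line):
    """Return a finding dict for one client line, or None if it looks normal."""
    m = _CMD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    cmd = m.group("cmd").upper()
    args = m.group("args") or ""
    if cmd in AFFECTED_COMMANDS and len(args) > MAX_ARG_LEN:
        return {"tag": m.group("tag"), "command": cmd, "arg_len": len(args)}
    return None


def scan_session(lines):
    """Scan the client side of a captured IMAP session; return all findings."""
    findings = []
    for line in lines:
        finding = inspect_line(line)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample session (not a real capture): a normal login, an
# oversized SELECT argument, and an oversized argument to an unlisted command.
SAMPLE_SESSION = [
    "a001 LOGIN alice secret",
    "a002 SELECT " + "A" * 4000,
    "a003 NOOP",
    "a004 FETCH " + "B" * 4000,
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION):
        print(finding)  # flags only the a002 SELECT line
```

Note that LOGIN is among the affected commands, so the check has to run on pre-authentication traffic as well.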
-----[WORK AROUNDS
Update to MERCUR Mailserver 4.2 (SP2) - File version: 4.2.15.0 or higher.
-----[VENDOR RESPONSE
Dear Dennis,
Our programmers informed us that they have fixed the problem
and now they are testing it. I will inform you when a fix is
available, it should be soon.
Thank you for pointing out this problem to us.
Sincerely,
Alex Ribeiro
-----[DISCLOSURE TIMELINE
10/05/2003 Found the Vulnerability, and made an analysis.
13/05/2003 Reported to Vendor.
14/05/2003 Received information from Vendor.
06/06/2003 Public Disclosure.
-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by Dennis Rand <[email protected]>.
-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages.