0x36.smartmax
Posted May 23, 2003
Authored by Mark Litchfield, Matrix

Mailmax Version 5 has a buffer overflow condition in its IMAP4 server that can cause the service to stop responding and allows a remote attacker to overwrite the exception handler on the stack. Doing this could allow arbitrary code execution as the SYSTEM user.

tags | advisory, remote, overflow, arbitrary, code execution
SHA-256 | 77a4c3f55a95ea74b2243674c8580202f49806febff62a751e26591ada15dac5

0x36 - Buffer Overflow Vulnerability Found in MailMax Version 5
http://www.smartmax.com
matrix at 0x36.org


<[SUMMARY]>-------------------------------------------------------------------
MailMax is a scalable e-mail server that supports the SMTP, IMAP4 and POP3 protocols.
Its TCP/IP GUI allows server administration from any Internet-connected server.
The Web Admin module allows you to define domain administrators so they can
maintain their own accounts. It also provides anti-spam options.

The problem is a buffer overflow in the IMAP4 service (IMAP4rev1 SmartMax
IMAPMax 5). Triggering it causes the service to stop responding, and the
overflow reaches the exception handler record on the stack, so it can be
overwritten; that allows a system compromise with code execution running as
SYSTEM.

<[AFFECTED SYSTEMS]>----------------------------------------------------------
Vulnerable systems:
* IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.8)

Immune systems:
* IMAP4rev1 SmartMax IMAPMax 5.5

<[SEVERITY]>------------------------------------------------------------------
Medium/High - An attacker is able to cause a DoS attack on the IMAP service.
The reason this is also rated medium is that an attacker has to have
a login on the system to conduct this attack.
In addition, the exception handler on the stack can be overwritten,
allowing a system compromise with code execution running as SYSTEM.

<[DESCRIPTION OF WHAT THE VULNERABILITY IS]>----------------------------------
The vulnerability is a buffer overflow in IMAP4rev1 SmartMax IMAPMax 5.
When a malicious attacker sends an oversized argument to the SELECT command,
the buffer overflows. Sending far too many bytes, however, causes the
server to reject the request, and nothing happens.


The following transcript demonstrates a sample exploitation of the
vulnerability:

--------[ transcript ]-------
nc infowarfare.dk 143
* OK IMAP4rev1 SmartMax IMAPMax 5 Ready
0000 CAPABILITY
* CAPABILITY IMAP4rev1
0000 OK CAPABILITY completed
0001 LOGIN "RealUser@infowarfare.dk" "HereIsMyPassword"
0001 OK User authenticated.
0002 SELECT "aaa...[256]...aaaa"
--------[ transcript ]-------

When this attack is used, a message box pops up on the server with the
text "Buffer overrun detected! - Program: <PATH>\IMAPMax.exe". At that point
the service shuts down and has to be restarted manually from the service
manager.


<[DETECTION]>----------------------------------------------------------------
IMAP4rev1 SmartMax IMAPMax 5 is vulnerable to the above-described attack.
Earlier versions may be susceptible as well. To determine whether a specific
implementation is vulnerable, experiment by following the above transcript.


<[WORK AROUNDS]>-------------------------------------------------------------
The only workaround if you do not want to update your system is to disable
the IMAP service; otherwise I would highly recommend updating to version 5.5 of
MailMax.


<[VENDOR RESPONSE]>----------------------------------------------------------
It's fixed in 5.5, to be released by May 10th.
5.5 is the update to 5.0. It is a free upgrade for owners of 5.0.
Regards,
Eric Weber


<[DISCLOSURE TIMELINE]>------------------------------------------------------
11/04/2003 Received a mail from Mark Litchfield suggesting this could be vulnerable
to a larger buffer being sent. So credits should also go to Mark.
15/04/2003 Made an analysis and found the vulnerability.
28/04/2003 Reported the vulnerability to the vendor (support-at-smartmax.com).
02/05/2003 Received a response from the vendor.
17/05/2003 Public disclosure.


<[ADDITIONAL INFORMATION]>---------------------------------------------------
The vulnerability was discovered and reported by <Matrix at 0x36.org>


<[DISCLAIMER]>---------------------------------------------------------------
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.