Hat-Squad Advisory - A remote heap overflow has been discovered in MailEnable Professional Edition versions 1.5 to 1.7. Sending an HTTP request with more than 4045 bytes to MEHTTPS service will cause a heap buffer overflow while logging is enabled. It is possible for a remote attacker to execute code as SYSTEM.
7fbcb105140f4b9e3648e2b0f3fc89ae526912d8e532e8cfa5260c3bf076c531
May 9, 2004
Hat-Squad Advisory: Remote Heap overflow Vulnerability in MAilEnable
Product: MailEnable Messaging Services
Version: MailEnable Professional Edition v1.5 up to v1.7
Vulnerability: Remote Heap overflow in MailEnable HTTPMail
Release Date: 05/09/2004
Vendor Status:
Informed on 8 May 2004
Response on 9 May 2004
Overview:
The Professional Version of MailEnable includes an additional mail
access service called HTTPMail. HTTPMail is a mail access protocol based
on WEBDAV that allows you to access your mail from the server without
downloading the mail (as is often the case with POP). This Service
(MEHTTPS) listens on port 8080 by default.
Sending a HTTP request with more than 4045 bytes to MEHTTPS service will
cause a heap buffer overflow while logging is enable(by default), and
it's possible for a remote attacker to execute code as SYSTEM or just
simply crash the service. When Logging is disabled it requires more than
8500 bytes to cause overflow.
Sample:
1- GET /<4032xA> HTTP/1.1 (while logging is enabled)
2- <8501xA> (logging is disabled)
As a result, EAX and ECX registers will be overwritten.
Vendor response:
MailEnable has released a hotfix for this issue
(http://mailenable.com/hotfix/MEHTTPS.zip)
Credits:
Discovery: Behrang Fouladi (behrang@hat-squad.com)
Additional Research: Pejman Davarzani (pejman@hat-squad.com)
The Original advisory could be found at:
http://www.hat-squad.com/en/000071.html