
ACSSEC-2005-11-27.txt

Posted Dec 28, 2005
Authored by Tim Shelton

Multiple vulnerabilities have been identified in MailEnable, which may be exploited by remote attackers to cause a denial of service, or could lead to remote execution of code. This issue is due to an error in the IMAP service that does not properly handle specially crafted requests. MailEnable Enterprise Edition version 1.1 and MailEnable Professional version 1.7 are affected.

tags | advisory, remote, denial of service, vulnerability, imap
SHA-256 | 481ca76c4215db7557b60a4a2e982228271b39ec4c72acf01ed9973fc07a5a9e

Re: See-Security Research and Development
"A remote buffer overflow exists in MailEnable Enterprise 1.1 IMAP EXAMINE
command, which allows for post authentication code execution. This
vulnerability affects Mailenable Enterprise 1.1 *without* the ME-10009.EXE
patch."

-- There's a reason why the ME-10009 patch was released. You're welcome!


-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
ACS Security Assessment Advisory - Buffer Overflow

ID: ACSSEC-2005-11-27 - 0x2

Class: Buffer Overflow
Package: MailEnable Enterprise Edition version 1.1
         MailEnable Professional version 1.7
Build: Windows NT/2k/XP/2k3
Reported: Dec 01, 2005
Released: Dec 21, 2005

Remote: Yes
Severity: Medium

Credit: Tim Shelton <security-advisories@acs-inc.com>
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-

-=[ Background

MailEnable's mail server software provides a powerful, scalable
hosted messaging platform for Microsoft Windows. MailEnable
offers stability, unsurpassed flexibility and an extensive
feature set which allows you to provide cost-effective mail
services.


-=[ Technical Description

Multiple vulnerabilities have been identified in MailEnable,
which may be exploited by remote attackers to cause a denial
of service, or could lead to remote execution of code. This
issue is due to an error in the IMAP service that does not
properly handle specially crafted requests.


-=[ Proof of Concepts

IMAP REQUEST: '02 LIST /.:/' + Ax5000
IMAP REQUEST: '02 LSUB' /.:/ ('A' x 5000) request
IMAP REQUEST: '02 UID FETCH /.:/' AX5000 ' FLAGS'
IMAP REQUEST: '02 UID FETCH /...'x5 ' FLAGS'
IMAP REQUEST: '02 UID FETCH '/\'x5000 '

Several others exist and all have been reported to the vendor.

-=[ Solution

According to Peter Fregon of MailEnable Pty. Ltd, these advisories have been
patched in the latest ME-10009 Patch. Any further questions should be
directed towards the vendor.
http://www.mailenable.com/hotfix/default.asp
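
The request shapes listed under Proof of Concepts can also be rejected before they reach the IMAP service, for example at a filtering proxy or when reviewing captured traffic. The following is an added example, not part of the original advisory or of MailEnable's code; the size limits and the function name `inspect` are assumptions, and IMAP literals ({n} continuations) are not handled.

```python
import re

# Assumed limits (not from the advisory or the vendor); tune per deployment.
MAX_LINE = 1024     # bytes allowed in one IMAP command line
MAX_MAILBOX = 255   # bytes allowed in a mailbox name or list pattern

# RFC 3501 sequence-set: numbers or "*", joined by ":" ranges and "," lists.
_NUM = rb"(?:\d+|\*)"
SEQ_SET = re.compile(_NUM + rb"(?::" + _NUM + rb")?(?:," + _NUM + rb"(?::" + _NUM + rb")?)*")
MAILBOX_CMDS = {b"LIST", b"LSUB", b"EXAMINE", b"SELECT"}
SEQ_CMDS = {b"FETCH", b"STORE", b"COPY"}


def inspect(line: bytes) -> list[str]:
    """Return the reasons one IMAP command line should be rejected."""
    reasons = []
    if len(line) > MAX_LINE:
        reasons.append("line too long")
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) < 2:
        return reasons + ["malformed command"]
    cmd, args = parts[1].upper(), parts[2:]
    if cmd == b"UID" and args:              # UID FETCH / UID STORE / UID COPY
        cmd, args = args[0].upper(), args[1:]
    if cmd in SEQ_CMDS:
        # The first argument must be a message set, never a path-like string.
        if not args or not SEQ_SET.fullmatch(args[0]):
            reasons.append("invalid sequence-set")
    elif cmd in MAILBOX_CMDS:
        # Quoted names containing spaces are split here; each piece is still bounded.
        if any(len(a) > MAX_MAILBOX for a in args):
            reasons.append("mailbox argument too long")
    return reasons


# Constructed sample lines: two well-formed, two shaped like the advisory's list.
SAMPLES = [
    b'02 LIST "" "INBOX/*"\r\n',
    b"03 UID FETCH 1:* FLAGS\r\n",
    b"02 LIST /.:/" + b"x" * 2000 + b"\r\n",
    b"02 UID FETCH " + b"/..." * 5 + b" FLAGS\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:40], inspect(sample))
```

The sequence-set check catches the short `UID FETCH` forms that a pure length limit would let through.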

-=[ Credits

Vulnerability originally reported by Tim Shelton

-=[ Similar References

http://www.frsirt.com/english/advisories/2005/2579
http://www.frsirt.com/english/advisories/2005/2484

-=[ ChangeLog

2005-11-27 : Original Advisory
2005-12-01 : Notified Vendor
2005-12-03 : Vendor Response
2005-12-21 : Full Disclosure




-=[ Vendor Response
-----------------------------------------------------------------
Sat 12/3/2005 1:41 AM

Hi,
Thanks for the information. We have posted a hotfix for this at the
following URL:
http://www.mailenable.com/hotfix
We will also be updating our installation kits with this hotfix shortly.

Thanks
Peter Fregon
MailEnable Pty. Ltd.

------
Friday, 2 December 2005 03:02
All -
Below is an internal advisory notification for MailEnable Enterprise Edition
version 1.1 and possibly others. Attached is our Ethical Disclosure
Policy. If you have any further questions, please do not hesitate to
contact us.
Thanks,
Tim Shelton
ACS Security Assessment Engineering

