-=[--------------------------------ADVISORY---------------------- -=[ -=[ MailEnable Enterprise & Pro remote BoF -=[ -=[ Author: Expanders [expanders@gmail.com] -=[ CorryL [corryl80@gmail.com] -=[ -=[ www.x0n3-h3ck.org -=[------------------------------------------------------------------------ -=[+] Application: Mail Enable Imapd ( MEIMAP.exe ) -=[+] Version: (Enterprise <= 1.04)-(Professional <= 1.54) -=[+] Vendor's URL: www.mailenable.com -=[+] Platform: Windows -=[+] Bug type: Buffer overflow -=[+] Exploitation: Remote/Local -=[-] -=[+] Author: Expanders ~ expanders[at]gmail[dot]com ~ -=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~ -=[+] Reference: www.x0n3-h4ck.org ..::[ Descriprion ]::.. MailEnable's mail server software provides a powerful, scalable hosted messaging platform for Microsoft Windows. MailEnable offers stability, unsurpassed flexibility and an extensive feature set which allows you to provide cost-effective mail services. ..::[ Bug ]::.. Imapd service is buffer overflow vulnerable at "A001 AUTHENTICATE " command. Passing a buffer greater than 1016 bytes will overwrite ECX and EAX register allowing remote attacker to execute arbitraty code on the vulnerable server. ..::[ Proof Of Concept ]::.. A001 AUTHENTICATE "A"x1024 ..::[ Exploit ]::.. Attached or: http://www.x0n3-h4ck.org/upload/x0n3-h4ck_MailEnable_Imapd.c ..::[ Workaround ]::.. There is no workaround ..::[ Path or Fix ]::.. http://www.mailenable.com/hotfix http://www.mailenable.com/hotfix/MEIMSM-HF050404.zip ..::[ Disclousure Timeline ]::.. [02/04/2005] - Vendor notification [03/04/2005] - Vendor Response [03/04/2005] - Hotfix relased by vendor [05/04/2005] - Public disclousure