MERCUR Mail server v.4.2 Multiple Buffer Overflow Vulnerabilities (SP2) - IMAP protocol





[STATUS, EXAMINE, DELETE, SUBSCRIBE, UNSUBSCRIBE, RENAME, LIST, LSUB,
LOGIN, CREATE, SELECT]
                      Multiple Buffer Overflow Vulnerabilities
                       Found in MERCUR Mail server v.4.2 (SP2)
                         http://www.atriumsoftwareusa.com/

                            Discovered by Dennis Rand
                               www.Infowarfare.dk
------------------------------------------------------------------------


-----[SUMMARY
Mercur Mail Server is a Windows NT4/2000/XP mail server application,
supporting all the RFC industry standards set for POP3, IMAP4 and SMTP.
A versatile application that offers stability, security and scalability
designed to meet any size organization from the small business to an
enterprise business with thousands of employees or customers.
Mercur Mail Server supports an integrated anti-virus engine by Norman,
Black List or Open Relay connectivity, ODBC connectivity, remote Windows
GUI and Web administration access. Mercur Mail Server
is the ideal solution for any business.

The problem is multiple Buffer Overflows in the IMAP4 protocol, within
the MERCUR IMAP4-Server (v4.02.09), causing the service to shut down.



-----[AFFECTED SYSTEMS
Vulnerable systems:
 * MERCUR Mailserver 4.2 (SP2)- Fileversion : 4.2.14.0

Immune systems:
 * MERCUR Mailserver 4.2 (SP2)- Fileversion : 4.2.15.0 or higher

-----[SEVERITY
High    -     An attacker is able to cause a DoS attack on the IMAP
              protocol, and the exception handler on the stack is
              overwritten, allowing a system compromise with code
              execution running as SYSTEM.
              The reason that this is HIGH is that there is no need to
              log in on the system to conduct this type of attack.



-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The vulnerability is a buffer overflow in the MERCUR IMAP4-Server (v4.02.09).
When a malicious attacker sends a large amount of data into the EXAMINE,
DELETE, SUBSCRIBE, RENAME, UNSUBSCRIBE, LIST, LSUB, STATUS, LOGIN, CREATE
or SELECT commands, the buffer will overflow.
Sending too many bytes into the buffer will cause the server
to reject the request and nothing will happen; this is over 8000 chars.

---------------------------- [Exploit Code] ----------------------------
     Has been made but will be made public later, for auditing use only
        IMAPAuditor, a product being developed by www.0x36.org
---------------------------- [Exploit Code] ----------------------------


When this attack is performed the IMAP service terminates, but the
rest of the services keep running. The service has to be started
manually before it works properly again.


-----[DETECTION
IMAP4rev1 MDaemon 6.7.8 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above
transcript.
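
A defender-side check for the condition described above, added here as an
example (it is not part of the original advisory or of any vendor tool): it
scans captured client-side IMAP lines and flags oversized arguments to the
commands the advisory lists. The function names, the MAX_ARG_BYTES threshold
and the sample lines are assumptions; the advisory gives no minimum length at
which the overflow triggers.

```python
import re

# Commands the advisory lists as affected (LOGIN is reachable before authentication).
AFFECTED = {"STATUS", "EXAMINE", "DELETE", "SUBSCRIBE", "UNSUBSCRIBE", "RENAME",
            "LIST", "LSUB", "LOGIN", "CREATE", "SELECT"}

# Assumed site policy, not a value from the advisory: tune to your mailbox naming.
MAX_ARG_BYTES = 256

# An IMAP literal announcement ({n} or {n+}) at the end of a command line means
# the argument continues as n raw bytes, so the announced size must be checked too.
LITERAL = re.compile(rb"\{(\d+)\+?\}$")


def check_line(line: bytes):
    """Return (command, size) when a client line carries an oversized argument
    to one of the affected commands, otherwise None."""
    parts = line.rstrip(b"\r\n").split(b" ", 2)  # tag, command, remaining arguments
    if len(parts) < 3:
        return None  # no arguments to measure
    cmd = parts[1].decode("ascii", "replace").upper()
    if cmd not in AFFECTED:
        return None
    args = parts[2]
    size = len(args)  # all arguments together, e.g. user and password for LOGIN
    m = LITERAL.search(args)
    if m:
        size = max(size, int(m.group(1)))
    return (cmd, size) if size > MAX_ARG_BYTES else None


def scan(lines):
    """Return [(line_number, command, size), ...] for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        result = check_line(line)
        if result:
            hits.append((number, *result))
    return hits


# Constructed sample of client-to-server lines (not captured traffic).
SAMPLE = [b"a1 LOGIN alice secret\r\n", b"a2 SELECT INBOX\r\n",
          b"a3 EXAMINE " + b"A" * 1200 + b"\r\n", b"a4 NOOP\r\n",
          b"a5 CREATE {4096}\r\n", b"a6 FETCH 1 " + b"B" * 1200 + b"\r\n"]
```
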


-----[WORK AROUNDS
Update to version MERCUR Mailserver 4.2 (SP2)- Fileversion : 4.2.15.0 or
higher


-----[VENDOR RESPONSE
Dear Dennis,
Our programmers informed us that they have fixed the problem
and now they are testing it. I will inform you when a fix is
available, it should be soon.
Thank you for pointing out this problem to us.
Sincerely,
Alex Ribeiro


-----[DISCLOSURE TIMELINE
10/05/2003 Found the Vulnerability, and made an analysis.
13/05/2003 Reported to Vendor.
14/05/2003 Received information from Vendor
06/06/2003 Public Disclosure.


-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by <der@infowarfare.dk>
Dennis Rand

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of
any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages.



