Mercury Mail Transport System AUTH CRAM-MD5 Buffer Overflow Vulnerability
BID:25357
Info
Mercury Mail Transport System AUTH CRAM-MD5 Buffer Overflow Vulnerability
| Bugtraq ID: | 25357 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2007-4440 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 18 2007 12:00AM |
| Updated: | May 07 2015 05:36PM |
| Credit: | eliteb0y is credited with the discovery of this issue. |
| Vulnerable: |
Pegasus Mail Mercury Mail Transport System 4.51 Pegasus Mail Mercury Mail Transport System 4.01b |
| Not Vulnerable: |
Pegasus Mail Mercury/NLM 1.49 Pegasus Mail Mercury/32 4.52 |
Discussion
Mercury Mail Transport System AUTH CRAM-MD5 Buffer Overflow Vulnerability
Mercury Mail Transport System is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks when handling AUTH CRAM-MD5 requests.
Attackers can exploit this issue to execute arbitrary code with the privileges of the user running the application. Successful exploits will compromise the computer. Failed exploit attempts will result in a denial of service.
Versions prior to Mercury/32 v4.52 and Mercury/NLM v1.49 are vulnerable.
UPDATE (August 28, 2007): Symantec has confirmed that this issue is being actively exploited in the wild.
Mercury Mail Transport System is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks when handling AUTH CRAM-MD5 requests.
Attackers can exploit this issue to execute arbitrary code with the privileges of the user running the application. Successful exploits will compromise the computer. Failed exploit attempts will result in a denial of service.
Versions prior to Mercury/32 v4.52 and Mercury/NLM v1.49 are vulnerable.
UPDATE (August 28, 2007): Symantec has confirmed that this issue is being actively exploited in the wild.
Exploit / POC
Mercury Mail Transport System AUTH CRAM-MD5 Buffer Overflow Vulnerability
The W32.Spybot.ATZN worm is known to use this vulnerability.
Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
The following exploits are available:
The W32.Spybot.ATZN worm is known to use this vulnerability.
Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
The following exploits are available:
Solution / Fix
Mercury Mail Transport System AUTH CRAM-MD5 Buffer Overflow Vulnerability
Solution:
The vendor released updates to address this issue. Please see the references for more information.
Pegasus Mail Mercury Mail Transport System 4.51
Solution:
The vendor released updates to address this issue. Please see the references for more information.
Pegasus Mail Mercury Mail Transport System 4.51
-
Pegasi Web Server ms-401c.zip
ftp://ftp.usm.maine.edu/pegasus/mercury32/ms-401c.zip
References
Mercury Mail Transport System AUTH CRAM-MD5 Buffer Overflow Vulnerability
References:
References:
- [Full-disclosure] Mercury SMTPD Remote Preauth Stack Based Overrun (eliteb0y)
- Mercury Mail Transport System (Pegasus Mail)
- Mercury/32 v4.52 / Mercury/NLM v1.49, August 2007 (Pegasus Mail)