Author: securma massine <securma (at) morx (dot) org>
MorX Security Research Team
Product info :
EXchangepop3 is an email gateway (connector) that retrieves messages from
Internet POP3 email accounts and delivers them to Exchange Server.
eXchangepop3 is vulnerable to a buffer overflow attack.
A boundary error in the handling of the SMTP RCPT TO command allows a remote
user who sends an overly large argument to overwrite the instruction pointer,
execute arbitrary code and gain access to the system.
C:>nc 127.0.0.1 25
220 aaa ESMTP
we have :
eax=00000001 ebx=007334e0 ecx=41414141 edx=7c91eb94 esi=00455a38
eip=41414141 esp=0221f750 ebp=00000001 iopl=0 nv up ei pl nz ac po
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
41414141 ?? ???
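The register dump above shows EIP overwritten with 0x41414141 ("AAAA"), the signature of an unbounded copy of the RCPT TO argument into a fixed-size buffer. As an added example that is not part of this advisory or of the eXchangepop3 product, the following Python enforces the RFC 5321 length limits on SMTP envelope commands before an argument is handed to any fixed-size storage, which is the check a gateway or front-end filter should apply. The sample session lines are constructed, and the function names (`check_command`, `filter_session`) are mine.

```python
"""
Defender-side length check for SMTP envelope commands (constructed example).

RFC 5321 section 4.5.3.1 limits a reverse-path or forward-path to 256 octets
(punctuation included) and a command line to 512 octets including CRLF. A
server that enforces these limits before copying the argument anywhere cannot
be driven into the kind of boundary error the advisory describes.
"""
import re

MAX_PATH_OCTETS = 256    # RFC 5321 4.5.3.1.3: forward/reverse path, brackets included
MAX_COMMAND_LINE = 512   # RFC 5321 4.5.3.1.4: whole command line including CRLF

# Matches "RCPT TO:<...>" and "MAIL FROM:<...>" (case-insensitive) and captures
# everything after the colon as the path argument, angle brackets included.
_ENVELOPE_RE = re.compile(r"^(RCPT TO|MAIL FROM):\s*(?P<arg>.*)$", re.IGNORECASE)


def check_command(line: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one raw SMTP command line.

    Length checks are done on the raw octets first, so an oversized line is
    rejected before any parsing or copying of its contents takes place.
    """
    if len(line) > MAX_COMMAND_LINE:
        return False, "500 Line too long"
    # latin-1 decodes every byte to exactly one character, so lengths are preserved.
    text = line.decode("latin-1").rstrip("\r\n")
    m = _ENVELOPE_RE.match(text)
    if not m:
        return True, "not an envelope command"   # other commands are out of scope here
    if len(m.group("arg")) > MAX_PATH_OCTETS:
        return False, "501 Path too long"
    return True, "ok"


def filter_session(lines: list[bytes]) -> list[tuple[int, str]]:
    """Run check_command over a session; return (1-based line number, reason)
    for every line that must be rejected."""
    rejected = []
    for number, line in enumerate(lines, start=1):
        accepted, reason = check_command(line)
        if not accepted:
            rejected.append((number, reason))
    return rejected


# Constructed session: one legitimate envelope, one oversized forward-path.
SAMPLE_SESSION = [
    b"EHLO client.example\r\n",
    b"MAIL FROM:<sender@example.org>\r\n",
    b"RCPT TO:<" + b"A" * 300 + b">\r\n",      # 300-octet path, over the 256 limit
    b"RCPT TO:<postmaster@example.org>\r\n",
]

if __name__ == "__main__":
    for number, reason in filter_session(SAMPLE_SESSION):
        print(f"line {number}: rejected ({reason})")
```

Because the raw-octet check runs before decoding or parsing, the only data that reaches the parser is already within a known bound, and a server whose RCPT TO handler is backed by a fixed-size buffer of at least 256 octets has nothing left to overflow from this command.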
Affected version : Exchangepop3 v 5.0 (build 050203)
Exploit/Proof of Concept:
The vendor has released a new build fixing the problem :
The build number is 060125.
14/01/2006 initial vendor contact
16/01/2006 vendor received details about the vulnerability
02/02/2006 vendor released the fixed build
This entire document is for educational, testing and demonstration purposes.
Greets to undisputed and all MorX members.