MailEnable DoS POC

2007-02-16 / 2007-02-17
Credit: mu-b
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

The POC attached exploits an out of bounds memory read in the NTLM authentication routines of MailEnable Pro/Enterprise. The problem lies in the NTLM_UnPack_Type3 function of MENTLM.dll.

This appears to have been silently "patched" somewhere between versions 2.351 and 2.36-7 (observe the quotes).

(c34.dc0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=8146930b ebx=003a6cc8 ecx=00000040 edx=00000000 esi=8146920b edi=0146b238
eip=0109b4b3 esp=014691e4 ebp=014691ec iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
MENTLM!NTLM_UnPack_Type3+0x3019:
0109b4b3 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]  es:0023:0146b238=00000000  ds:0023:8146920b=????????

---------------------------------------------------------------------------
(mu-b at digit-labs.org)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: maildisable-v5.pl
Type: text/x-perl
Size: 1816 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070214/847cd30d/attachment.bin
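As an added, defender-side illustration (this is neither the scrubbed PoC from the post nor MailEnable's MENTLM.dll code): the bug class described above, an out of bounds read while unpacking an NTLM Type 3 message, is the classic result of trusting the offset/length "security buffer" fields carried inside the message. The C below parses the Type 3 header using the public NTLMSSP AUTHENTICATE layout (signature, type, then six 8-byte Len/MaxLen/Offset fields, little-endian, offsets relative to the message start; that this is what MENTLM.dll parses is an assumption) and refuses any buffer that does not lie entirely inside the received bytes, so nothing like the faulting rep movs can ever read from an attacker-chosen address. The sample messages built by build_sample_type3 are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One NTLMSSP "security buffer" descriptor: Len(2) MaxLen(2) Offset(4). */
typedef struct { uint16_t len; uint16_t maxlen; uint32_t off; } sec_buf;

#define NTLM_T3_NBUF 6   /* LM resp, NT resp, domain, user, workstation, session key */
#define NTLM_T3_HDR_MIN (8 + 4 + 8 * NTLM_T3_NBUF)   /* 60 bytes up to the flags */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounds-checked unpack of a Type 3 header (illustrative, assumed layout).
   Returns 0 on success and fills out[]; every returned buffer is guaranteed
   to lie within msg[0 .. msg_len). Negative return = malformed message. */
int ntlm_unpack_type3(const uint8_t *msg, size_t msg_len, sec_buf out[NTLM_T3_NBUF]) {
    if (msg == NULL || msg_len < NTLM_T3_HDR_MIN) return -1;   /* header truncated */
    if (memcmp(msg, "NTLMSSP\0", 8) != 0) return -2;            /* bad signature   */
    if (rd32(msg + 8) != 3) return -3;                          /* not a Type 3    */
    for (int i = 0; i < NTLM_T3_NBUF; i++) {
        const uint8_t *f = msg + 12 + 8 * i;
        sec_buf b = { rd16(f), rd16(f + 2), rd32(f + 4) };
        /* The check the vulnerable code lacked: offset and offset+len must both
           stay inside the received message. The subtraction form in size_t
           avoids 32-bit wraparound for offsets near UINT32_MAX. */
        if (b.off > msg_len || b.len > msg_len - b.off) return -4;
        out[i] = b;
    }
    return 0;
}

/* Constructed sample: 60-byte header followed by the payload "bob", with the
   user-name field (buffer index 3) pointing at user_off/user_len. Returns the
   total message length, or 0 if cap is too small. */
size_t build_sample_type3(uint8_t *buf, size_t cap, uint32_t user_off, uint16_t user_len) {
    size_t total = NTLM_T3_HDR_MIN + 3;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "NTLMSSP\0", 8);
    buf[8] = 3;                          /* MessageType = 3, little-endian     */
    uint8_t *f = buf + 12 + 8 * 3;       /* user-name security buffer field    */
    f[0] = (uint8_t)(user_len & 0xff);  f[1] = (uint8_t)(user_len >> 8);
    f[2] = f[0];                        f[3] = f[1];          /* MaxLen = Len */
    f[4] = (uint8_t)(user_off & 0xff);         f[5] = (uint8_t)((user_off >> 8) & 0xff);
    f[6] = (uint8_t)((user_off >> 16) & 0xff); f[7] = (uint8_t)((user_off >> 24) & 0xff);
    memcpy(buf + NTLM_T3_HDR_MIN, "bob", 3);
    return total;
}

int main(void) {
    uint8_t m[128];
    sec_buf b[NTLM_T3_NBUF];
    size_t n = build_sample_type3(m, sizeof m, NTLM_T3_HDR_MIN, 3);
    printf("well-formed : rc=%d user=%.*s\n", ntlm_unpack_type3(m, n, b),
           (int)b[3].len, (const char *)(m + b[3].off));
    n = build_sample_type3(m, sizeof m, 0x80000000u, 3);   /* offset far outside */
    printf("bad offset  : rc=%d\n", ntlm_unpack_type3(m, n, b));
    n = build_sample_type3(m, sizeof m, NTLM_T3_HDR_MIN, 4); /* len runs past end */
    printf("bad length  : rc=%d\n", ntlm_unpack_type3(m, n, b));
    return 0;
}
```

The second and third samples are the shapes a fuzzer or a crafted client would send: an offset outside the message and a length that overruns it. Both are rejected before any copy, which is also the behaviour a server should be tested for when an NTLM stack is reviewed.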



Copyright 2020, cxsecurity.com
