Multiple vulnerabilities in MailEnable Professional/Enterprise 3.13

2008.03.11
Risk: Low
Local: No
Remote: Yes
CWE: N/A

####################################################################### Luigi Auriemma Application: MailEnable Professional and Enterprise http://www.mailenable.com Versions: <= 3.13 Platforms: Windows Bugs: A] multiple post-auth buffer-overflows B] NULL pointers Exploitation: remote, versus the IMAP service Date: 07 Mar 2008 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== MailEnable is a mail server for Windows which supports various protocols like SMTP, POP3, IMAP, webmail and a HTTPMail service. ####################################################################### ======= 2) Bugs ======= -------------------------------------- A] multiple post-auth buffer-overflows -------------------------------------- The IMAP service (MEIMAPS.exe) of MailEnable is affected by some buffer-overflow vulnerabilities caused by too long parameters passed to the FETCH, EXAMINE and UNSUBSCRIBE commands allowing an attacker to execute malicious code. All the vulnerable commands require an account to be exploited. ---------------- B] NULL pointers ---------------- The IMAP service is affected also by two NULL pointer vulnerabilities exploitable through the omission of the required arguments for the SEARCH and APPEND commands, where the first can be used by unauthenticated attackers too. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/maildisable.zip ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top