MailEnable Multiple Local Privilege Escalations

Published
Credit
Risk
2017.02.12
hyp3rlinx
Medium
CWE
CVE
Local
Remote
N/A
N/A
Yes
No

[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAILENABLE-MULTIPLE-PRIVILEGE-ESCALATIONS.txt
[+] ISR: ApparitionSec



Vendor:
===================
www.mailenable.com



Products:
============
MailEnable


MailEnable provides Windows Mail Server software with features comparable to Microsoft Exchange. It provides powerful messaging services
like Exchange ActiveSync, IMAP, SMTP, POP3 and collaboration tools such as calendaring (CalDAV), contacts (CardDAV), tasks and notes.



Vulnerability Type:
===================
Local Privilege Escalation (Unquoted Service Path)



CVE Reference:
==============
N/A



Security Issue:
==================

The following MailEnable product services contain multiple local privilege escalation vectors, potentially allowing unprivileged user to
gain code execution as SYSTEM via unquoted service paths.

Reference:
https://www.mailenable.com/Standard-ReleaseNotes.txt


c:\>sc qc MELCS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MELCS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MELSC.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MailEnable List Connector
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem



c:\>sc qc MEMTAS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEMTAS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MEMTA.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MailEnable Mail Transfer Agent
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem



c:\>sc qc MEPOPS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEPOPS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MEPOPS.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MailEnable POP Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem


c:\>sc qc MEPOCS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEPOCS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MEPOC.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MailEnable Postoffice Connector
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem



c:\>sc qc MESMTPCS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MESMTPCS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Mail Enable\Bin64\MESMTPC.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MailEnable SMTP Connector
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem






Disclosure Timeline:
=====================================
Vendor Notification: January 5, 2017
Vendor Acknowledgement: January 5, 2017
Vendor Fix: January 5, 2017
February 12, 2017 : Public Disclosure



Exploit/POC:
============

1) Create EXE named 'Program.exe'


2) Inject 'Program.exe' into the path of the service. After service restart or system reboot, authorized local user can
then execute arbitrary code with elevated privileges as SYSTEM.




Network Access:
===============
Local



Severity:
=========
Medium




[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.

References:

https://www.mailenable.com/Standard-ReleaseNotes.txt


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com