Community Discussions and Support
Mercury Mail Transport System IMAPD SEARCH Buffer Overflow

Hello all

This was also reported tonight on SANS's weekly Consensus Security Vulnerability Alert (Vol. 6 No. 39) and rated Moderate:

(7) MODERATE: Pegasus Mercury/32 IMAP Server SEARCH Command Buffer
Overflow
Affected:
Pegasus Mercury/32 version 4.52 and prior

Description: Pegasus Mercury/32 IMAP is a popular IMAP server for
Microsoft Windows. The server fails to properly handle overlong IMAP
SEARCH commands. A specially crafted IMAP SEARCH command could trigger
a buffer overflow and allow an authenticated user to execute arbitrary
code with the privileges of the vulnerable process (often SYSTEM). A
proof-of-concept for this vulnerability is publicly available. Note that
an attacker would need valid login credentials to exploit this
vulnerability.

Status: Vendor has not confirmed, no updates available.

References:
Proof-of-Concept
http://downloads.securityfocus.com/vulnerabilities/exploits/25733.pl
Wikipedia Article on IMAP
http://en.wikipedia.org/wiki/IMAP
Vendor Home Page
http://www.pmail.com/
SecurityFocus BID
http://www.securityfocus.com/bid/25733
Note that it is listed upfront in the newsletter as Mercury is considered a widely deployed software (a bit of vanity doesn't hurt [;)] ). As you can see, there seems to be a proof of concept out there. I cannot verify myself as I currently have no working installation of Mercury.

The SANS Institute can be contacted from their website at www.sans.org.

Cheers!


Crosspost from the Merc-List:


----------------------------------------------------------------------

TITLE:
Mercury Mail Transport System IMAPD SEARCH Buffer Overflow

SECUNIA ADVISORY ID:
SA26878

VERIFY ADVISORY:
http://secunia.com/advisories/26878/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Mercury Mail Transport System 4.x
http://secunia.com/product/4348/

DESCRIPTION:
void has discovered a vulnerability in Mercury Mail Transport System,
which can be exploited by malicious users to compromise a vulnerable
system.

The vulnerability is caused due to a boundary error within the IMAPD
module when processing the IMAP SEARCH command. This can be exploited
to cause a stack-based buffer overflow via an overly long argument
(over 60 bytes) passed to the affected command.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 4.52. Other versions may
also be affected.

SOLUTION:
Restrict access to trusted users only.

PROVIDED AND/OR DISCOVERED BY:
void, ph4nt0m.org

ORIGINAL ADVISORY:
http://milw0rm.com/exploits/4429



David's reply:

It's a bit of a stretch calling this an "exploit", because it can only be performed if the hacker has a valid login to the server and is already authenticated.

I'd call it more of a bug than an exploit, and will fix it for v4.53.

Cheers!

-- David --

// v4.53 is currently in beta phase 1. //
