Re: See-Security Research and Development
"A remote buffer overflow exists in MailEnable Enterprise 1.1 IMAP EXAMINE command, which allows for post authentication code execution. This vulnerability affects Mailenable Enterprise 1.1 *without* the ME-10009.EXE patch."
-- There's a reason why the ME-10009 patch was released. You're welcome!
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
ACS Security Assessment Advisory - Buffer Overflow
ID: ACSSEC-2005-11-27 - 0x2
Class: Buffer Overflow
Package: MailEnable Enterprise Edition version 1.1
MailEnable Professional version 1.7
Build: Windows NT/2k/XP/2k3
Reported: Dec 01, 2005
Released: Dec 21, 2005
Remote: Yes
Severity: Medium
Credit: Tim Shelton <[EMAIL PROTECTED]>
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
-=[ Background
MailEnable's mail server software provides a powerful, scalable
hosted messaging platform for Microsoft Windows. MailEnable
offers stability, unsurpassed flexibility and an extensive
feature set which allows you to provide cost-effective mail
services.
-=[ Technical Description
Multiple vulnerabilities has been identified in MailEnable,
which may be exploited by remote attackers to cause a denial
of service, or could lead to remote execution of code. This
issue is due to an error in the IMAP service that does not
properly handle specially crafted requests.
-=[ Proof of Concepts
IMAP REQUEST: '02 LIST /.:/' + Ax5000
IMAP REQUEST: '02 LSUB' /.:/ ('A' x 5000) request
IMAP REQUEST: '02 UID FETCH /.:/' AX5000 ' FLAGS'
IMAP REQUEST: '02 UID FETCH /...'x5 ' FLAGS'
IMAP REQUEST: '02 UID FETCH '/\'x5000 '
Several others exist and all have been reported to the vendor.
-=[ Solution
According to Peter Fregon of MailEnable Pty. Ltd, these advisories have been patched in the latest ME-10009 Patch. Any further questions should be directed towards the vendor.
http://www.mailenable.com/hotfix/default.asp
-=[ Credits
Vulnerability originally reported by Tim Shelton
-=[ Similar References
http://www.frsirt.com/english/advisories/2005/2579
http://www.frsirt.com/english/advisories/2005/2484
-=[ ChangeLog
2005-11-27 : Original Advisory
2005-12-01 : Notified Vendor
2005-12-03 : Vendor Response
2005-12-21 : Full Disclosure
-=[ Vendor Response
-----------------------------------------------------------------
Sat 12/3/2005 1:41 AM
Hi,
Thanks for the information. We have posted a hotfix for this at the following URL:
http://www.mailenable.com/hotfix
We will also be updating our installation kits with this hotfix shortly.
Thanks
Peter Fregon
MailEnable Pty. Ltd.
------
Friday, 2 December 2005 03:02
All -
Below is an internal advisory notification for MailEnable Enterprise Edition version 1.1 and possibly others. Attached is our Ethical Disclosure Policy. If you have any further questions, please do not hesitate to contact us.
Thanks,
Tim Shelton
ACS Security Assessment Engineering
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
