May 9, 2004
Hat-Squad Advisory: Remote Heap overflow Vulnerability in MAilEnable

Product: MailEnable Messaging Services
Version: MailEnable Professional Edition v1.5 up to v1.7
Vulnerability: Remote Heap overflow in MailEnable HTTPMail
Release Date: 05/09/2004

Vendor Status:
Informed on 8 May 2004
Response on 9 May 2004

Overview:

The Professional Version of MailEnable includes an additional mail
access service called HTTPMail. HTTPMail is a mail access protocol based
on WEBDAV that allows you to access your mail from the server without
downloading the mail (as is often the case with POP). This Service
(MEHTTPS) listens on port 8080 by default.

Sending a HTTP request with more than 4045 bytes to MEHTTPS service will
cause a heap buffer overflow while logging is enable(by default), and
it's possible for a remote attacker to execute code as SYSTEM or just
simply crash the service. When Logging is disabled it requires more than
8500 bytes to cause overflow.

Sample:


1- GET /<4032xA> HTTP/1.1 (while logging is enabled)
2- <8501xA> (logging is disabled)


As a result, EAX and ECX registers will be overwritten.


Vendor response:

MailEnable has released a hotfix for this issue
(http://mailenable.com/hotfix/MEHTTPS.zip)


Credits:

Discovery: Behrang Fouladi (behrang@hat-squad.com)
Additional Research: Pejman Davarzani (pejman@hat-squad.com)

The Original advisory could be found at:
http://www.hat-squad.com/en/000071.html