[ACSSEC-2005-11-27-0x2] Remote Overflows in Mailenable Enterprise 1.1 / Professional 1.7


Re: See-Security Research and Development
"A remote buffer overflow exists in MailEnable Enterprise 1.1 IMAP EXAMINE command, which allows for post authentication code execution. This vulnerability affects Mailenable Enterprise 1.1 *without* the ME-10009.EXE patch."

-- There's a reason why the ME-10009 patch was released. You're welcome!


-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
ACS Security Assessment Advisory - Buffer Overflow

ID:       ACSSEC-2005-11-27 - 0x2

Class:    Buffer Overflow
Package:  MailEnable Enterprise Edition version 1.1
            MailEnable Professional version 1.7
Build:    Windows NT/2k/XP/2k3
Reported: Dec 01, 2005
Released: Dec 21, 2005

Remote:   Yes
Severity: Medium

Credit:   Tim Shelton <security-advisories@acs-inc.com>
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-

-=[ Background

MailEnable's mail server software provides a powerful, scalable
hosted messaging platform for Microsoft Windows. MailEnable
offers stability, unsurpassed flexibility and an extensive
feature set which allows you to provide cost-effective mail
services.


-=[ Technical Description

Multiple vulnerabilities have been identified in MailEnable,
which may be exploited by remote attackers to cause a denial
of service, or could lead to remote execution of code. This
issue is due to an error in the IMAP service that does not
properly handle specially crafted requests.


-=[ Proof of Concepts

IMAP REQUEST: '02 LIST /.:/' + Ax5000
IMAP REQUEST: '02 LSUB' /.:/ ('A' x 5000) request
IMAP REQUEST: '02 UID FETCH /.:/' AX5000 ' FLAGS'
IMAP REQUEST: '02 UID FETCH /...'x5 ' FLAGS'
IMAP REQUEST: '02 UID FETCH '/\'x5000 '

Several others exist and all have been reported to the vendor.
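
Added example, not part of the original advisory and not MailEnable's code: length-checked parsing of an IMAP request line in C, where an over-long argument like those listed above is rejected before anything is copied into a fixed-size buffer. The limits and the names `imap_parse_line`, `take_token` and `struct imap_req` are assumptions made for the example.

```c
#include <string.h>
/* Limits are assumptions for this example, not MailEnable's values. */
#define MAX_TAG  32
#define MAX_CMD  16
#define MAX_ARGS 255
enum imap_rc { IMAP_OK, IMAP_BAD_SYNTAX, IMAP_TOO_LONG };

struct imap_req {            /* each buffer holds its limit plus a NUL */
    char tag[MAX_TAG + 1];
    char cmd[MAX_CMD + 1];
    char args[MAX_ARGS + 1];
};

/* Copy one space-delimited token; the length is checked before the copy. */
static enum imap_rc take_token(const char **p, const char *end,
                               char *dst, size_t max)
{
    const char *s = *p, *e;
    while (s < end && *s == ' ') s++;
    for (e = s; e < end && *e != ' '; e++) {}
    size_t n = (size_t)(e - s);
    if (n == 0) return IMAP_BAD_SYNTAX;
    if (n > max) return IMAP_TOO_LONG;   /* reject, never truncate or overflow */
    memcpy(dst, s, n);
    dst[n] = '\0';
    *p = e;
    return IMAP_OK;
}

/* Parse "<tag> <command> <args>" from a line of len bytes (CRLF removed). */
enum imap_rc imap_parse_line(const char *line, size_t len, struct imap_req *out)
{
    const char *p = line, *end = line + len;
    enum imap_rc rc;
    memset(out, 0, sizeof *out);
    if ((rc = take_token(&p, end, out->tag, MAX_TAG)) != IMAP_OK) return rc;
    if ((rc = take_token(&p, end, out->cmd, MAX_CMD)) != IMAP_OK) return rc;
    while (p < end && *p == ' ') p++;
    size_t n = (size_t)(end - p);        /* everything left is the argument text */
    if (n > MAX_ARGS) return IMAP_TOO_LONG;
    memcpy(out->args, p, n);
    return IMAP_OK;                      /* args already NUL-terminated by memset */
}

int main(void)
{
    struct imap_req r;
    const char ok[] = "02 LIST \"\" *"; /* constructed sample request */
    return imap_parse_line(ok, sizeof ok - 1, &r) == IMAP_OK ? 0 : 1;
}
```

A server using such a parser would answer `IMAP_TOO_LONG` with a tagged BAD response and log the source address and line length.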

-=[ Solution

According to Peter Fregon of MailEnable Pty. Ltd, these advisories have been patched in the latest ME-10009 Patch. Any further questions should be directed towards the vendor.

http://www.mailenable.com/hotfix/default.asp

-=[ Credits

Vulnerability originally reported by Tim Shelton

-=[ Similar References

http://www.frsirt.com/english/advisories/2005/2579
http://www.frsirt.com/english/advisories/2005/2484

-=[ ChangeLog

2005-11-27 : Original Advisory
2005-12-01 : Notified Vendor
2005-12-03 : Vendor Response
2005-12-21 : Full Disclosure

-=[ Vendor Response
-----------------------------------------------------------------
Sat 12/3/2005 1:41 AM

Hi,
Thanks for the information. We have posted a hotfix for this at the following URL:
http://www.mailenable.com/hotfix
We will also be updating our installation kits with this hotfix shortly.

Thanks
Peter Fregon
MailEnable Pty. Ltd.

------
Friday, 2 December 2005 03:02
All -
Below is an internal advisory notification for MailEnable Enterprise Edition version 1.1 and possibly others. Attached is our Ethical Disclosure Policy. If you have any further questions, please do not hesitate to contact us.

Thanks,
Tim Shelton
ACS Security Assessment Engineering
