MailEnable HTTPS Buffer Overflow [x0n3-h4ck]
-=[--------------------ADVISORY-------------------]=-
-=[ ]=-
-=[ MailEnable Enterprise & Pro remote BoF ]=-
-=[ ]=-
-=[ Author: CorryL www.x0n3-h4ck.org ]=-
-=[ ]=-
-=[-----------------------------------------------]=-
-=[+] Application: MailEnable HTTPMail (MEHTTPS.EXE)
-=[+] Version: (Enterprise <= 1.04)-(Professional <= 1.54)
-=[+] Vendor's URL: http://www.mailenable.com/
-=[+] Platform: Windows
-=[+] Bug type: Buffer overflow
-=[+] Exploitation: Remote/Local
-=[-]
-=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Reference: www.x0n3-h4ck.org ~ irc.xoned.net #x0n3-h4ck
..::[ Descriprion ]::..
MailEnable's mail server software provides a powerful,
scalable hosted messaging platform for Microsoft Windows.
MailEnable offers stability, unsurpassed flexibility and
an extensive feature set which allows you to provide
cost-effective mail services.
..::[ Bug ]::..
This software affection from a buffer overflow on Header Field Definitions
"Authorization: ",
what it would allow to perform some arbitrary code inside the system victim
..::[ Proof Of Concept ]::..
GET / HTTP/1.0
Authorization: Ax270
..::[ Exploit ]::..
http://www.x0n3-h4ck.org/upload/x0n3-h4ck_mailenable_https.pl
..::[ Workaround ]::..
There is no workaround
..::[ Path or Fix ]::..
http://www.mailenable.com/hotfix
..::[ Disclousure Timeline ]::..
[21/04/2005] - Vendor notification
[22/04/2005] - Vendor Response
[22/04/2005] - Patch relase from vendor
[24/04/2005] - Public disclousure
CorryL
corryl80@xxxxxxxxx
www.x0n3-h4ck.org
Italian Security Team
Fax (+39) 02700520894
Tel (+39) 06452215277
irc.xoned.net #x0n3-h4ck
_________________________________
www.seekstat.it is your web stat