[STATUS, EXAMINE, DELETE, SUBSCRIBE, UNSUBSCRIBE, RENAME, LIST, LSUB, LOGIN, CREATE, SELECT] Multiple Buffer Overflow Vulnerabilities Found in MERCUR Mail Server v4.2 (SP2)
http://www.atriumsoftwareusa.com/
Discovered by Dennis Rand
------------------------------------------------------------------------

-----[SUMMARY

Mercur Mail Server is a Windows NT4/2000/XP mail server application supporting all the RFC industry standards set for POP3, IMAP4 and SMTP. A versatile application that offers stability, security and scalability, designed to meet any size of organization, from the small business to an enterprise with thousands of employees or customers. Mercur Mail Server supports an integrated anti-virus engine by Norman, Black List or Open Relay connectivity, ODBC connectivity, and remote Windows GUI and Web administration access. Mercur Mail Server is the ideal solution for any business.

The problem is multiple buffer overflows in the IMAP4 protocol handling of the MERCUR IMAP4-Server (v4.02.09), causing the service to shut down.

-----[AFFECTED SYSTEMS

Vulnerable systems:
* MERCUR Mailserver 4.2 (SP2) - File version: 4.2.14.0

Immune systems:
* MERCUR Mailserver 4.2 (SP2) - File version: 4.2.15.0 or higher

-----[SEVERITY

High - An attacker is able to cause a DoS on the IMAP service, and the exception handler on the stack is overwritten, allowing a system compromise with code execution running as SYSTEM. The reason this is rated HIGH is that there is no need to log in to the system to conduct this type of attack.

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS

The vulnerability is a buffer overflow in the MERCUR IMAP4-Server (v4.02.09). When a malicious attacker sends a large amount of data as the argument to the EXAMINE, DELETE, SUBSCRIBE, RENAME, UNSUBSCRIBE, LIST, LSUB, STATUS, LOGIN, CREATE or SELECT command, the buffer overflows. Sending too many bytes (over 8000 characters) causes the server to reject the request, and nothing happens.
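As an added example (not part of the original advisory or the vendor's code), the following Python check scans client-side IMAP command lines and flags the commands listed above when their argument is unusually long, which is the traffic pattern a detection rule or proxy in front of this server would look for. The 1024-character threshold is an assumed tuning value, and the sample session is constructed.

```python
import re

# The eleven IMAP4 commands the advisory lists as overflowing in MERCUR 4.2 SP2.
VULNERABLE_COMMANDS = {
    "STATUS", "EXAMINE", "DELETE", "SUBSCRIBE", "UNSUBSCRIBE",
    "RENAME", "LIST", "LSUB", "LOGIN", "CREATE", "SELECT",
}

# Assumed tuning value, not from the advisory: legitimate mailbox names and
# logins are far shorter. The advisory only says requests over ~8000
# characters are rejected outright; those attempts are still worth logging.
DEFAULT_THRESHOLD = 1024

# RFC 3501 client command line: <tag> SP <command> [SP <arguments>]
_CMD_RE = re.compile(r"^(?P<tag>\S+) (?P<cmd>[A-Za-z]+)(?: (?P<args>.*))?$")


def parse_imap_command(line):
    """Split a client line into (tag, COMMAND, args); None if it is malformed."""
    m = _CMD_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("tag"), m.group("cmd").upper(), m.group("args") or ""


def check_line(line, threshold=DEFAULT_THRESHOLD):
    """Return a finding for an oversized argument to a listed command, else None."""
    parsed = parse_imap_command(line)
    if parsed is None:
        return None
    tag, cmd, args = parsed
    if cmd not in VULNERABLE_COMMANDS or len(args) <= threshold:
        return None
    return {"tag": tag, "command": cmd, "arg_length": len(args)}


def scan_session(lines, threshold=DEFAULT_THRESHOLD):
    """Scan client-to-server lines of one session and return all findings."""
    return [f for f in (check_line(l, threshold) for l in lines) if f]


# Constructed sample session (not a real capture): normal pre- and post-login
# traffic plus one oversized SELECT argument of the kind the advisory describes.
SAMPLE_SESSION = [
    "a001 LOGIN alice secret",
    'a002 LIST "" *',
    "a003 SELECT " + "A" * 4000,
    "a004 NOOP",
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_SESSION):
        print(finding)
```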

When this attack is performed, the IMAP service terminates, but the rest of the services keep running. The IMAP service has to be started manually before it works properly again.

-----[DETECTION

MERCUR IMAP4-Server (v4.02.09) is vulnerable to the above-described attacks. Earlier versions may be susceptible as well. To determine if a specific implementation is vulnerable, experiment by following the above transcript.

-----[WORK AROUNDS

Update to MERCUR Mailserver 4.2 (SP2) - File version: 4.2.15.0 or higher.

-----[VENDOR RESPONSE

Dear Dennis,

Our programmers informed us that they have fixed the problem and now they are testing it. I will inform you when a fix is available, it should be soon.

Thank you for pointing out this problem to us.

Sincerely,
Alex Ribeiro

-----[DISCLOSURE TIMELINE

10/05/2003 Found the vulnerability and made an analysis.
13/05/2003 Reported to vendor.
14/05/2003 Received information from vendor.
06/06/2003 Public disclosure.

-----[ADDITIONAL INFORMATION

The vulnerability was discovered and reported by Dennis Rand.

-----[DISCLAIMER

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.