MailEnable IMAP mailbox name buffer overflow
mailenable-imap-mailbox-bo (23110)
Description:
MailEnable is vulnerable to a stack-based buffer overflow, caused by improper bounds checking of mailbox names in the IMAP service. By sending an overly long mailbox name with the select, create, delete, rename, subscribe, or unsubscribe command, a remote attacker with valid email authentication credentials could overflow a buffer and execute arbitrary code on the system with elevated privileges.
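A detection sketch for the condition described above, added here as an example (not X-Force or MailEnable code): it parses client IMAP command lines and reports mailbox arguments longer than a policy limit for the six named commands. The 255-character limit, the function names and the sample lines are assumptions; the advisory gives no overflow length.

```python
import re

# The six IMAP commands the advisory names, with the number of mailbox arguments each takes.
MAILBOX_COMMANDS = {"SELECT": 1, "CREATE": 1, "DELETE": 1, "RENAME": 2,
                    "SUBSCRIBE": 1, "UNSUBSCRIBE": 1}
# Assumption: a site policy limit. The advisory does not state the overflow length.
MAX_MAILBOX_LEN = 255
# One IMAP argument: a quoted string, a literal announcement {n} or {n+}, or an atom.
_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"|\{(\d+)\+?\}|([^\s"]+)')


def mailbox_lengths(line):
    """Return (tag, command, [lengths]) for a client line, or None if not relevant."""
    parts = line.strip().split(None, 2)
    if len(parts) < 3 or parts[1].upper() not in MAILBOX_COMMANDS:
        return None
    tag, command = parts[0], parts[1].upper()
    lengths = []
    for quoted, literal, atom in _ARG.findall(parts[2]):
        if literal:
            lengths.append(int(literal))  # size the client declared for the literal
        elif atom:
            lengths.append(len(atom))
        else:
            lengths.append(len(re.sub(r"\\(.)", r"\1", quoted)))  # undo \" and \\
    return tag, command, lengths[:MAILBOX_COMMANDS[command]]


def flag_long_mailboxes(lines, limit=MAX_MAILBOX_LEN):
    """Return (tag, command, length) for every mailbox argument longer than limit."""
    findings = []
    for line in lines:
        parsed = mailbox_lengths(line)
        if parsed:
            tag, command, lengths = parsed
            findings += [(tag, command, n) for n in lengths if n > limit]
    return findings


# Constructed sample of client-to-server IMAP lines (not captured traffic).
SAMPLE = [
    'a1 LOGIN user secret',
    'a2 SELECT "INBOX"',
    'a3 create ' + "A" * 600,
    'a4 RENAME "old" "' + "B" * 300 + '"',
    'a5 SUBSCRIBE {4096}',
]

print(flag_long_mailboxes(SAMPLE))
```

Because the issue is reachable only after authentication, findings are most useful when correlated with the account that issued the command.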
Platforms Affected:
- MailEnable, MailEnable Enterprise Edition 1.x
- MailEnable, MailEnable Professional Edition 1.x
- Microsoft, Windows 2000 Professional
- Microsoft, Windows 2000 Advanced Server
- Microsoft, Windows 2003 Server Web
- Microsoft, Windows 2003 Server Standard
- Microsoft, Windows 2003 Server Enterprise
- Microsoft, Windows NT 4.0 Server
Remedy:
Apply Hotfix ME-10008 dated November 18, 2005, available from the MailEnable Hotfix Download Web page. See References.
Consequences:
Gain Access
References:
- MailEnable Hotfix Download Web page, MailEnable - Hotfix Download Page at http://www.mailenable.com/hotfix/.
- BID-15492: MailEnable IMAP Mailbox Name Buffer Overflow Vulnerability
- CVE-2005-3690: Stack-based buffer overflow in the IMAP service (meimaps.exe) of MailEnable Professional 1.6 and earlier and Enterprise 1.1 and earlier allows remote attackers to execute arbitrary code via a long mailbox name in the (1) select, (2) create, (3) delete, (4) rename, (5) subscribe, or (6) unsubscribe commands.
- FrSIRT/ADV-2005-2484: MailEnable Buffer Overflow and Directory Traversal Vulnerabilities
- OSVDB ID: 20929: MailEnable IMAP Service (MEIMAPS.EXE) Multiple Command Remote Overflow
- SA17633: MailEnable Buffer Overflow and Directory Traversal Vulnerabilities
- SECTRACK ID: 1015239: MailEnable Bugs Let Remote Authenticated Users Execute Arbitrary Code and Create/Delete Directories on the Target System.
Reported:
Nov 18, 2005
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
