Metasploit Toolkit: For Penetration Testing, Exploit Development, and Vulnerability Research

Mercur Messaging is a mail server that supports the most commonly used protocols for e-mail exchange and retrieval, such as SMTP, POP3, and IMAP4. It works on all NT-based versions of Windows (Windows NT 4.0 Workstation/Server, Windows 2000 Professional/Server, Windows 2003 Server and Windows XP Professional).
Mercur Messaging 2005 is available in three editions: Lite, for small offices and small businesses; Standard, for educational institutions and universities; and Enterprise, for ISPs, enterprise businesses, and so on. The Enterprise Edition includes a full set of features, such as an anti-virus gateway, black-list capabilities, anti-spam capabilities, and remote configuration. Over the years, a number of vulnerabilities (both remote and local) have been discovered in different versions of the software, including buffer overflows in the IMAP (www.securityfocus.com/bid/8861), POP (www.securityfocus.com/bid/8889), and SMTP (www.securityfocus.com/bid/2412) services. A directory traversal (www.securityfocus.com/bid/1144) and various buffer overflows have also been discovered in the Web-mail clients (www.securityfocus.com/bid/1056).
As of this writing, the current version is MERCUR Messaging 2005 SP4. A demo version can be downloaded from the vendor's Web site; it expires after 30 days.
The exploit for this case study was published on March 17, 2006 (www.securityfocus.com/bid/17138). It is a classic example of a remote stack overflow on port 143 (IMAP); the vulnerability affects the LOGIN and SELECT commands.
This plug-in, written for the Metasploit Framework, uses the static buffer of the SELECT command, in which the EIP register is controlled by the attacker by supplying an argument of approximately 231 to 240 bytes; the...
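Because the overflow is triggered by an oversized argument to SELECT (and LOGIN), the simplest network-side indicator is an IMAP client command whose argument is far longer than any legitimate mailbox name or credential. The following detector is an added example written for this chapter, not code from the book or from the Metasploit module; it parses captured IMAP client lines, accounts for quoted strings and {n} literal announcements, and flags watched commands whose longest argument reaches an assumed threshold of 200 bytes (a tunable margin below the 231 to 240 bytes the text describes). The sample session is constructed.

```python
import re

# Assumed alert threshold: a margin below the ~231-240 byte range at which EIP
# becomes attacker-controlled, so the alert fires before the overflow size.
OVERSIZE_THRESHOLD = 200
WATCHED = {"LOGIN", "SELECT"}

# tag, command name, optional argument string (one IMAP client line)
IMAP_CMD = re.compile(r'^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$')
# quoted string | {n} literal announcement | bare atom
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|\{(\d+)\}|(\S+)')


def parse_command(line):
    """Split one client line into (tag, COMMAND, args); None if not a command."""
    m = IMAP_CMD.match(line.strip())
    if not m:
        return None
    return m.group("tag"), m.group("cmd").upper(), m.group("args") or ""


def argument_lengths(args):
    """Byte length of each argument; a {n} literal counts as n announced bytes."""
    lengths = []
    for m in TOKEN.finditer(args):
        if m.group(2) is not None:
            lengths.append(int(m.group(2)))      # literal size announced by client
        elif m.group(1) is not None:
            lengths.append(len(m.group(1)))      # contents of the quoted string
        else:
            lengths.append(len(m.group(3)))      # bare atom such as INBOX
    return lengths


def scan_session(lines, threshold=OVERSIZE_THRESHOLD):
    """Return (tag, command, longest_arg_len) for watched commands with an oversized argument."""
    alerts = []
    for line in lines:
        parsed = parse_command(line)
        if not parsed:
            continue
        tag, cmd, args = parsed
        if cmd not in WATCHED:
            continue
        longest = max(argument_lengths(args), default=0)
        if longest >= threshold:
            alerts.append((tag, cmd, longest))
    return alerts


SAMPLE_SESSION = [                      # constructed sample client lines
    'a001 LOGIN "alice" "s3cret"',
    'a002 SELECT INBOX',
    'a003 SELECT ' + 'A' * 235,         # inside the 231-240 byte range from the text
    'a004 SELECT {300}',                # literal announcing a 300-byte mailbox name
    'a005 LOGOUT',
]

if __name__ == "__main__":
    for tag, cmd, size in scan_session(SAMPLE_SESSION):
        print(f"ALERT tag={tag} cmd={cmd} longest_argument={size} bytes")
```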