Metasploit Toolkit: For Penetration Testing, Exploit Development, and Vulnerability Research

MailEnable is a mail server application for the Microsoft Windows platform. It provides full-featured e-mail solutions such as Web Mail, POP, IMAP4, antivirus plug-in capabilities, anti-spam protection, and content filtering. It can be found at www.mailenable.com.
At the end of April 2005, CorryL reported a buffer overflow condition in the MailEnable Web service that affects the Web server component of the MailEnable Enterprise Edition version prior to 1.0.5 and the MailEnable Professional version prior to 1.55. MailEnable Standard Edition does not include the Web server component and is not vulnerable to this buffer overflow.
The vendor has released a patch for this issue available at www.mailenable.com/hotfix/. This flaw, marked as severity critical, is corrected in patch "ME-1002: HTTPMailFix for MailEnable Professional and Enterprise (65k)."
A malicious user can remotely exploit the buffer overflow condition to gain Web server privileges by using a specially crafted Authorization header in a request. A Proof of Concept written in Perl was provided at the time of disclosure and can be downloaded from www.securityfocus.com/data/vulnerabilities/exploits/x0n3-h4ck_mailenable_https.pl. The Proof of Concept takes one argument (that is, the victim's host address or the victim's fully qualified domain name) and, upon success, creates a remote administrator account named "hack" with the password "hack". You can manually test this by issuing the following command: perl x0n3-h4ck_mailenable_https.pl www.victim.com.
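From the defender's side, the useful signal is an Authorization header that no legitimate mail client would send. The following check, added here as an illustration and not part of the PoC or of MailEnable, parses raw HTTP requests and flags Authorization headers that are oversized, contain non-printable bytes, or carry a Basic credential that is not valid base64; the sample requests and the 1024-byte threshold are constructed assumptions, not values from the advisory.

```python
import base64
import binascii

# Constructed sample requests (not captured traffic). The second carries an
# Authorization header far longer than any legitimate Basic credential, the
# third contains raw non-printable bytes where base64 text belongs.
SAMPLE_REQUESTS = [
    "GET /Mail HTTP/1.0\r\nHost: mail.example.test\r\n"
    "Authorization: Basic dXNlcjpzZWNyZXQ=\r\n\r\n",
    "GET /Mail HTTP/1.0\r\nHost: mail.example.test\r\n"
    "Authorization: Basic " + "A" * 4096 + "\r\n\r\n",
    "GET /Mail HTTP/1.0\r\nHost: mail.example.test\r\n"
    "Authorization: Basic \x90\x90\x90\x90not-base64!\r\n\r\n",
]

# Assumed threshold: a Basic credential (base64 of user:password) is rarely
# more than a few hundred bytes; tune against legitimate traffic.
MAX_AUTH_LEN = 1024

def parse_headers(raw):
    """Split a raw HTTP request into (request_line, {lowercase name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_authorization(raw, max_len=MAX_AUTH_LEN):
    """Return a reason string if the Authorization header looks abnormal, else None."""
    _, headers = parse_headers(raw)
    auth = headers.get("authorization")
    if auth is None:
        return None
    if len(auth) > max_len:
        return f"authorization header too long ({len(auth)} bytes)"
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in auth):
        return "non-printable bytes in authorization header"
    scheme, _, credential = auth.partition(" ")
    if scheme.lower() == "basic":
        try:
            base64.b64decode(credential, validate=True)
        except (binascii.Error, ValueError):
            return "basic credential is not valid base64"
    return None

def scan(requests):
    """Run the check over raw requests; return {index: reason} for the hits."""
    hits = {}
    for i, raw in enumerate(requests):
        reason = check_authorization(raw)
        if reason:
            hits[i] = reason
    return hits
```

The same check can be applied to reverse-proxy or IDS-captured request headers in front of the Web mail service; the length limit is a policy choice, not a property of the vulnerable build.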
The most important part of this PoC is how the malicious request is built.
In the following example, you can see a part of the code...