MERCUR Mail Server "offers the necessary features to provide an efficient and effective communications medium. These include Security features using IP-Caching Firewall, NORMAN Virus Control Engine, and check open relay database by using DNS, Remote Configuration via a Web Browser, Dial-Up-connectivity (Modem, ISDN-Card), dedicated connectivity (ISDN-Router) or connectivity over the network (Router) to your ISP".
A vulnerability in MERCUR's base64 decoding, which is supported by the AUTH command, allows remote attackers to trigger a buffer overflow in the program.
Vulnerable systems:
* MERCUR Mail Server v4.2 SP3 and below
Immune systems:
* MERCUR Mail Server v4.2 SP3a
The vulnerability is located in the base64 decoding routine, which does not check the length of the supplied data and hence decodes and writes everything it is given until nothing is left. In some cases the destination buffer is small enough (and on the stack) that the overflow gives control of EBP and EIP, and thus allows remote code execution.
For the SMTP component, the command I used in the exploit is "AUTH PLAIN Base64String". By carefully constructing the buffer to encode ([0x10C DATA],[EBP],[EIP]), encoding it and sending it, we trigger the overflow and gain control of code execution. Here is the disassembled source of the faulty section:
CODE:00424FB8 push eax ; length of data
CODE:00424FB9 lea edx, [ebp+var_10C] ; only 0x10C bytes above EBP !
CODE:00424FBF push edx ; destination buffer
CODE:00424FC0 push edi ; source buffer
CODE:00424FC1 call base64_decode
(Up to you to check the base64 decoding routine)
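As an added example (not MERCUR's code nor the advisory author's), here is what the missing check looks like: a base64 decoder that compares the decoded length against the destination capacity before writing a single byte, with a call site that passes the size of its 0x10C-byte local buffer along with it. AUTH_BUF_SIZE is taken from the disassembly above; the function names are assumptions.

```c
#include <string.h>
/* Added example: a length-checked base64 decoder. The advisory's fault is the
 * absence of the capacity check performed below before the decode loop. */
#define AUTH_BUF_SIZE 0x10C   /* destination size from the disassembly */
static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}
/* Decode len base64 chars from src into dst (cap bytes). Returns the number of
 * bytes written, or -1 if the input is malformed or would not fit in dst. */
int base64_decode_bounded(const char *src, size_t len, unsigned char *dst, size_t cap)
{
    size_t pad, out = 0, i;
    if (len % 4 != 0) return -1;
    if (len == 0) return 0;
    pad = (src[len - 1] == '=') + (src[len - 2] == '=');
    if (len / 4 * 3 - pad > cap) return -1;   /* the check the vulnerable routine lacked */
    for (i = 0; i < len; i += 4) {
        unsigned int acc = 0;
        int n = 0, j;
        for (j = 0; j < 4; j++) {
            char c = src[i + j];
            if (c == '=') {   /* padding: only in the last group, at most two */
                if (i + 4 != len || j < 2 || src[i + 3] != '=') return -1;
                acc <<= 6;
            } else {
                int v = b64_value(c);
                if (v < 0) return -1;
                acc = (acc << 6) | (unsigned int)v;
                n++;
            }
        }
        if (n >= 2) dst[out++] = (unsigned char)(acc >> 16);  /* n symbols */
        if (n >= 3) dst[out++] = (unsigned char)(acc >> 8);   /* yield n-1 */
        if (n == 4) dst[out++] = (unsigned char)acc;          /* bytes     */
    }
    return (int)out;
}
/* The call site from the disassembly, done safely: the local buffer's size
 * travels with it, so an overlong argument is rejected rather than written. */
int handle_auth_plain(const char *b64)
{
    unsigned char creds[AUTH_BUF_SIZE];
    return base64_decode_bounded(b64, strlen(b64), creds, sizeof creds);
}
```

At 0x10C (268) bytes of capacity, 356 base64 characters still decode (267 bytes) while 360 are refused (270 bytes), which is the boundary the original routine never tested.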
One can reproduce the fault by connecting to port 25 of the server (with the telnet client of Win2k or WinXP, not a UNIX one, which will result in a connection-closed event) and sending the following query (on a single line):
The server will try to execute code at address 0x90909090 and crash.
The vulnerability is also present in the POP3 module ("AUTH PLAIN" command) and the IMAP module ("AUTHENTICATE PLAIN" command).
Vendor Response:
The vendor was contacted on October 7th, 2003.
Stefan Sigmund from atrium software international responded to Kostya's initial query:
"We are able to duplicate the problem with POP3 and IMAP4, but not with SMTP. All three services contain a special buffer-checking feature. Very long commands will be blocked and the connection will be closed immediately. It seems that this feature works well in the SMTP part.
However, we are going to create a patch for that issue. But, we need to make sure that everything is working well."