SecuriTeam - Multiple Pre-Authentication Vulnerabilities in MailEnable SMTP

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam
Beyond Security

SecuriTeam Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

Black Box Testing
Vulnerability Assessment
Vulnerability Scanner

	SecuriTeam in Your Inbox

	E-mail this article to a friend

New vulnerability?
New tool?
Tell us

MailEnable's "mail server software provides a powerful, scalable hosted messaging platform for Microsoft Windows. MailEnable offers stability, unsurpassed flexibility and an extensive feature set which allows you to provide cost-effective mail services". Multiple NTLM related pre-authentication vulnerabilities have been discovered in MailEnable's SMTP server, these vulnerabilities can be used to cause the product to execute arbitrary code or to cause it to no longer respond to legitimate requests.

Credit:
The information has been provided by Mu Security.
The original article can be found at: http://labs.musecurity.com/advisories/MU-200609-01.txt

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* MailEnable Professional version 2.0
* MailEnable Enterprise version 2.0

All three pre-authentication vulnerabilities are in the SMTP connector during the NTLM authentication process, two of which can lead to arbitrary code execution on the server. NTLM authentication is disabled by default, but can be turned on by the administrator using the Messaging Manager. NTLM authentication is unavailable in the Standard versions of MailEnable.

The first vulnerability is a buffer overflow while processing the signature field of NTLM Type1 messages, leading to arbitrary code execution.

The second vulnerability is an out of bounds read while processing security buffers in the base64 encoded NTLM Type1 message, leading to a denial of service.

The third vulnerability is an out of bounds read during base64 decoding of Type3 messages, leading to arbitrary code execution.

Vendor Response / Solution:
All users of MailEnable are recommended to immediately apply the hotfixes available from the following URL:
http://www.mailenable.com/hotfix/MESMTP-060930.zip

All hotfixes are available from:
http://www.mailenable.com/hotfix

Mu Security would like to thank the MailEnable team for timely remediation of these vulnerabilities.

History:
09/25/06 - First contact with the vendor
09/27/06 - Hotfix available for the vulnerabilities
09/29/06 - Advisory released

	Trend Micro HouseCall "notifyOnLoadNative()" Vulnerability
	Citrix Broadcast Server login.asp SQL Injection
	Trend Micro HouseCall ActiveX Control Arbitrary Code Execution
	PGP Desktop PGPwded.sys Denial of Service
	Microsoft Hierarchical FlexGrid Control Integer Overflows (MS08-070)
	Microsoft Word Malformed FIB Arbitrary Free Vulnerability (MS08-072)
	CA ARCserve Backup LDBserver Vulnerability
	CA ARCserve Backup RPC "handle_t" Argument Vulnerability
	Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities
	Microsoft Internet Explorer HTML Tag Long File Name Extension Stack Buffer Overflow Vulnerability (MS08-073)
	Microsoft Windows Graphics Device Interface Integer Overflow Vulnerability (MS08-071)
	Microsoft Excel Malformed Object Memoy Corruption Vulnerability (MS08-074)
	Google Chrome MetaCharacter URI Obfuscation Vulnerability
	iPhone Configuration Web Utility for Windows Directory Traversal
	Microsoft Windows Active Directory LDAP Server Information Disclosure Vulnerability