Vulnerabilities > CVE-2003-0264 - Unspecified vulnerability in Seattle LAB Software Slmail 5.1.0.4420
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Multiple buffer overflows in SLMail 5.1.0.4420 allows remote attackers to execute arbitrary code via (1) a long EHLO argument to slmail.exe, (2) a long XTRN argument to slmail.exe, (3) a long string to POPPASSWD, or (4) a long password to the POP3 server.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Exploit-Db
description | Seattle Lab Mail 5.5 POP3 Buffer Overflow. CVE-2003-0264. Remote exploit for windows platform |
id | EDB-ID:16399 |
last seen | 2016-02-01 |
modified | 2010-04-30 |
published | 2010-04-30 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16399/ |
title | Seattle Lab Mail 5.5 - POP3 Buffer Overflow |
Metasploit
description | There exists an unauthenticated buffer overflow vulnerability in the POP3 server of Seattle Lab Mail 5.5 when sending a password with excessive length. Successful exploitation should not crash either the service or the server; however, after initial use the port cannot be reused for successive exploitation until the service has been restarted. Consider using a command execution payload following the bind shell to restart the service if you need to reuse the same port. The overflow appears to occur in the debugging/error reporting section of the slmail.exe executable, and there are multiple offsets that will lead to successful exploitation. This exploit uses 2606, the offset that creates the smallest overall payload. The other offset is 4654. The return address is overwritten with a "jmp esp" call from the application library SLMFC.DLL found in %SYSTEM%\system32\\. This return address works against all version of Windows and service packs. The last modification date on the library is dated 06/02/99. Assuming that the code where the overflow occurs has not changed in some time, prior version of SLMail may also be vulnerable with this exploit. The author has not been able to acquire older versions of SLMail for testing purposes. Please let us know if you were able to get this exploit working against other SLMail versions. |
id | MSF:EXPLOIT/WINDOWS/POP3/SEATTLELAB_PASS |
last seen | 2020-05-23 |
modified | 2017-07-24 |
published | 2007-01-07 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0264 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/pop3/seattlelab_pass.rb |
title | Seattle Lab Mail 5.5 POP3 Buffer Overflow |
Nessus
NASL family | SMTP problems |
NASL id | SLMAIL_SMTP_OVERFLOWS.NASL |
description | The remote host is running a version of the SLmail SMTP server which is vulnerable to various overflows which may allow to execute arbitrary commands on this host or to disable it remotely. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 11593 |
published | 2003-05-07 |
reporter | This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/11593 |
title | SLMail < 5.1.0.4433 Multiple Command Remote Overflows |
code |
|
References
- http://marc.info/?l=bugtraq&m=105232506011335&w=2
- http://marc.info/?l=bugtraq&m=105232506011335&w=2
- http://marc.info/?l=ntbugtraq&m=105233360321895&w=2
- http://marc.info/?l=ntbugtraq&m=105233360321895&w=2
- http://packetstormsecurity.com/files/161526/SLMail-5.1.0.4420-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/161526/SLMail-5.1.0.4420-Remote-Code-Execution.html
- http://www.nextgenss.com/advisories/slmail-vulns.txt
- http://www.nextgenss.com/advisories/slmail-vulns.txt