Vulnerabilities > CVE-2003-0264 - Unspecified vulnerability in Seattle LAB Software Slmail 5.1.0.4420

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

seattle-lab-software

nessus

exploit available

metasploit

NVD

Published: 2003-05-27

Updated: 2021-02-24

Summary

Multiple buffer overflows in SLMail 5.1.0.4420 allows remote attackers to execute arbitrary code via (1) a long EHLO argument to slmail.exe, (2) a long XTRN argument to slmail.exe, (3) a long string to POPPASSWD, or (4) a long password to the POP3 server.

Vulnerable Configurations

Part	Description	Count
Application	Seattle_Lab_Software Seattle LAB Software Slmail 5.1.0.4420	1

Exploit-Db

description	Seattle Lab Mail 5.5 POP3 Buffer Overflow. CVE-2003-0264. Remote exploit for windows platform
id	EDB-ID:16399
last seen	2016-02-01
modified	2010-04-30
published	2010-04-30
reporter	metasploit
source	https://www.exploit-db.com/download/16399/
title	Seattle Lab Mail 5.5 - POP3 Buffer Overflow

Metasploit

description	There exists an unauthenticated buffer overflow vulnerability in the POP3 server of Seattle Lab Mail 5.5 when sending a password with excessive length. Successful exploitation should not crash either the service or the server; however, after initial use the port cannot be reused for successive exploitation until the service has been restarted. Consider using a command execution payload following the bind shell to restart the service if you need to reuse the same port. The overflow appears to occur in the debugging/error reporting section of the slmail.exe executable, and there are multiple offsets that will lead to successful exploitation. This exploit uses 2606, the offset that creates the smallest overall payload. The other offset is 4654. The return address is overwritten with a "jmp esp" call from the application library SLMFC.DLL found in %SYSTEM%\system32\\. This return address works against all version of Windows and service packs. The last modification date on the library is dated 06/02/99. Assuming that the code where the overflow occurs has not changed in some time, prior version of SLMail may also be vulnerable with this exploit. The author has not been able to acquire older versions of SLMail for testing purposes. Please let us know if you were able to get this exploit working against other SLMail versions.
id	MSF:EXPLOIT/WINDOWS/POP3/SEATTLELAB_PASS
last seen	2020-05-23
modified	2017-07-24
published	2007-01-07
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0264
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/pop3/seattlelab_pass.rb
title	Seattle Lab Mail 5.5 POP3 Buffer Overflow

Nessus

NASL family	SMTP problems
NASL id	SLMAIL_SMTP_OVERFLOWS.NASL
description	The remote host is running a version of the SLmail SMTP server which is vulnerable to various overflows which may allow to execute arbitrary commands on this host or to disable it remotely.
last seen	2020-06-01
modified	2020-06-02
plugin id	11593
published	2003-05-07
reporter	This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/11593
title	SLMail < 5.1.0.4433 Multiple Command Remote Overflows
code	# # (C) Tenable Network Security, Inc. # # Refs: # From: "NGSSoftware Insight Security Research" <[email protected]> # To: <[email protected]> # Subject: Multiple Buffer Overflow Vulnerabilities in SLMail (#NISR07052003A) # Date: Wed, 7 May 2003 17:44:22 +0100 # The other issues (POP and POPPASSWD) should be covered by miscflood and pop3_overflows.nasl include( 'compat.inc' ); if(description) { script_id(11593); script_version ("1.20"); script_cve_id("CVE-2003-0264"); script_bugtraq_id(7512, 7515, 7519, 7525, 7526); script_name(english:"SLMail < 5.1.0.4433 Multiple Command Remote Overflows"); script_summary(english:"Overflows the remote SMTP server"); script_set_attribute( attribute:'synopsis', value:"The remote mail server is vulnerable to multiple buffer overflows." ); script_set_attribute( attribute:'description', value:"The remote host is running a version of the SLmail SMTP server which is vulnerable to various overflows which may allow to execute arbitrary commands on this host or to disable it remotely." ); script_set_attribute( attribute:'solution', value:"Upgrade to SLMail 5.1.0.4433 or newer" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Seattle Lab Mail 5.5 POP3 Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute( attribute:'see_also', value:"https://marc.info/?l=bugtraq&m=105232506011335&w=2" ); script_set_attribute(attribute:"plugin_publication_date", value: "2003/05/07"); script_set_attribute(attribute:"vuln_publication_date", value: "2003/05/07"); script_cvs_date("Date: 2018/11/15 20:50:24"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_MIXED_ATTACK); script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc."); script_family(english:"SMTP problems"); script_dependencie("find_service1.nasl", "smtpserver_detect.nasl", "sendmail_expn.nasl"); script_require_ports("Services/smtp", 25); exit(0); } # # The script code starts here # include("global_settings.inc"); include("misc_func.inc"); include("smtp_func.inc"); port = get_service(svc:"smtp", default: 25, exit_on_fail: 1); if (get_kb_item('SMTP/'+port+'/broken')) exit(0); soc = open_sock_tcp(port); if (! soc) exit(1); s = smtp_recv_banner(socket:soc); if(!s)exit(0); if(!egrep(pattern:"^220 .", string:s)) { close(soc); exit(0); } if( safe_checks() ) { if(egrep(pattern:"^220 .SMTP Server SLmail ([0-4]\.\|5\.(0\.\|1\.0\.([0-9][0-9]?[0-9]?[^0-9]\|([0-3]\|4([0-3]\|4([0-2]\|3[0-2]))))))", string:s))security_hole(port); exit(0); } c = string("EHLO ", crap(1999), "\r\n"); send(socket:soc, data:c); s = recv_line(socket:soc, length:1024); close(soc); if (service_is_dead(port: port) > 0) security_hole(port);

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Nessus

References