code | #
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(20866);
script_version("1.18");
script_cvs_date("Date: 2018/07/14 1:59:37");
script_cve_id("CVE-2006-0504");
script_bugtraq_id(16525);
script_name(english:"MailEnable Webmail Malformed Quoted-printable Email DoS (CVE-2006-0504)");
script_summary(english:"Checks for quoted-printable message denial of service vulnerability in MailEnable Webmail");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a denial of service issue." );
script_set_attribute(attribute:"description", value:
"The remote host is running MailEnable, a commercial mail server for
Windows.
According to its banner, using the webmail service bundled with the
version of MailEnable Enterprise Edition on the remote host to view
specially-formatted quoted-printable messages reportedly may result in
100% CPU utilization." );
script_set_attribute(attribute:"see_also", value:"http://www.mailenable.com/enterprisehistory.asp" );
script_set_attribute(attribute:"solution", value:
"Upgrade to MailEnable Enterprise Edition 1.2 or later." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_publication_date", value: "2006/02/09");
script_set_attribute(attribute:"vuln_publication_date", value: "2006/02/01");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:mailenable:mailenable");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
script_dependencies("smtpserver_detect.nasl", "http_version.nasl");
script_require_ports("Services/smtp", 25, "Services/www", 8080);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("smtp_func.inc");
port = get_http_port(default:8080, embedded: 1);
# Make sure banner's from MailEnable.
banner = get_http_banner(port:port);
if (!banner) exit(1, "No HTTP banner on port "+port);
if (!egrep(pattern:"^Server: .*MailEnable", string:banner)) exit(0, "MailEnable is not running on port "+port);
# Check the version number from the SMTP server's banner.
smtp_port = get_kb_item("Services/smtp");
if (!smtp_port) smtp_port = 25;
if (!get_port_state(smtp_port)) exit(0, "Port "+smtp_port+" is closed");
if (get_kb_item('SMTP/'+smtp_port+'/broken')) exit(0, "MTA on port "+smtp_port+" is broken");
banner = get_smtp_banner(port:smtp_port);
if (! banner) exit(1, "No SMTP banner on port "+smtp_port);
if (banner !~ "Mail(Enable| Enable SMTP) Service") exit(0, "MailEnable is not running on port "+smtp_port);
# nb: Standard Edition seems to format version as "1.71--" (for 1.71),
# Professional Edition formats it like "0-1.2-" (for 1.2), and
# Enterprise Edition formats it like "0--1.1" (for 1.1).
ver = eregmatch(pattern:"Version: (0-+)?([0-9][^- ]+)-*", string:banner);
if (!isnull(ver)) {
if (ver[1] == NULL) edition = "Standard";
else if (ver[1] == "0-") edition = "Professional";
else if (ver[1] == "0--") edition = "Enterprise";
}
if (isnull(ver) || isnull(edition)) {
exit(1, "cannot determine edition of MailEnable's SMTP connector service");
}
ver = ver[2];
# nb: Enterprise Edition versions < 1.2 are vulnerable.
if (edition == "Enterprise" && ver =~ "^1\.[0-1]([^0-9]|$)") {
security_warning(port);
}
|