Vulnerabilities > CVE-2006-1255 - Remote Buffer Overflow vulnerability in MERCUR Messaging 2005 IMAP
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Stack-based buffer overflow in the IMAP service in Mercur Messaging 5.0 SP3 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long string to the (1) LOGIN or (2) SELECT command, a different set of attack vectors and possibly a different vulnerability than CVE-2003-1177.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Exploit-Db
description Mercur Mailserver 5.0 SP3 (IMAP) Remote Buffer Overflow Exploit. CVE-2006-1255. Remote exploit for windows platform id EDB-ID:1592 last seen 2016-01-31 modified 2006-03-19 published 2006-03-19 reporter pLL source https://www.exploit-db.com/download/1592/ title Mercur Mailserver 5.0 SP3 IMAP Remote Buffer Overflow Exploit description Mercur Messaging 2005. CVE-2006-1255. Remote exploit for windows platform id EDB-ID:3540 last seen 2016-01-31 modified 2007-03-21 published 2007-03-21 reporter muts source https://www.exploit-db.com/download/3540/ title Mercur Messaging 2005 <= SP4 - IMAP Remote Exploit egghunter mod description Mercur Messaging 2005 IMAP Remote Buffer Overflow Exploit. CVE-2006-1255. Remote exploit for windows platform id EDB-ID:3133 last seen 2016-01-31 modified 2007-01-15 published 2007-01-15 reporter Jacopo Cervini source https://www.exploit-db.com/download/3133/ title Mercur Messaging 2005 IMAP Remote Buffer Overflow Exploit description Mercur Messaging 2005 IMAP Login Buffer Overflow. CVE-2006-1255. Remote exploit for windows platform id EDB-ID:16481 last seen 2016-02-01 modified 2010-08-25 published 2010-08-25 reporter metasploit source https://www.exploit-db.com/download/16481/ title Mercur Messaging 2005 IMAP Login Buffer Overflow description Mercur v5.0 IMAP SP3 SELECT Buffer Overflow. CVE-2006-1255. Remote exploit for windows platform id EDB-ID:16476 last seen 2016-02-01 modified 2010-09-20 published 2010-09-20 reporter metasploit source https://www.exploit-db.com/download/16476/ title Mercur 5.0 - IMAP SP3 SELECT Buffer Overflow
Metasploit
description Mercur v5.0 IMAP server is prone to a remotely exploitable stack-based buffer overflow vulnerability. This issue is due to a failure of the application to properly bounds check user-supplied data prior to copying it to a fixed size memory buffer. Credit to Tim Taylor for discover the vulnerability. id MSF:EXPLOIT/WINDOWS/IMAP/MERCUR_IMAP_SELECT_OVERFLOW last seen 2020-01-14 modified 2017-07-24 published 2006-12-31 references https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1255 reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/imap/mercur_imap_select_overflow.rb title Mercur v5.0 IMAP SP3 SELECT Buffer Overflow description This module exploits a stack buffer overflow in Atrium Mercur IMAP 5.0 SP3. Since the room for shellcode is small, using the reverse ordinal payloads yields the best results. id MSF:EXPLOIT/WINDOWS/IMAP/MERCUR_LOGIN last seen 2020-03-10 modified 2017-07-24 published 2006-12-27 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/imap/mercur_login.rb title Mercur Messaging 2005 IMAP Login Buffer Overflow
Nessus
| NASL family | Gain a shell remotely |
| NASL id | MERCUR_IMAP_BUFFER_OVERFLOW.NASL |
| description | The remote host is running MERCUR Messaging Server / Mailserver, a commercial messaging application for Windows. The IMAP server component of this software fails to properly copy overly-long arguments to LOGIN and SELECT commands, which can be exploited to crash the server and possibly to execute arbitrary code remotely. Note that the services run by default with LOCAL SYSTEM privileges, which means that an unauthenticated attacker can potentially gain complete control of the affected host. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 21116 |
| published | 2006-03-22 |
| reporter | This script is Copyright (C) 2006-2018 Ferdy Riphagen |
| source | https://www.tenable.com/plugins/nessus/21116 |
| title | MERCUR Messaging IMAP Service Multiple Command Remote Overflow |
Packetstorm
data source https://packetstormsecurity.com/files/download/82991/mercur_imap_select_overflow.rb.txt id PACKETSTORM:82991 last seen 2016-12-05 published 2009-11-26 reporter Jacopo Cervini source https://packetstormsecurity.com/files/82991/Mercur-v5.0-IMAP-SP3-SELECT-Buffer-Overflow.html title Mercur v5.0 IMAP SP3 SELECT Buffer Overflow data source https://packetstormsecurity.com/files/download/83031/mercur_login.rb.txt id PACKETSTORM:83031 last seen 2016-12-05 published 2009-11-26 reporter MC source https://packetstormsecurity.com/files/83031/Mercur-Messaging-2005-IMAP-Login-Buffer-Overflow.html title Mercur Messaging 2005 IMAP Login Buffer Overflow
Saint
| bid | 17138 |
| description | MERCUR Messaging IMAP LOGIN command buffer overflow |
| id | mail_imap_mercur |
| osvdb | 23950 |
| title | mercur_imap_login |
| type | remote |
References
- http://seclists.org/fulldisclosure/2006/Mar/1111
- http://seclists.org/fulldisclosure/2006/Mar/1167
- http://secunia.com/advisories/19267
- http://www.osvdb.org/23950
- http://www.securityfocus.com/bid/17138
- http://www.vupen.com/english/advisories/2006/0977
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25290