Vulnerabilities > CVE-2006-6423 - Remote Buffer Overflow vulnerability in MailEnable IMAP Service Login

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

mailenable

critical

nessus

exploit available

metasploit

NVD

Published: 2006-12-12

Updated: 2018-10-17

Summary

Stack-based buffer overflow in the IMAP service for MailEnable Professional and Enterprise Edition 2.0 through 2.35, Professional Edition 1.6 through 1.84, and Enterprise Edition 1.1 through 1.41 allows remote attackers to execute arbitrary code via a pre-authentication command followed by a crafted parameter and a long string, as addressed by the ME-10025 hotfix.

Vulnerable Configurations

Part	Description	Count
Application	Mailenable Mailenable Mailenable Enterprise 1.1 Mailenable Mailenable Enterprise 1.2 Mailenable Mailenable Enterprise 1.11 Mailenable Mailenable Enterprise 1.12 Mailenable Mailenable Enterprise 1.13 Mailenable Mailenable Enterprise 1.14 Mailenable Mailenable Enterprise 1.15 Mailenable Mailenable Enterprise 1.16 Mailenable Mailenable Enterprise 1.17 Mailenable Mailenable Enterprise 1.18 Mailenable Mailenable Enterprise 1.19 Mailenable Mailenable Enterprise 1.21 Mailenable Mailenable Enterprise 1.22 Mailenable Mailenable Enterprise 1.23 Mailenable Mailenable Enterprise 1.24 Mailenable Mailenable Enterprise 1.25 Mailenable Mailenable Enterprise 1.26 Mailenable Mailenable Enterprise 1.27 Mailenable Mailenable Enterprise 1.28 Mailenable Mailenable Enterprise 1.29 Mailenable Mailenable Enterprise 1.30 Mailenable Mailenable Enterprise 1.31 Mailenable Mailenable Enterprise 1.32 Mailenable Mailenable Enterprise 1.33 Mailenable Mailenable Enterprise 1.34 Mailenable Mailenable Enterprise 1.35 Mailenable Mailenable Enterprise 1.36 Mailenable Mailenable Enterprise 1.37 Mailenable Mailenable Enterprise 1.38 Mailenable Mailenable Enterprise 1.39 Mailenable Mailenable Enterprise 1.40 Mailenable Mailenable Enterprise 1.41 Mailenable Mailenable Enterprise 2.35 Mailenable Mailenable Professional 1.84	34

Exploit-Db

description	MailEnable IMAPD (2.35) Login Request Buffer Overflow. CVE-2006-6423. Remote exploit for windows platform
id	EDB-ID:16475
last seen	2016-02-01
modified	2010-04-30
published	2010-04-30
reporter	metasploit
source	https://www.exploit-db.com/download/16475/
title	MailEnable IMAPD 2.35 Login Request Buffer Overflow

Metasploit

description	MailEnable's IMAP server contains a buffer overflow vulnerability in the Login command.
id	MSF:EXPLOIT/WINDOWS/IMAP/MAILENABLE_LOGIN
last seen	2020-03-01
modified	2017-07-24
published	2006-12-11
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6423
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/imap/mailenable_login.rb
title	MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow

Nessus

NASL family	Windows
NASL id	MAILENABLE_ME_10025.NASL
description	The IMAP server bundled with the version of MailEnable installed on the remote host reportedly is affected by multiple and as yet unspecified buffer overflows. Note that it is not currently known whether the issues listed in ME-10023 and ME-10025 require authentication or not, but successful exploitation will allow an attacker to crash the service service or to execute arbitrary code with LOCAL SYSTEM privileges.
last seen	2020-06-01
modified	2020-06-02
plugin id	23783
published	2006-12-10
reporter	This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/23783
title	MailEnable IMAP Server Multiple Buffer Overflow Vulnerabilities (ME-10025)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(23783); script_version("1.16"); script_cvs_date("Date: 2018/07/14 1:59:37"); script_cve_id("CVE-2006-6423", "CVE-2006-6484"); script_bugtraq_id(21492, 21493); script_name(english:"MailEnable IMAP Server Multiple Buffer Overflow Vulnerabilities (ME-10025)"); script_summary(english:"Checks version of MailEnable's MEIMAPS.exe"); script_set_attribute(attribute:"synopsis", value: "The remote IMAP server is affected by multiple buffer overflows." ); script_set_attribute(attribute:"description", value: "The IMAP server bundled with the version of MailEnable installed on the remote host reportedly is affected by multiple and as yet unspecified buffer overflows. Note that it is not currently known whether the issues listed in ME-10023 and ME-10025 require authentication or not, but successful exploitation will allow an attacker to crash the service service or to execute arbitrary code with LOCAL SYSTEM privileges." ); script_set_attribute(attribute:"see_also", value:"http://www.mailenable.com/hotfix/" ); script_set_attribute(attribute:"solution", value: "Apply Hotfix ME-10025." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MailEnable IMAPD (2.34/2.35) Login Request Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2006/12/10"); script_set_attribute(attribute:"patch_publication_date", value: "2006/12/08"); script_set_attribute(attribute:"vuln_publication_date", value: "2006/12/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mailenable:mailenable"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc."); script_dependencies("mailenable_detect.nasl"); script_require_keys("SMB/MailEnable/Installed"); script_require_ports(139, 445); exit(0); } include("misc_func.inc"); if (!get_kb_item("SMB/MailEnable/Installed")) exit(0); if (get_kb_item("SMB/MailEnable/Standard")) prod = "Standard"; if (get_kb_item("SMB/MailEnable/Professional")) prod = "Professional"; else if (get_kb_item("SMB/MailEnable/Enterprise")) prod = "Enterprise"; # Check version of MEIMAPS.exe. if (prod == "Professional" \|\| prod == "Enterprise") { kb_base = "SMB/MailEnable/" + prod; ver = read_version_in_kb(kb_base+"/MEIMAPS/Version"); if (isnull(ver)) exit(0); # nb: file version for MEIMAPS.exe from ME-10025 is 1.0.0.28. if ( ver[0] == 0 \|\| (ver[0] == 1 && ver[1] == 0 && ver[2] == 0 && ver[3] < 28) ) { # Let's make sure the product's version number agrees with what's reportedly affected. # nb: MailEnable version numbers are screwy! ver2 = get_kb_item(kb_base+"/Version"); if (isnull(ver2)) exit(0); if ( # 1.6-1.84 Professional Edition # 2.0-2.35 Professional Edition (prod == "Professional" && ver2 =~ "^(1\.([67]($\|[0-9.])\|8$\|8[0-4])\|2\.([0-2]($\|[0-9.])\|3($\|[0-5])))") \|\| # 1.1-1.41 Enterprise Edition # 2.0-2.35 Enterprise Edition (prod == "Enterprise" && ver2 =~ "^(1\.([1-3]($\|[0-9].)\|4$\|4[01])\|2\.([0-2]($\|[0-9.])\|3($\|[0-5])))") ) security_hole(get_kb_item("SMB/transport")); } }

Packetstorm

data source	https://packetstormsecurity.com/files/download/83125/mailenable_login.rb.txt
id	PACKETSTORM:83125
last seen	2016-12-05
published	2009-11-26
reporter	MC
source	https://packetstormsecurity.com/files/83125/MailEnable-IMAPD-2.35-Login-Request-Buffer-Overflow.html
title	MailEnable IMAPD (2.35) Login Request Buffer Overflow

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Nessus

Packetstorm

References