-=[--------------------------------ADVISORY----------------------
-=[
-=[    MailEnable Enterprise & Pro remote BoF
-=[
-=[  Author: Expanders  [expanders@gmail.com]
-=[              CorryL     [corryl80@gmail.com]
-=[
-=[                             www.x0n3-h3ck.org
-=[------------------------------------------------------------------------


-=[+] Application:    Mail Enable Imapd ( MEIMAP.exe )
-=[+] Version:        (Enterprise <= 1.04)-(Professional <= 1.54)
-=[+] Vendor's URL:   www.mailenable.com
-=[+] Platform:       Windows
-=[+] Bug type:       Buffer overflow
-=[+] Exploitation:   Remote/Local
-=[-]
-=[+] Author:         Expanders  ~ expanders[at]gmail[dot]com ~
-=[+] Author:         CorryL     ~  corryl80[at]gmail[dot]com ~
-=[+] Reference:      www.x0n3-h4ck.org


..::[ Descriprion ]::..

MailEnable's mail server software provides a powerful, 
scalable hosted messaging platform for Microsoft Windows. 
MailEnable offers stability, unsurpassed flexibility and 
an extensive feature set which allows you to provide
cost-effective mail services.


..::[ Bug ]::..

Imapd service is buffer overflow vulnerable at "A001 AUTHENTICATE <buffer>" command.
Passing a buffer greater than 1016 bytes will overwrite ECX and EAX register allowing remote 
attacker to execute arbitraty code on the vulnerable server.


..::[ Proof Of Concept ]::..

A001 AUTHENTICATE "A"x1024

..::[ Exploit ]::..

Attached or:

http://www.x0n3-h4ck.org/upload/x0n3-h4ck_MailEnable_Imapd.c

..::[ Workaround ]::..

There is no workaround

..::[ Path or Fix ]::..

http://www.mailenable.com/hotfix
http://www.mailenable.com/hotfix/MEIMSM-HF050404.zip


..::[ Disclousure Timeline ]::..

[02/04/2005] - Vendor notification
[03/04/2005] - Vendor Response
[03/04/2005] - Hotfix relased by vendor
[05/04/2005] - Public disclousure