CVE-2004-2501
Published 2004-12-31
Priority P3 · 45 · high · 7.5 CVSS 2.0 · AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT (public exploit exists)
EPSS: 14.06% (96.1th percentile)
Buffer overflow in the IMAP service of MailEnable Professional Edition 1.52 and Enterprise Edition 1.01 allows remote attackers to execute arbitrary code via (1) a long command string or (2) a long string to the MEIMAP service and then terminating the connection.
Affected (2 ranges; no version bounds recorded)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mailenable | mailenable_enterprise | — | — |
| mailenable | mailenable_professional | — | — |
Detection & IOCs (extracted from sources)
Byte pattern (shellcode decoder stub):
\xEB\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF\xFF
- Detect oversized IMAP command strings (~8202+ bytes) sent to port 143 and aimed at the MailEnable IMAP service; the payload begins with the 3 bytes '\x41\x41\x41' followed by shellcode and padding up to 8202 bytes total before the CALL EDI return address.
- After successful exploitation the attacker connects to a bind shell on TCP port 101 on the victim host; monitor for unexpected inbound/outbound connections on port 101.
- XOR-encoded shellcode (key 0x88) is embedded in the oversized IMAP payload; the decoder stub starts with \xEB\x0F and stops when it reaches the plaintext marker 'hack' (\x68\x61\x63\x6B) that follows the encoded body, so that marker is present verbatim in the payload.
- The exploit targets the MailEnable Professional v1.52 and Enterprise v1.01 IMAP service (MEIMAP/MEAISP); alert on long command strings, or on abrupt connection termination after a large data send to port 143.
- Caveat: the CALL EDI return address (0x10018c7a in MEAISP.dll) is described as 'Universal' for Win2k/NT4 but was only confirmed tested on Win2k SP4 Pro English, Win2k SP4 Pro French and Win2k SP4 Server English; it may not apply to other OS versions.
- Caveat: the exploit payload size is hardcoded at 8202 bytes total (3 leading 0x41 bytes, which the source calls a NOP sled although 0x41 is `inc ecx` on x86, + shellcode + padding + 4-byte return address); detection signatures based on exact payload size will miss variants with different shellcode lengths.
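The checker below is an added example written for this page; it is not code from the page's sources or from the exploit author. It applies the IOCs above to a captured IMAP command buffer: it flags an oversized command, searches for the decoder stub quoted above with the XOR key byte and the 4-byte sentinel left open (so a repacked variant still matches), pulls those two parameters out of the match, and then decodes the body exactly the way the stub does, stopping at the sentinel. The disassembly in the comments is of the 22 quoted bytes; the 4096-byte "oversized" threshold, the padding byte, and the sample bodies are constructed assumptions, and no real shellcode is used.

```python
import re
import struct

# Constants from the IOC list above.
IMAP_PORT = 143
EXPLOIT_TOTAL_LEN = 8202        # hard-coded total size of the public exploit payload
RET_CALL_EDI = 0x10018C7A       # CALL EDI in MEAISP.dll (confirmed on Win2k SP4 only)

# The 22-byte decoder stub quoted above.  x86 32-bit disassembly:
#   EB 0F              jmp  short +0x0F  ; to the CALL at the end
#   58                 pop  eax          ; eax -> first byte of the encoded body
#   80 30 88           xor  byte [eax], 0x88
#   40                 inc  eax
#   81 38 68 61 63 6B  cmp  dword [eax], 0x6B636168   ; "hack" (little-endian)
#   75 F4              jne  short -0x0C  ; not there yet: back to the xor
#   EB 05              jmp  short +0x05  ; done: skip the CALL, run decoded body
#   E8 EC FF FF FF     call -0x14        ; pushes body address, returns to the pop
DECODER_STUB = (b"\xEB\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B"
                b"\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF\xFF")

# Same stub with the key byte and the 4-byte sentinel left open, so a
# repacked variant (other key, other marker) still matches; the two
# groups hand us the parameters needed to decode the body.
STUB_RE = re.compile(
    rb"\xEB\x0F\x58\x80\x30(.)\x40\x81\x38(.{4})\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF\xFF",
    re.DOTALL,
)

# Assumed threshold (not from the page): RFC 2683 expects clients to keep
# command lines near 1000 octets and servers to accept at least 8000, so a
# multi-kilobyte command is already abnormal.
OVERSIZED_COMMAND = 4096


def decode_body(buf: bytes, start: int, key: int, terminator: bytes):
    """Emulate the stub: XOR one byte with `key`, advance, stop when the next
    four *encoded* bytes equal `terminator`.  Returns (decoded, end_offset), or
    (None, None) if the sentinel never appears (the real stub would keep
    walking memory until it faulted)."""
    out = bytearray()
    i = start
    while i < len(buf):
        out.append(buf[i] ^ key)
        i += 1
        if buf[i:i + 4] == terminator:
            return bytes(out), i
    return None, None


def analyze_imap_command(data: bytes, dst_port: int = IMAP_PORT) -> dict:
    """Apply the IOCs to one IMAP command buffer and return a findings dict."""
    f = {
        "oversized": dst_port == IMAP_PORT and len(data) >= OVERSIZED_COMMAND,
        "exact_exploit_size": len(data) == EXPLOIT_TOTAL_LEN,
        "leading_41s": data.startswith(b"\x41" * 3),
        "ret_call_edi": data.endswith(struct.pack("<I", RET_CALL_EDI)),
        "stub_offset": None, "xor_key": None, "terminator": None, "decoded_body": None,
    }
    m = STUB_RE.search(data)
    if m:
        f["stub_offset"] = m.start()
        f["xor_key"] = m.group(1)[0]
        f["terminator"] = m.group(2)
        f["decoded_body"], _ = decode_body(data, m.end(), f["xor_key"], f["terminator"])
    if m or (f["oversized"] and f["ret_call_edi"]):
        f["verdict"] = "exploit"
    elif f["oversized"]:
        f["verdict"] = "suspicious"
    else:
        f["verdict"] = "clean"
    return f


def build_constructed_payload(plain_body: bytes, key: int = 0x88,
                              terminator: bytes = b"hack",
                              total: int = EXPLOIT_TOTAL_LEN) -> bytes:
    """Constructed stand-in with the layout the IOCs describe: 3 x 0x41, decoder
    stub, XOR-encoded body, plaintext sentinel, padding (0x41 here, an
    assumption), little-endian CALL EDI address.  `plain_body` is a harmless
    marker string, not shellcode; the stub is patched with key/terminator so
    variants can be generated as well."""
    stub = bytearray(DECODER_STUB)
    stub[5] = key                       # operand of "xor byte [eax], imm8"
    stub[9:13] = terminator             # operand of "cmp dword [eax], imm32"
    encoded = bytes(b ^ key for b in plain_body)
    ret = struct.pack("<I", RET_CALL_EDI)
    head = b"\x41" * 3 + bytes(stub) + encoded + terminator
    pad = total - len(head) - len(ret)
    if pad < 0:
        raise ValueError("body too long for the requested total size")
    return head + b"\x41" * pad + ret


if __name__ == "__main__":
    sample = build_constructed_payload(b"CONSTRUCTED MARKER, NOT SHELLCODE")
    variant = build_constructed_payload(b"SHORTER VARIANT", key=0x5A,
                                        terminator=b"done", total=6000)
    benign = b"a001 LOGIN alice secret\r\n"
    for name, buf in (("sample", sample), ("variant", variant), ("benign", benign)):
        r = analyze_imap_command(buf)
        print(name, len(buf), r["verdict"], r["xor_key"], r["decoded_body"])
```

Because the key and sentinel are read out of the matched stub rather than hard-coded, the 6000-byte variant with key 0x5A and marker "done" is decoded and flagged just like the 8202-byte original, while the exact-size, fixed-key and CALL EDI checks are kept only as corroborating signals.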
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat · 5.0 MEDIUM (this score comes from the Red Hat record for CVE-2011-2501, the libpng issue listed below, not from an assessment of CVE-2004-2501)
GHSA
GHSA-vfjp-q2j5-26qc [HIGH] · ghsa_unreviewed · 2022-04-29 · advisory text identical to the CVE description above
Red Hat (record for CVE-2011-2501, a different CVE that this page lists alongside CVE-2004-2501)
CVE-2011-2501 [MEDIUM] libpng: regression of CVE-2004-0421 in 1.2.23+ · vendor_redhat · 2011-06-07 · CVSS 5.0
The png_format_buffer function in pngerror.c in libpng 1.0.x before 1.0.55, 1.2.x before 1.2.45, 1.4.x before 1.4.8, and 1.5.x before 1.5.4 allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.
No detection rules found.
Bugzilla
CVE-2011-2501 [MEDIUM] libpng: regression of CVE-2004-0421 in 1.2.23+ [epel-6] · bugzilla · 2011-06-29 · CVSS 5.0
epel-6 tracking bug for libpng10: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
mingw32-libpng-1.2.37-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/mingw32-libpng-1.2.37-3.el6
---
libpng10-1.0.54-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/libpng10-1.0.54-3.el6
---
Package mingw32-libpng-1.2.37-3.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Bugzilla
CVE-2011-2501 [MEDIUM] libpng: regression of CVE-2004-0421 in 1.2.23+ [fedora-all] · bugzilla · 2011-06-29 · CVSS 5.0
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=717084
Please note: this issue affects multiple
Bugzilla
CVE-2011-2501 [MEDIUM] libpng: regression of CVE-2004-0421 in 1.2.23+ [epel-5] · bugzilla · 2011-06-29 · CVSS 5.0
epel-5 tracking bug for mingw32-libpng: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes
in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
mingw32-libpng-1.2.37-2.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/mingw32-libpng-1.2.37-2.el5
---
mingw32-libpng-1.2.37-3.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/mingw32-libpng-1.2.37-3.el6
---
Package mingw32-libpng-1.2.37-2.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirro
Bugzilla
CVE-2011-2501 [MEDIUM] libpng: regression of CVE-2004-0421 in 1.2.23+ · bugzilla · 2011-06-27 · CVSS 5.0
It was reported [1] that the fix for CVE-2004-0421 in libpng was inadvertently reverted during the 1.2.23 development cycle. The original flaw could be used to cause a denial of service via a carefully-crafted PNG image.
This would affect all versions of libpng >=1.2.23, including 1.4.x and 1.5.x.
[1] http://sourceforge.net/mailarchive/forum.php?thread_name=BANLkTikrnU6FJNQYFvwmt78hwpgKPVRd1Q%40mail.gmail.com&forum_name=png-mng-implement
Discussion:
Upstream fix is here:
http://libpng.git.sourceforge.net/git/gitweb.cgi?p=libpng/libpng;a=commitdiff;h=65e6d5a34f49acdb362a0625a706c6b914e670af
---
This has been assigned CVE-2011-2501:
http://www.openwall.com/lists/oss-security/2011/06/28/16
---
Created libpng tracking bugs
References
- http://archives.neohapsis.com/archives/bugtraq/2004-11/0349.html
- http://secunia.com/advisories/13318
- http://securitytracker.com/id?1012327
- http://www.hat-squad.com/en/000102.html
- http://www.osvdb.org/12135
- http://www.osvdb.org/12136
- http://www.securityfocus.com/bid/11755
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18285
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18286