CVE-2005-1348
Published 2005-05-02
Priority: P261 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 72.62% (99.4th percentile)
Buffer overflow in HTTPMail in MailEnable Enterprise 1.04 and earlier and Professional 1.54 and earlier allows remote attackers to execute arbitrary code via a long HTTP Authorization header.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mailenable | mailenable | — | — |
| mailenable | mailenable_enterprise | <= 1.04 | — |
| mailenable | mailenable_professional | <= 1.54 | — |
Detection & IOCs (extracted from sources)
bytes:
\x6c\x36\xb7 (RET address for Win2003, MEHTTPS.exe)
bytes:
\x33\xc9\x83\xe9\xca\xd9\xee\xd9\x74\x24\xf4\x5b... (win32_adduser shellcode, USER=hack PASS=hack)
- Detect oversized HTTP Authorization headers sent to port 8080 targeting the MailEnable HTTPMail service (MEHTTPS.exe); a large or binary Authorization header value is the exploit trigger.
- Fingerprint a vulnerable MailEnable service by checking the HTTP response banner for the 'MailEnable' string; the Metasploit check method uses this to confirm exposure.
- Payload bad characters are \x0d and \x0a (CR/LF); any Authorization header containing binary data other than these bytes should be treated as suspicious on MailEnable HTTP ports.
- Monitor for creation of unexpected local user accounts (e.g., username 'hack') following inbound requests to MailEnable's HTTPMail port, as the exploit shellcode runs win32_adduser.
- The hardcoded RET address (0x006c36b7) in both the standalone exploit and the Metasploit module targets MEHTTPS.exe on Windows Server 2003 only; different OS/patch levels will require different return addresses.
- Affected versions are MailEnable Enterprise Edition prior to 1.0.5 and MailEnable Professional prior to 1.55; versions at or above these thresholds are not vulnerable.
- Exploit payload space is limited to 512 bytes, constraining the usable shellcode size for detection rule tuning.
GHSA
GHSA-2h7h-w3jg-x4gf · ghsa_unreviewed · 2022-05-01 · CVE-2005-1348 [HIGH]
Buffer overflow in HTTPMail in MailEnable Enterprise 1.04 and earlier and Professional 1.54 and earlier allows remote attackers to execute arbitrary code via a long HTTP Authorization header.
GHSA
GHSA-pw85-4jwp-m329 · ghsa_unreviewed · 2022-04-29 · CVSS 7.5 · CVE-2004-2726 [HIGH]
HTTPMail service in MailEnable Professional 1.18 does not properly handle arguments to the Authorization header, which allows remote attackers to cause a denial of service (null dereference and application crash). NOTE: This is a different vulnerability than CVE-2005-1348.
No detection rules found.
Exploit-DB
MailEnable - Authorisation Header Buffer Overflow (Metasploit)
exploitdb · 2010-07-07 · CVE-2005-1348
---
```ruby
##
# $Id: mailenable_auth_header.rb 9719 2010-07-07 17:38:59Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  HttpFingerprint = { :pattern => [ /MailEnable/ ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MailEnable Authorization Header Buffer Overflow',
      'Description' => %q{
        This module exploits a remote buffer overflow in the MailEnable web service.
        The vulnerability is triggered when a large value is placed into the Authorization
        header o
```
Exploit-DB
MailEnable Enterprise & Professional - https Remote Buffer Overflow
exploitdb · 2005-04-25 · CVE-2005-1348
---
```perl
#!/usr/bin/perl
# This tools and to consider only himself to educational purpose
#
#
#-=[MailEnable (Enterprise & Professional) HTTPS remote BoF exploit]=-
#-=[ ]=-
#-=[ Discovered & Coded by CorryL info:www.x0n3-h4ck.org]=-
#-=[ irc.xoned.net #x0n3-h4ck corryl80[at]gmail.com]=-
#
#[+]Connecting to 127.0.0.1
#[+]Sending Evil Request
#[+]Creating Administrator User
#Connect to 127.0.0.1 Using User (hack) Pass (hack)
#
#D:\Documents and Settings\Administrator\Desktop\prova bof\mailenable-bug+exploit
#>net users
#
#Account utente per \\SERVER
#
#-------------------------------------------------------------------------------
#__vmware_user__ Administrator ASPNET
#Guest hack IME_ADMIN
#IME_USER IUSR_SERVER IWAM_SERVER
#SU
```
Metasploit
MailEnable Authorization Header Buffer Overflow
metasploit
This module exploits a remote buffer overflow in the MailEnable web service. The vulnerability is triggered when a large value is placed into the Authorization header of the web request. MailEnable Enterprise Edition versions prior to 1.0.5 and MailEnable Professional versions prior to 1.55 are affected.
No writeups or analysis indexed.
- http://marc.info/?l=bugtraq&m=111445834220015&w=2
- http://securitytracker.com/id?1013786
- http://www.osvdb.org/15737
- http://www.x0n3-h4ck.org/upload/x0n3-h4ck_mailenable_https.pl