##############################################################################
#
# MailEnable POP3 Buffer Overflow Vulnerability
#
# Copyright: OS2A and its member companies
#
# Date Written: 2006/03/22
#
# $Revision: 1.4 $
#
# $Log: os2a_mailenable_pop3_bof_601559.nasl,v $
# Revision 1.4 2006/09/20 11:11:29 ksjayesh
# new ntlm changes
#
# Revision 1.1 2006/08/09 14:44:19 hpavithra
# Scripts with ntlmv2 changes
#
# Revision 1.2 2006/08/04 01:03:19 bchandra
# Changes for new NTLMv2
#
# Revision 1.1 2006/03/24 11:53:24 ksjayesh
# To Production
#
# Revision 1.4 2006/03/24 05:27:54 hpavithra
# Added BID with description and formatting changes
# Issue: #2113
#
# Revision 1.3 2006/03/23 11:36:12 shraddha
# Added cve id,
# modified desc, sol, optimized the
# code, set kb.
# Issue #2113
#
# Revision 1.2 2006/03/22 08:11:46 nrnandini
# - Added scope of impact to description.
# issue #2113
#
# Revision 1.1 2006/03/22 06:49:44 nrnandini
# issue #2113
#
# ------------------------------------------------------------------------
# This program was written by OS2A and/or its member companies and is
# licensed under the GNU GPL license. Please see below for details. This
# header contains information regarding licensing terms under the GPL, and
# information regarding obtaining source code from the Author. Consequently,
# pursuant to section 3(c) of the GPL, you must accompany the information
# found in this header with any distribution you make of this Program.
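# ------------------------------------------------------------------------
##############################################################################

if(description)
{
  script_id(601559);
  script_bugtraq_id(17162);
  script_cve_id("CVE-2006-1337");
  script_copyright(english:"Copyright (C) 2006 OS2A");
  script_version("$Revision: 1.4 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");
  name["english"] = "MailEnable POP3 Buffer Overflow Vulnerability";
  script_name(english:name["english"]);
  summary["english"] = "Check for vulnerable version of MailEnable";
  script_summary(english:summary["english"]);
  desc["english"] = "
  Overview :

  This host has MailEnable installed which is prone to authentication
  bypass vulnerability possibly due to a buffer overflow.

  This flaw is due to an error within certain POP3 pre-authentication
  command.

  Impact :

  Successful exploitation could lead to authentication-bypass and
  arbitrary code execution and also to compromise a vulnerable system.
  Scope of impact is restricted to system level.

  Affected Software :

  MailEnable Standard Edition versions prior to 1.93
  MailEnable Professional Edition versions prior to 1.73
  MailEnable Enterprise Edition prior to 1.21

  Affected Platform :

  Windows (Any).

  Solution :

  Apply the update,
  http://www.mailenable.com/hotfix/ME-10011.EXE
  OR
  Update to fixed versions,
  MailEnable Standard Edition version 1.94
  http://www.mailenable.com/mailenablestandard.exe
  MailEnable Professional Edition version 1.74
  http://www.mailenable.com/mailenableprof.exe
  MailEnable Enterprise Edition version 1.22
  http://www.mailenable.com/mailenableent.exe

  References :

  http://www.musecurity.com/MU-200603-01.txt
  http://www.frsirt.com/english/advisories/2006/1006

  CVSS Temporal Score :
  CVSS Base Score : 7.0 (AV:R/AC:L/Au:NR/C:P/I:P/A:P/B:N)
  CVSS Temporal Score : 5.2

  Risk factor : Medium";
  script_description(english:desc["english"]);
  script_dependencies("smb_hotfixes.nasl", "os2a_mailenable_version_601562.nasl");
  script_require_ports("Services/pop3", 110);
  script_require_keys("SMB/WindowsVersion");
  exit(0);
}

include("pop3_func.inc");
include("ntlmv2.inc");

# This is a passive patch check: the decision is made from the edition
# version string already stored in the KB and from a registry value, not from
# any traffic sent to the POP3 service beyond reading its banner.

# Returns TRUE when the ME-10011 hotfix is recorded as applied in the
# registry.  Any other value, including a missing or unreadable "Status"
# value (NULL), is reported as "not applied" — so a host whose registry cannot
# be read will be warned about rather than silently skipped.  Confirm that
# this false-positive bias is the desired one.
function is_hotfix_applied()
{
  local_var status;
  status = cx_registry_get_dword(
             key:"SOFTWARE\Mail Enable\Mail Enable\Updates\ME-10011",
             item:"Status");
  return (status == 1);
}

# Checks one MailEnable edition.
#   kb_key  : KB entry holding that edition's version string
#   pattern : egrep pattern matching the affected versions of that edition
# Returns TRUE when the KB entry exists and matches the pattern (the edition
# is installed and in the affected range); in that case a warning is raised
# on the global POP3 port unless the hotfix is present.  Returns FALSE when
# the edition is not installed or its version is outside the affected range,
# so the caller can move on to the next edition.
function check_edition(kb_key, pattern)
{
  local_var version;
  version = get_kb_item(kb_key);
  if(!version) return FALSE;
  if(!egrep(pattern:pattern, string:version)) return FALSE;
  if(!is_hotfix_applied()) {
    security_warning(port);
  }
  return TRUE;
}

# Registry access is only attempted on Windows hosts for which the SMB
# probes populated the KB.
if(!get_kb_item("SMB/WindowsVersion")){
  exit(0);
}

# Check for POP3 Port
port = get_kb_item("Services/pop3");
if(!port){
  exit(0);
}

# Check for MailEnable POP3 banner.  An absent banner (service did not answer
# or is not POP3) ends the check before any version lookup.
mePop3Banner = get_pop3_banner(port:port);
if(!mePop3Banner){
  exit(0);
}
if("MailEnable POP3 Server" >!< mePop3Banner){
  exit(0);
}

# Each edition publishes its version under its own KB key (presumably set by
# os2a_mailenable_version_601562.nasl, listed in script_dependencies).  The
# editions are tried in the original order and the script stops at the first
# one found in the affected range.  The patterns are kept exactly as the
# author wrote them; note that the Enterprise and Professional patterns also
# match "2.0", and the Professional pattern matches "1.8" and "1.9", which
# lie outside the "prior to" ranges stated in the description — TODO confirm
# against the vendor advisory before changing them.

# MailEnable Enterprise Edition
if(check_edition(kb_key:"MailEnable/Ent/Version",
                 pattern:"^(0\..*|1\.(0|[0-1][0-9]?|2[0]?)|2\.0)$")) {
  exit(0);
}

# MailEnable Professional Edition
if(check_edition(kb_key:"MailEnable/Proff/Version",
                 pattern:"^(0\..*|1\.(0[0-9]|[0-6][0-9]?|7[0-2]?|[89])|2\.0)$")) {
  exit(0);
}

# MailEnable Standard Edition
if(check_edition(kb_key:"MailEnable/Std/Version",
                 pattern:"^(0\..*|1\.(0[0-9]|[0-8][0-9]?|9[0-2]?))$")) {
  exit(0);
}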