###########################

# MailEnable Local Privilege Escalation Vulnerability

###########################

[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MAILENABLE-MULTIPLE-PRIVILEGE-ESCALATIONS.txt
[+] ISR: ApparitionSec



Vendor:
===================
www.mailenable.com



Products:
============
MailEnable


MailEnable provides Windows Mail Server software with features comparable
to Microsoft Exchange. It provides powerful messaging services
like Exchange ActiveSync, IMAP, SMTP, POP3 and collaboration tools such as
calendaring (CalDAV), contacts (CardDAV), tasks and notes.



Vulnerability Type:
===================
Local Privilege Escalation (Unquoted Service Path)



CVE Reference:
==============
N/A



Security Issue:
==================

The following MailEnable product services contain multiple local privilege
escalation vectors, potentially allowing unprivileged user to
gain code execution as SYSTEM via unquoted service paths.

Reference:
https://www.mailenable.com/Standard-ReleaseNotes.txt


c:\>sc qc MELCS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MELCS
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\Mail
Enable\Bin64\MELSC.EXE
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MailEnable List Connector
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem



c:\>sc qc MEMTAS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEMTAS
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\Mail
Enable\Bin64\MEMTA.EXE
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MailEnable Mail Transfer Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem



c:\>sc qc MEPOPS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEPOPS
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\Mail
Enable\Bin64\MEPOPS.EXE
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MailEnable POP Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


c:\>sc qc MEPOCS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MEPOCS
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\Mail
Enable\Bin64\MEPOC.EXE
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MailEnable Postoffice Connector
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem



c:\>sc qc MESMTPCS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MESMTPCS
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files (x86)\Mail
Enable\Bin64\MESMTPC.EXE
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MailEnable SMTP Connector
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem






Disclosure Timeline:
=====================================
Vendor Notification: January 5, 2017
Vendor Acknowledgement: January 5, 2017
Vendor Fix: January 5, 2017
February 12, 2017 : Public Disclosure



Exploit/POC:
============

1) Create EXE named 'Program.exe'


2) Inject 'Program.exe' into the path of the service. After service restart
or system reboot, authorized local user can
then execute arbitrary code with elevated privileges as SYSTEM.




Network Access:
===============
Local



Severity:
=========
Medium




[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2017-02-17]

###########################