Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

MDaemon 5.0.5 authentication vulnerability

From: "Buckaroo Banzai" <buckaner0 () terra es>
Date: Sat, 9 Aug 2003 01:59:59 +0200


Hello,

There is a security problem on MDaemon 5.0.5 (maybe other versions 
affected as well) regarding smtp authentication.


Blank password authenticates any valid user:

For primary domain:
User:           VALIDUSER       or      VALIDUSER () primaridomain com
Password:       blank password

For secondary domains:
User:           VALIDUSER () secondarydomain com
Password:       blank password


Using this vulnerability Spammers could abuse server even if relay control is 
properly configured. To abuse the server there is no need to get the 
userlist.dat and decode the well known weak encryption of MDeamon 5.0.6 
and before (base64 encoded password plus one offset for each character 
(1byte)).


If a valid user is required you could always built-in account "MDaemon" and 
the default password (see references) or blank password. You could also try 
with well known accounts (administrator, webmaster, info, spam, admin, etc.)


Sample session:

220 xxx.com ESMTP MDaemon 5.0.5; Sat, 02 Aug 2003 00:51:06 +0200
EHLO localhost
250-xxx.com Hello localhost, pleased to meet you
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250 SIZE 0
AUTH LOGIN
334 VXNlcm5hbWU6               (334 Username:)
TURhZW1vbg==                      (MDaemon)
334 UGFzc3dvcmQ6               (334 Password:)
                                             (blank password)
235 Authentication successful



Buckaroo Banzai

PD: The bug has been submited to ALT-N


References: related security issues regarding MDaemon 5
-------------------------------------------------------
http://www.securityfocus.com/bid/4689
http://www.securityfocus.com/bid/4686
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0057.html
Previous By Date Next
Previous By Thread Next

Current thread: