© Rosiello Security
http://www.rosiello.org
Bug found by hat-squad security.
Background by securiteam.com
MDaemon offers a full range of mail server functionality. MDaemon protects your users from spam and viruses, provides full security, includes seamless web access to your email via WorldClient, remote administration, and much more!".FORM2RAW.exe is a CGI that allows users to send emails using the MDaemon via a web page. It processes the fields of an HTML form and creates a raw message file in the raw queue directory of MDaemon mail server. This file then will be processed and queued for delivery by MDaemon. An attacker can cause a buffer overflow in MDaemon by issuing a malformed CGI request to FORM2RAW.exe.
According to the Help file "By default, MDaemon 6.52 or higher will not send emails created by Form2Raw unless the email address passed in the 'from' tag (see below) is a valid account on the MDaemon server. If you want to disable this behavior you can set the FromCheck=No in FORM2RAW.INI file".
Sending more than 153 bytes in the "From" field to FROM2Raw.exe creates a raw file that when processed by MDaemon will cause a Stack buffer overflow. The EIP register will be overwritten when the From field length is 249 bytes
ADVISORY: http://www.rosiello.org/en/read_bugs.php?17
EXPLOIT: http://www.rosiello.org/archivio/mdaemon-exploit.c
The exploit has only been tested on Windows XP Home and pro edition (dutch) sp1.
The demo mode of the exploit shows in the debugger the following
EAX = 00000000 EBX = 00000000 ECX = 014D1BD8
EDX = 01090000 ESI = 014C6000 EDI = 01AEF1A8
EIP = 42424242 ESP = 01AEEEE8 EBP = 0005E668
