[VulnWatch] Buffer Overflow Vulnerability Found in IMAP4 MDaemon 6 - [EXAMINE]

From: Dennis Rand (der_at_infowarfare.dk)
Date: 07/13/03

  • Next message: Janusz Niewiadomski: "[VulnWatch] Linux nfs-utils xlog() off-by-one bug"
    To: "Vulnwatch@Vulnwatch. Org" <vulnwatch@vulnwatch.org>, "Bugs@Securitytracker. Com" <bugs@securitytracker.com>, <bugtraq@securityfocus.com>, "News@Securiteam. Com" <news@securiteam.com>, "Vuln@Secunia. Dk" <vuln@secunia.dk>
    Date: Sun, 13 Jul 2003 10:56:56 +0200

                            Buffer Overflow Vulnerability
                              Found in IMAP4 MDaemon 6
                              Discovered by Dennis Rand

    MDaemon offers a full range of mail server functionality.
    MDaemon protects your users from spam and viruses, provides
    Full security, includes seamless web access to your email via
    WorldClient, remote administration, and much more.

    The problem is a Buffer Overflow in the IMAP4 protocol, within the
    IMAP4rev1 MDaemon 6.7.9, causing the service to shutdown.
    And the exception handler on the stack is overwritten allowing
    A system compromise with code execution running as SYSTEM.

    Vulnerable systems:
     * IMAP4rev1 MDaemon 6.7.9

    Immune systems:
     * IMAP4rev1 MDaemon 6.8.0

    Medium/High - An attacker is able to cause a Buffer Overflow attack on the
    IMAP protocol
                  And the exception handler on the stack is overwritten allowing

                  A system compromise with code execution running as SYSTEM.
                  The reason this is also a medium is that and attacker has to
    have a
                  Login on the system to conduct this type of attack.


    The Vulnerability is a Buffer Overflow in the IMAP4rev1 MDaemon 6.7.9
    When a malicious attacker sends a large amount into the EXAMINE buffer
    Will overflow. Sending to many bytes into the buffer will cause the server
    To reject the request and nothing will happen.

    The following transcript demonstrates a sample exploitation of the
    ----------------------------- [Transcript] -----------------------------
    nc infowarfare.dk 143
    * OK IMAP4rev1 MDaemon 6.7.9
    0000 OK CAPABILITY completed
    0001 LOGIN "RealUser@infowarfare.dk" "HereIsMyPassword"
    0001 OK User authenticated.
    0002 EXAMINE "aaa...[2500 Bytes]...aaaa"
    ----------------------------- [Transcript] -----------------------------

    ---------------------------- [Exploit Code] ----------------------------
    ---------------------------- [Exploit Code] ----------------------------

    When this attack is preformed the management window will close, if
    it is open. The tray icon will remain until the mouse is moved over it,
    then it will disappear.
    In the event log an error occurs with the following text:
    The MDeamon service terminated unexpectedly. It has done this 1 time(s)
    The following corrective action will be taken in 0 milliseconds. No Action.

    The service has to be started manually, before working properly.

    IMAP4rev1 MDaemon 6.7.8 is vulnerable to the above-described attacks.
    Earlier versions may be susceptible as well. To determine if a specific
    implementation is vulnerable, experiment by following the above transcript.

    -----[WORK AROUNDS
    Upgrade higher then 6.7.9

    Hi Dennis
    This problem should have been fixed in 6.8.0.
    In the release notes:
     o fix to IMAP CREATE buffer overflow vulnerability
    Could you please run Nessus (if that's what you are using) against 6.8.0 to
    confirm that the problem has been resolved?

    01/07/2003 Found the Vulnerability, and made an analysis.
    01/07/2003 Reported to Vendor
    04/07/2003 Recived response from vendor
    13/07/2003 Public Disclosure.

    The vulnerability was discovered and reported by <der@infowarfare.dk> Dennis

    The information in this bulletin is provided "AS IS" without warranty of any
    In no event shall we be liable for any damages whatsoever including direct,
    incidental, consequential, loss of business profits or special damages.

  • Next message: Janusz Niewiadomski: "[VulnWatch] Linux nfs-utils xlog() off-by-one bug"