lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20040314193809.6627.qmail@www.securityfocus.com>
Date: 14 Mar 2004 19:38:09 -0000
From: Angelo Rosiello <angelo.rosiello@...amail.com>
To: bugtraq@...urityfocus.com
Subject: Rosiello Security's exploit for MDaemon





                            © Rosiello Security

                          http://www.rosiello.org


Bug found by hat-squad security. 
Background by securiteam.com

MDaemon offers a full range of mail server functionality. MDaemon protects your users from spam and viruses, provides full security, includes seamless web access to your email via WorldClient, remote administration, and much more!".FORM2RAW.exe is a CGI that allows users to send emails using the MDaemon via a web page. It processes the fields of an HTML form and creates a raw message file in the raw queue directory of MDaemon mail server. This file then will be processed and queued for delivery by MDaemon. An attacker can cause a buffer overflow in MDaemon by issuing a malformed CGI request to FORM2RAW.exe.

According to the Help file "By default, MDaemon 6.52 or higher will not send emails created by Form2Raw unless the email address passed in the 'from' tag (see below) is a valid account on the MDaemon server. If you want to disable this behavior you can set the FromCheck=No in FORM2RAW.INI file". 

Sending more than 153 bytes in the "From" field to FROM2Raw.exe creates a raw file that when processed by MDaemon will cause a Stack buffer overflow. The EIP register will be overwritten when the From field length is 249 bytes 


ADVISORY: http://www.rosiello.org/en/read_bugs.php?17
EXPLOIT: http://www.rosiello.org/archivio/mdaemon-exploit.c

The exploit has only been tested on Windows XP Home and pro edition (dutch) sp1. 
The demo mode of the exploit shows in the debugger the following
EAX = 00000000 EBX = 00000000 ECX = 014D1BD8 
EDX = 01090000 ESI = 014C6000 EDI = 01AEF1A8
EIP = 42424242 ESP = 01AEEEE8 EBP = 0005E668

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ