
VIGILANTE-2000012.txt

Posted Sep 18, 2000
Authored by Vigilante | Site vigilante.com

Vigilante Advisory #12 - Mdaemon 3.1.1 for Windows NT includes Webconfig and Worldclient, which listen on TCP ports 3000 and 3001. Both are vulnerable to a heap overflow that could be used to execute arbitrary code. A fix is available.

tags | exploit, overflow, arbitrary, tcp
systems | windows
SHA-256 | 9633e5d15d8fbf21e8c07e68f5b9143eb0b13c96a75fdb436fc56cddf57db245

Mdaemon Web Services Heap Overflow DoS

Advisory Code: VIGILANTE-2000012

Release Date:
September 18, 2000

Systems Affected:
- Mdaemon 3.1.1 for Windows NT
It is likely that older versions are also affected.

THE PROBLEM
We want to start off by pointing out that this is not the same problem
as was initially reported by USSR labs in Mdaemon 2.8.5.0:
http://www.ussrback.com/labs15.html.

The Mdaemon Worldclient on TCP port 3000 and the Mdaemon Webconfig on
TCP port 3001 both contain the same vulnerability. If a certain request
is sent to the web service, it results in a heap overflow, crashing the
service with a Dr. Watson access violation.

This appears to be a general problem in the way that Mdaemon handles
these kinds of URLs, so if other Mdaemon web services are used, those
are probably vulnerable as well. The reason that the aforementioned
services were tested is that they are enabled in a default installation.

A Side Note:
Even though this is "only" a Denial of Service, the fact is that it is
a heap overflow, and with several registers overwritten in a process
owned by LocalSystem, there is a possibility that it could be exploited
to gain elevated privileges on the host.

Vendor Status:
The vendor was contacted on the 12th of September and the vulnerability
was verified by them the following day. The fix was officially released
on the 14th of September. It's nice to see the vendor react so quickly.


Fix:
The fix is to upgrade to version 3.1.12, which can be found here:
ftp://ftp.altn.com/MDaemon/Release/md312.exe


Vendor URL: http://www.altn.com
Product URL: http://www.mdaemon.com
Copyright VIGILANTe 2000-09-12

Disclaimer:
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lies within the user's
responsibility.

Feedback:
Please send suggestions, updates, and comments to:

VIGILANTe
mailto: isis@vigilante.com
http://www.vigilante.com
