======================================================================
                   Defcom Labs Advisory def-2000-03

                        MDaemon 3.5.0 DoS

Author: Peter Gründl <peter.grundl@defcom.com>
Release Date: 2000-12-19
======================================================================
------------------------=[Brief Description]=-------------------------
MDaemon has some problems handling buffers within the IMAP and
webconfig services. The result is that a malicious user can bring down
several services (including SMTP and POP3).

------------------------=[Affected Systems]=--------------------------
MDaemon 3.5.0 for Windows NT installed on either Windows NT 4.0 or
Windows 2000.

----------------------=[Detailed Description]=------------------------
Sending a long string (eg. 30K) followed by \r\n to port 143 would
cause the MDaemon service to crash and would additionally bring down
the services on ports 25, 110, 366 (default installation).

An old flaw has been reintroduced into MDaemon (originally discovered
by USSR Labs: http://www.ussrback.com/labs15.html). The Webconfig
service (port 3001) is vulnerable to a long url attack. The size is
242-4077 chars. registers are overwritten at following offsets
(242-249 results in missing values being overwritten with hex 00):
EDI: (250:249:248:247) & ECX: (254.253.252.251)

---------------------------=[Workaround]=-----------------------------
Upgrade to MDaemon 3.5.1.0:
http://mdaemon.deerfield.com/download/getmdaemon.cfm

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 14th of
November, and notification of a fix was received by Defcom on the 15th
of December.

======================================================================
             This release was brought to you by Defcom Labs

               labs@defcom.com             www.defcom.com
======================================================================