what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

INFIGO-2006-08-04.txt

INFIGO-2006-08-04.txt
Posted Aug 27, 2006
Authored by Leon Juranic | Site infigo.hr

During an audit, a critical vulnerability has been discovered in the MDaemon POP3 server. There is a buffer overflow vulnerability in 'USER' and 'APOP' command processing part of the Altn MDaemon POP3 server. The vulnerability can be triggered with providing a long string to USER or APOP commands with '@' characters included in the string. In this case, MDaemon will incorectly process the string and a heap overflow will happen as a result. To trigger the vulnerability, a few USER commands have to be sent to the POP3 Server. Sometimes (depending on the heap state and string length), it is even possible to redirect code execution directly to the supplied input buffer on the heap. MDaemon versions 8 and 9 are confirmed vulnerable.

tags | advisory, overflow, code execution
SHA-256 | d5c9043c3a5da6e06fbb9448e0ee6aac59f636527f57112ed1d576f7218e753d

INFIGO-2006-08-04.txt

Change Mirror Download

INFIGO IS Security Advisory #ADV-2006-08-04
http://www.infigo.hr/




Title: MDaemon POP3 server remote buffer overflow (preauth)
Advisory ID: INFIGO-2006-08-04
Date: 2006-08-21
Advisory URL: http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-08-04
Impact: Remote code execution (preauth)
Risk Level: High
Vulnerability Type: Remote
Vendors Status: Vendor contacted on 4th May 2006




==[ Overview

MDaemon Server is a standards-based SMTP/POP/IMAP mail server that offers a
full range of mail server functionality. MDaemon is designed to manage the
email needs of any number of individual users and comes complete with a
powerful set of integrated tools for managing mail accounts and message
formats. MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server
complete with LDAP support, an integrated browser-based email client,
content filtering, spam filters, extensive security features, and more.
MDaemon can be found on http://www.altn.com/.



==[ Vulnerability

During an audit, a critical vulnerability has been discovered in the
MDaemon POP3 server. There is a buffer overflow vulnerability in 'USER'
and 'APOP' command processing part of the Altn MDaemon POP3 server.
The vulnerability can be triggered with providing a long string to USER or
APOP commands with '@' characters included in the string. In this case,
MDaemon will incorectly process the string and a heap overflow will happen
as a result. To trigger the vulnerability, a few USER commands have to be
sent to the POP3 Server. Sometimes (depending on the heap state and
string length), it is even possible to redirect code execution directly to
the supplied input buffer on the heap.



==[ Affected Version

The vulnerability has been identified in the latest MDaemon 8/9. All
previous versions are believed to be vulnerable as well.



==[ Fix

Vulnerability is fixed in MDaemon 9.06



==[ PoC Exploit

MDaemon POP3 server remote buffer overflow (preauth) PoC can be
downloaded from http://www.infigo.hr/files/mdaemon_poc.pl .



==[ Credits

Vulnerability discovered by Sasa Jusic <sasa.jusic@infigo.hr> and
Leon Juranic <leon.juranic@infigo.hr>



==[ INFIGO IS Security Contact

INFIGO IS,

WWW : http://www.infigo.hr
E-mail : infocus@infigo.hr
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close