======================================================================
                  Defcom Labs Advisory def-2000-03

                         MDaemon 3.5.0 DoS

Author: Peter Gründl
Release Date: 2000-12-19
======================================================================
------------------------=[Brief Description]=-------------------------
MDaemon has some problems handling buffers within the IMAP and
webconfig services. The result is that a malicious user can bring
down several services (including SMTP and POP3).

------------------------=[Affected Systems]=--------------------------
MDaemon 3.5.0 for Windows NT installed on either Windows NT 4.0 or
Windows 2000.

----------------------=[Detailed Description]=------------------------
Sending a long string (e.g. 30K) followed by \r\n to port 143 would
cause the MDaemon service to crash and would additionally bring down
the services on ports 25, 110, 366 (default installation).

An old flaw has been reintroduced into MDaemon (originally discovered
by USSR Labs: http://www.ussrback.com/labs15.html). The Webconfig
service (port 3001) is vulnerable to a long URL attack. The size is
242-4077 chars. Registers are overwritten at the following offsets
(242-249 results in missing values being overwritten with hex 00):

EDI: (250:249:248:247) & ECX: (254.253.252.251)

---------------------------=[Workaround]=-----------------------------
Upgrade to MDaemon 3.5.1.0:
http://mdaemon.deerfield.com/download/getmdaemon.cfm

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 14th of
November, and notification of a fix was received by Defcom on the
15th of December.

======================================================================
            This release was brought to you by Defcom Labs

             labs@defcom.com             www.defcom.com
======================================================================
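
Added example (not part of the Defcom advisory or of MDaemon's code): a passive check over reassembled client-to-server streams that flags the two conditions the advisory describes, an oversized first line sent to port 143 and a request URL of 242 characters or more sent to port 3001. The ports and the 242-4077 range come from the advisory; the 8192-byte ceiling, the function names and the sample flows are assumptions constructed for illustration.

```python
WEBCONFIG_PORT, IMAP_PORT = 3001, 143   # default ports named in the advisory
URL_MIN, URL_MAX = 242, 4077            # URL sizes the advisory reports
LINE_CAP = 8192                         # assumption: local ceiling, not from the advisory


def first_line(chunks, cap=LINE_CAP):
    """Measure the first CRLF-terminated line of a chunked byte stream.
    Returns (kept, length): at most `cap` bytes of the line, and its full
    length without the CRLF. A CRLF split across two chunks is handled."""
    kept, length, prev_cr = bytearray(), 0, False
    for chunk in chunks:
        for b in chunk:
            if prev_cr and b == 0x0A:
                length -= 1                 # the CR was counted; drop it
                return bytes(kept[:length]), length
            prev_cr = b == 0x0D
            length += 1
            if len(kept) < cap:             # measure without buffering it all
                kept.append(b)
    return bytes(kept), length              # no CRLF seen yet


def check_flow(dst_port, chunks):
    """Return a finding tuple for one client-to-server flow, or None."""
    line, length = first_line(chunks)
    if dst_port == IMAP_PORT and length > LINE_CAP:
        return ("imap-long-line", length)
    if dst_port == WEBCONFIG_PORT:
        method, _, rest = line.partition(b" ")
        if length > LINE_CAP:               # truncated: bound from total length
            url_len = length - len(method) - 1
        else:
            url_len = len(rest.split(b" ")[0])
        if url_len >= URL_MIN:              # third field: inside reported range?
            return ("webconfig-long-url", url_len, url_len <= URL_MAX)
    return None


# Constructed sample flows (not captured traffic): (destination port, chunks).
SAMPLE_FLOWS = [
    (143, [b"a001 LOGIN user pass\r", b"\nignored"]),
    (143, [b"A" * 20000, b"A" * 10000 + b"\r\n"]),
    (3001, [b"GET /" + b"x" * 299 + b" HTTP/1.0\r\n\r\n"]),
    (3001, [b"GET /index.html HTTP/1.0\r\n"]),
]

if __name__ == "__main__":
    for port, chunks in SAMPLE_FLOWS:
        print(port, check_flow(port, chunks))
```

The same length limits can be enforced in front of an unpatched server by a filtering proxy until the upgrade to 3.5.1.0 is in place.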