From peter.grundl@DEFCOM.COM Thu Dec 21 02:29:25 2000
From: "Peter Gründl"
X-Sender: prg@astral.defcom.com
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Tue, 19 Dec 2000 13:33:15 +0100
Subject: [BUGTRAQ] def-2000-03: MDaemon 3.5.0 DoS

======================================================================
                  Defcom Labs Advisory def-2000-03

                        MDaemon 3.5.0 DoS

Author: Peter Gründl
Release Date: 2000-12-19
======================================================================
------------------------=[Brief Description]=-------------------------
MDaemon has some problems handling buffers within the IMAP and
webconfig services. The result is that a malicious user can bring
down several services (including SMTP and POP3).

------------------------=[Affected Systems]=--------------------------
MDaemon 3.5.0 for Windows NT installed on either Windows NT 4.0 or
Windows 2000.

----------------------=[Detailed Description]=------------------------
Sending a long string (e.g. 30K) followed by \r\n to port 143 would
cause the MDaemon service to crash and would additionally bring down
the services on ports 25, 110, 366 (default installation).

An old flaw has been reintroduced into MDaemon (originally discovered
by USSR Labs: http://www.ussrback.com/labs15.html). The Webconfig
service (port 3001) is vulnerable to a long URL attack. The size is
242-4077 chars.

Registers are overwritten at the following offsets (242-249 results
in missing values being overwritten with hex 00):

EDI: (250:249:248:247) & ECX: (254.253.252.251)

---------------------------=[Workaround]=-----------------------------
Upgrade to MDaemon 3.5.1.0:
http://mdaemon.deerfield.com/download/getmdaemon.cfm

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 14th of
November, and notification of a fix was received by Defcom on the
15th of December.

======================================================================
            This release was brought to you by Defcom Labs

              labs@defcom.com             www.defcom.com
======================================================================
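
A bounded line reader for a CRLF-delimited service, showing the length check whose absence produces the crash described under Detailed Description. This is an added example, not part of the advisory and not MDaemon's code; `MAX_LINE`, `read_line` and `classify_filler_line` are hypothetical names, and the 1024-byte limit is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 1024  /* assumed limit for this example, not MDaemon's */

enum line_status { LINE_OK, LINE_INCOMPLETE, LINE_TOO_LONG };

/* Copy one CRLF-terminated line from in[0..in_len) into out (capacity
 * out_cap). *consumed is the number of input bytes the caller should drop.
 * An over-long line is never copied or truncated into out: it is reported
 * so the caller can send an error and close, instead of writing past out. */
enum line_status read_line(const char *in, size_t in_len,
                           char *out, size_t out_cap, size_t *consumed)
{
    size_t i;
    *consumed = 0;
    if (out_cap == 0) return LINE_TOO_LONG;
    for (i = 0; i + 1 < in_len; i++) {
        if (in[i] == '\r' && in[i + 1] == '\n') {
            *consumed = i + 2;              /* the line plus its CRLF */
            if (i >= out_cap || i > MAX_LINE)
                return LINE_TOO_LONG;       /* no room for i bytes + NUL */
            memcpy(out, in, i);
            out[i] = '\0';
            return LINE_OK;
        }
    }
    if (in_len > MAX_LINE + 1) {            /* no CRLF yet: stop buffering */
        *consumed = in_len;
        return LINE_TOO_LONG;
    }
    return LINE_INCOMPLETE;                 /* wait for more input */
}

/* Constructed in-memory input: n filler bytes followed by CRLF, mirroring
 * the "long string followed by \r\n" case. Returns read_line's verdict. */
enum line_status classify_filler_line(size_t n)
{
    static char in[40000];
    char out[MAX_LINE + 1];
    size_t used;
    if (n + 2 > sizeof in) return LINE_TOO_LONG;
    memset(in, 'A', n);
    in[n] = '\r'; in[n + 1] = '\n';
    return read_line(in, n + 2, out, sizeof out, &used);
}

int main(void) { printf("%d %d\n", classify_filler_line(64), classify_filler_line(30000)); return 0; }
```

The same check applies to the request line of an HTTP-style service such as the one on port 3001: reject the request when the line exceeds the limit rather than copying it into a fixed buffer.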