SecurityTracker.com
Category:   Application (E-mail Server)  >   MDaemon (Alt-N)
Vendors:   Alt-N Technologies
MDaemon Buffer Overflow in USER and APOP Commands Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016729
SecurityTracker URL:  http://securitytracker.com/id/1016729
CVE Reference:   CVE-2006-4364
Updated:  Jun 5 2008
Original Entry Date:  Aug 22 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): prior to 9.06
Description:   A vulnerability was reported in MDaemon. A remote user can execute arbitrary code on the target system.

A remote user can send a specially crafted USER or APOP command value to the POP service to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service.

A long string value containing '@' characters can trigger the overflow.

A demonstration exploit is available at:

http://www.infigo.hr/files/mdaemon_poc.pl

Sasa Jusic and Leon Juranic discovered this vulnerability.

The original advisory is available at:

http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-08-04

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (9.06).
Vendor URL:  www.altn.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)
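
The trigger described above (a long USER or APOP value containing '@' characters, sent more than once before authentication) can be screened for in POP3 client lines taken from a proxy or session log. The following is an added example, not code from SecurityTracker, INFIGO or Alt-N; the length limit, '@' count and repeat threshold are assumptions, because the advisory gives no exact sizes, and the sample lines are constructed.

```python
import re
from collections import Counter
# Assumed thresholds (the advisory gives no sizes; RFC 1939 allows 40 per argument).
MAX_ARG_LEN = 128   # assumption: longest plausible USER/APOP argument text
MAX_AT_SIGNS = 1    # assumption: a mailbox name carries at most one '@'
REPEAT_ALERT = 3    # assumption: "a few" flagged commands from one client

CMD_RE = re.compile(rb"^(USER|APOP)(?:[ \t]+(.*))?$", re.IGNORECASE | re.DOTALL)

def inspect_line(raw: bytes) -> list:
    """Return the reasons a client line looks like the reported trigger."""
    m = CMD_RE.match(raw.rstrip(b"\r\n"))
    if not m:
        return []                      # only USER and APOP are in scope
    arg = m.group(2) or b""            # for APOP this is "name digest"
    ats = arg.count(b"@")
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append(f"argument length {len(arg)} > {MAX_ARG_LEN}")
    if ats > MAX_AT_SIGNS:
        reasons.append(f"{ats} '@' characters")
    return reasons

def scan(events):
    """events: (client_ip, raw_line) pairs -> (findings, repeat_clients)."""
    findings, per_client = [], Counter()
    for ip, raw in events:
        reasons = inspect_line(raw)
        if reasons:
            per_client[ip] += 1
            findings.append((ip, raw[:24], reasons))  # keep a short preview
    repeat = sorted(ip for ip, n in per_client.items() if n >= REPEAT_ALERT)
    return findings, repeat

# Constructed sample input, not captured traffic.
SAMPLE = [
    ("192.0.2.10", b"USER alice@example.com\r\n"),
    ("192.0.2.10", b"PASS not-inspected\r\n"),
    ("198.51.100.7", b"USER " + b"x@" * 300 + b"\r\n"),
    ("198.51.100.7", b"USER " + b"x@" * 300 + b"\r\n"),
    ("198.51.100.7", b"APOP " + b"x@" * 300 + b" " + b"0" * 32 + b"\r\n"),
    ("203.0.113.5", b"user bob@@example.org\r\n"),
]

if __name__ == "__main__":
    findings, repeat = scan(SAMPLE)
    for ip, preview, reasons in findings:
        print(ip, preview, "; ".join(reasons))
    print("clients at or over the repeat threshold:", repeat)
```

Tune the thresholds to the longest legitimate mailbox names in the environment; the fix itself remains the upgrade to 9.06.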

Message History:   None.


 Source Message Contents

Subject:  MDaemon POP3 server remote buffer overflow (preauth)


       INFIGO IS Security Advisory #ADV-2006-08-04
                             http://www.infigo.hr/




Title: MDaemon POP3 server remote buffer overflow (preauth)
Advisory ID: INFIGO-2006-08-04
Date: 2006-08-21
Advisory URL: http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-08-04
Impact: Remote code execution (preauth)
Risk Level: High
Vulnerability Type: Remote
Vendors Status: Vendor contacted on 4th May 2006




==[ Overview

MDaemon Server is a standards-based SMTP/POP/IMAP mail server that offers a
full range of mail server functionality. MDaemon is designed to manage the
email needs of any number of individual users and comes complete with a 
powerful set of integrated tools for managing mail accounts and message 
formats. MDaemon offers a scalable SMTP, POP3, and IMAP4 mail server 
complete with LDAP support, an integrated browser-based email client, 
content filtering, spam filters, extensive security features, and more. 
MDaemon can be found on http://www.altn.com/.



==[ Vulnerability

During an audit, a critical vulnerability has been discovered in the
MDaemon POP3 server. There is a buffer overflow vulnerability in the 'USER'
and 'APOP' command processing part of the Alt-N MDaemon POP3 server.
The vulnerability can be triggered by providing a long string to USER or
APOP commands with '@' characters included in the string. In this case,
MDaemon will incorrectly process the string and a heap overflow will happen
as a result. To trigger the vulnerability, a few USER commands have to be
sent to the POP3 Server. Sometimes (depending on the heap state and
string length), it is even possible to redirect code execution directly to
the supplied input buffer on the heap.



==[ Affected Version

The vulnerability has been identified in the latest MDaemon 8/9. All
previous versions are believed to be vulnerable as well.



==[ Fix

The vulnerability is fixed in MDaemon 9.06.



==[ PoC Exploit

MDaemon POP3 server remote buffer overflow (preauth) PoC can be
downloaded from http://www.infigo.hr/files/mdaemon_poc.pl .



==[ Credits

Vulnerability discovered by Sasa Jusic <sasa.jusic@infigo.hr> and
Leon Juranic <leon.juranic@infigo.hr>



==[ INFIGO IS Security Contact

INFIGO IS,

WWW : http://www.infigo.hr
E-mail : infocus@infigo.hr

 
 



Copyright 2020, SecurityGlobal.net LLC