|
Bugtraq
mailing list archives
Rosiello Security's exploit for MDaemon
From: Angelo Rosiello <angelo.rosiello () katamail com>
Date: 14 Mar 2004 19:38:09 -0000
© Rosiello Security
http://www.rosiello.org
Bug found by hat-squad security.
Background by securiteam.com
MDaemon offers a full range of mail server functionality. MDaemon protects your users from spam and viruses, provides
full security, includes seamless web access to your email via WorldClient, remote administration, and much
more!".FORM2RAW.exe is a CGI that allows users to send emails using the MDaemon via a web page. It processes the fields
of an HTML form and creates a raw message file in the raw queue directory of MDaemon mail server. This file then will
be processed and queued for delivery by MDaemon. An attacker can cause a buffer overflow in MDaemon by issuing a
malformed CGI request to FORM2RAW.exe.
According to the Help file "By default, MDaemon 6.52 or higher will not send emails created by Form2Raw unless the
email address passed in the 'from' tag (see below) is a valid account on the MDaemon server. If you want to disable
this behavior you can set the FromCheck=No in FORM2RAW.INI file".
Sending more than 153 bytes in the "From" field to FROM2Raw.exe creates a raw file that when processed by MDaemon will
cause a Stack buffer overflow. The EIP register will be overwritten when the From field length is 249 bytes
ADVISORY: http://www.rosiello.org/en/read_bugs.php?17
EXPLOIT: http://www.rosiello.org/archivio/mdaemon-exploit.c
The exploit has only been tested on Windows XP Home and pro edition (dutch) sp1.
The demo mode of the exploit shows in the debugger the following
EAX = 00000000 EBX = 00000000 ECX = 014D1BD8
EDX = 01090000 ESI = 014C6000 EDI = 01AEF1A8
EIP = 42424242 ESP = 01AEEEE8 EBP = 0005E668
 By Date 
By Thread
Current thread:
- Rosiello Security's exploit for MDaemon Angelo Rosiello (Mar 15)
|
Intro
