Bugtraq mailing list archives
DoS (and possibly more) on MDaemon for NT/95
From: alvaro-bugtraq () LANDER ES (Alvaro Martinez Echevarria)
Date: Wed, 11 Mar 1998 05:33:53 +0100
Hi there.
Around a month ago I sent the following message to
sales () mdaemon com. In a few words: there's a security problem in
the SMTP/POP/WebPop software they provide for evaluation (and
probably also in the commercial version they sell, see
www.mdaemon.com), that lets you kill SMTP and POP services
provided that you can connect to a sort of configuration port the
programs use (in the configuration I tested the port was N+1, for
N being the port used by WebPop). My knowledge on Windoze
asymptotically approaches zero, so I cannot give much more
details. I haven't received any interesting message from
@mdaemon.com, apart from "we'll forward this information to our
developers" (?); and I've seen nothing related to this security
problem in their web so far, so the time has come to post to
bugtraq, I guess. Possible workaround: block that port using a
firewall. Just in case anyone out there is crazy enough to use
this thing ;-).
Regards.
.------------------------------------------------------------------.
| Alvaro Martínez Echevarría | LANDER SISTEMAS |
| alvaro () lander es | Pº Castellana, 121 |
`--------------------------------| 28046 Madrid, SPAIN |
| Tel: +34-1-5562883 |
| Fax: +34-1-5563001 |
`---------------------------------'
---------- Forwarded message ----------
From: Alvaro Martinez Echevarria <alvaro () lander es>
To: sales () mdaemon com
Date: Sun, 15 Feb 1998 19:59:03 +0100 (CET)
Subject: DoS attack on MDaemon
Hi there.
I have found a really easy to use DoS attack on your MDaemon
server, which some people here in my company have been evaluating.
They asked me to take a look at the security of the product, and
the very first thing I tried just brought the SMTP/POP services down.
It was easy: I connected to a port whose greeting says "+OK
xxx.xxx MDCONFIG Interface Ready", and after some trial and
error this is what I found:
VERS 3.0
+OK MDConfig v3.0 acceptable.
USER aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]
The "a" here needs to be repeated a lot of times, say 2000. And
after that, voilà: "Connection closed by foreign host" and let die
the SMTP and POP services. As you should know, this same bug
could be used in a more clever way to execute arbitrary code in
any server that is using your MDaemon software. I think you
should correct this problem right away, and pay more attention
to bounds checking in your future development.
Regards.
Current thread:
- the purpose of dynamic memory allocation D. J. Bernstein (Mar 04)
- Re: the purpose of dynamic memory allocation sinster () DARKWATER COM (Mar 05)
- New OpenBSD security web page Theo de Raadt (Mar 06)
- <Possible follow-ups>
- Re: the purpose of dynamic memory allocation tqbf () secnet com (Mar 06)
- Possible Bug in CDE on HP-UX gareth greenaway (Mar 09)
- Re: Possible Bug in CDE on HP-UX Jeremy Brinkley (Mar 10)
- Re: the purpose of dynamic memory allocation David LeBlanc (Mar 10)
- Re: the purpose of dynamic memory allocation Jeffrey Hutzelman (Mar 10)
- Re: the purpose of dynamic memory allocation Alan Cox (Mar 11)
- DoS (and possibly more) on MDaemon for NT/95 Alvaro Martinez Echevarria (Mar 10)
- MDaemon SMTP Server Buffer Overflow's Aleph One (Mar 10)
- Security problem in Slackware. Suman_Saraf (Mar 11)
- Re: Security problem in Slackware. Peter van Dijk (Mar 13)
- /tmp event logger Michal Zalewski (Mar 14)
- Re: /tmp event logger Theo de Raadt (Mar 15)
- Possible Bug in CDE on HP-UX gareth greenaway (Mar 09)
- Vunerable shell scripts Michal Zalewski (Mar 14)
- More broadcast fun T. Freak (Mar 14)
- Midnight Commander /tmp race Michal Zalewski (Mar 15)
- Re: Midnight Commander /tmp race Pavel Kankovsky (Mar 17)
- Re: Midnight Commander /tmp race willy () SNOWYOWL CSU AC RU (Mar 17)