COMMAND

    Mdaemon

SYSTEMS AFFECTED

    Mdaemon 3.1.1 for Windows NT (older too?)

PROBLEM

    The following is based on the VIGILANTE-2000012 Security Advisory.
    We want to start off by pointing out that this is not the same
    problem as was initially reported by USSR labs in Mdaemon
    2.8.5.0.

    The Mdaemon Worldclient on TCP port 3000 and the Mdaemon Webconfig
    on TCP port 3001 both contain the same vulnerability.  If a
    certain request is sent to the web service, it results in a heap
    overflow, crashing the service with a Dr. Watson access violation.

    This appears to be a general problem in the way that Mdaemon
    handles these kinds of URLs, so if other Mdaemon web services are
    used, those are probably vulnerable as well.  The aforementioned
    services were the ones tested because they are enabled in a
    default installation.

    Even though this is "only" a Denial of Service, the fact is that
    it is a heap overflow, and with several registers overwritten in
    a process owned by LocalSystem, there is a possibility that it
    could be exploited to gain elevated privileges on the host.

SOLUTION

    The vendor was contacted on the 12th of September and the
    vulnerability was verified by them the following day.  The fix
    was officially released on the 14th of September.  It's nice to
    see the vendor react so quickly.  The fix is to upgrade to
    version 3.1.12, which can be found here:

        ftp://ftp.altn.com/MDaemon/Release/md312.exe