COMMAND

    MDaemon

SYSTEMS AFFECTED

    MDaemon 3.5.0

PROBLEM

    Following is based on a Defcom Labs Advisory def-2000-03 by  Peter
    Grundl.   MDaemon has  some problems  handling buffers  within the
    IMAP and webconfig services. The  result is that a malicious  user
    can bring down several services (including SMTP and POP3).

    Sending a long string (eg. 30K) followed by \r\n to port 143 would
    cause the MDaemon  service to crash  and would additionally  bring
    down the services on ports 25, 110, 366 (default installation).

    An  old  flaw  has  been  reintroduced  into  MDaemon   originally
    discovered by  USSR Labs.   The Webconfig  service (port  3001) is
    vulnerable to  a long  url attack.   The size  is 242-4077  chars.
    registers are  overwritten at  following offsets  (242-249 results
    in  missing  values   being  overwritten  with   hex  00):    EDI:
    (250:249:248:247) & ECX: (254.253.252.251)

SOLUTION

    Upgrade to MDaemon 3.5.1.0:

        http://mdaemon.deerfield.com/download/getmdaemon.cfm