COMMAND

    MDaemon

SYSTEMS AFFECTED

    MDaemon

PROBLEM

    Mohamed Riyad found  following.  MDaemon  mail server for  Windows
    comes  with  a  utility  called  MDConfig to remotely administer a
    MDaemon server.   To establish  MDConfig connection  to a  MDaemon
    server,  an  administrator  must  enable  MDConfig  server  on the
    server machine.   Connection will be  established on a  predefined
    TCP  port,  by  default  3002.  Connection procedure is similar to
    these:

        --> telnet servernameORipaddress 3002
        +OK domainname MDCONFIG interface ready
        --> VERS {ENTER}
        -ERR MDConfig v3.5.0 required   (we identify the server version here, connection closed)

    Try to connect again:

        --> telnet servernameORipaddress 3002
        +OK domainname MDCONFIG interface ready
        --> VERS MDConfig v3.5.0 {ENTER}
        +OK MDConfig v3.5.0 acceptable  (Connection established)
        ---> USER anyname
        +OK <anyname> got it

    Here just wait  without giving any  password.  The  server will be
    waiting  until  either  the  correct  password  is  entered or the
    inactivity  timeout  period  (possibly  10  minutes).  During this
    period you can press ENTER to avoid timeout problem.  Inactitivity
    time will be reset back to 10 minutes and restart countdown.

    OK, the problem  or the possible  DOS attack on  MDConfig is here.
    Now  open  another  telnet  session  and  try  to  connect.    The
    connection will be refused.

    So,  malicious user can  esatablish a connection and maintain  the
    link and any MDaemon  administrator who try remote  administer the
    server will  be refused  connection.   Isn't it  bit annoying  and
    ALT+N must take care of it?

SOLUTION

    Nothing yet.