Buffer Overflow Vulnerability Found in IMAP4 MDaemon 6 http://www.upstream.se Discovered by Dennis Rand ------------------------------------------------------------------------ -----[SUMMARY MDaemon offers a full range of mail server functionality. MDaemon protects your users from spam and viruses, provides Full security, includes seamless web access to your email via WorldClient, remote administration, and much more. The problem is a Buffer Overflow in the IMAP4 protocol, within the IMAP4rev1 MDaemon 6.7.9, causing the service to shutdown. And the exception handler on the stack is overwritten allowing A system compromise with code execution running as SYSTEM. -----[AFFECTED SYSTEMS Vulnerable systems: * IMAP4rev1 MDaemon 6.7.9 Immune systems: * IMAP4rev1 MDaemon 6.8.0 -----[SEVERITY Medium/High - An attacker is able to cause a Buffer Overflow attack on the IMAP protocol And the exception handler on the stack is overwritten allowing A system compromise with code execution running as SYSTEM. The reason this is also a medium is that and attacker has to have a Login on the system to conduct this type of attack. -----[DESCRIPTION OF WHAT THE VULNERABILITY IS The Vulnerability is a Buffer Overflow in the IMAP4rev1 MDaemon 6.7.8 When a malicious attacker sends a large amount into the CREATE the buffer Will overflow. Sending to many bytes into the buffer will cause the server To reject the request and nothing will happen. The following transcript demonstrates a sample exploitation of the Vulnerabilities: ----------------------------- [Transcript] ----------------------------- nc somewhere.dk 143 * OK IMAP4rev1 MDaemon 6.7.9 0000 CAPABILITY * CAPABILITY IMAP4rev1 NAMESPACE AUTH=CRAM-MD5 IDLE ACL 0000 OK CAPABILITY completed 0001 LOGIN "RealUser@somewhere.dk" "HereIsMyPassword" 0001 OK User authenticated. 0002 CREATE "aaa...[2000]...aaaa" ----------------------------- [Transcript] ----------------------------- When this attack is preformed the management window will close, if it is open. The tray icon will remain until the mouse is moved over it, then it will disappear. In the event log an error occurs with the following text: The MDeamon service terminated unexpectedly. It has done this 1 time(s) The following corrective action will be taken in 0 milliseconds. No Action. The service has to be started manually, before working properly. -----[DETECTION IMAP4rev1 MDaemon 6.7.9 is vulnerable to the above-described attacks. Earlier versions may be susceptible as well. To determine if a specific implementation is vulnerable, experiment by following the above transcript. -----[WORK AROUNDS Upgrade higher then 6.7.9 -----[VENDOR RESPONSE Hi Dennis This problem should have been fixed in 6.8.0. In the release notes: o fix to IMAP CREATE buffer overflow vulnerability Could you please run Nessus (if that's what you are using) against 6.8.0 to confirm that the problem has been resolved? Thanks /George -----[DISCLOSURE TIMELINE 20/04/2003 Found the Vulnerability, and made an analysis. 20/04/2003 Reported to Vendor 27/04/2003 Recived response from Vendor 05/05/2003 Public Disclosure. -----[ADDITIONAL INFORMATION The vulnerability was discovered and reported by Dennis Rand -----[DISCLAIMER The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.