
Title: Mdaemon Web Services Heap Overflow DoS
Released by: Vigilante
Date: 18th September 2000



Advisory Code:   VIGILANTE-2000012



Release Date:

September 18, 2000



Systems Affected:

- Mdaemon 3.1.1 for Windows NT

It is likely that older versions are also affected.



THE PROBLEM

We want to start off by pointing out that this is not the same problem
as was initially reported by USSR labs in Mdaemon 2.8.5.0:
http://www.ussrback.com/labs15.html.



The Mdaemon Worldclient on TCP port 3000 and the Mdaemon Webconfig on
TCP port 3001 both contain the same vulnerability. If a certain request
is sent to the web service, it results in a heap overflow, crashing the
service with a Dr. Watson access violation.



This appears to be a general problem in the way that Mdaemon handles
these kinds of URLs, so if other Mdaemon web services are used, those
are probably vulnerable as well. The aforementioned services were the
ones tested because they are enabled in a default installation.



A Side Note:

Even though this is "only" a Denial of Service, the fact is that it is
a heap overflow, and with several registers overwritten in a process
owned by LocalSystem, there is a possibility that it could be exploited
to gain elevated privileges on the host.



Vendor Status:

The vendor was contacted on the 12th of September and the vulnerability
was verified by them the following day. The fix was officially released
on the 14th of September. It's nice to see the vendor react so quickly.





Fix:

The fix is to upgrade to version 3.1.12, which can be found here:

http://ftp.altn.com/MDaemon/Release/md312.exe





Vendor   URL: http://www.altn.com

Product  URL: http://www.mdaemon.com

Copyright VIGILANTe 2000-09-12



Disclaimer:

The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lies within the user's
responsibility.



Feedback:

Please send suggestions, updates, and comments to:



VIGILANTe

mailto: isis@vigilante.com

http://www.vigilante.com







