Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: mdaemon WinNT and Win9x remote DoS
From: Craig (CraigFREENET.DE)
Date: Fri Jun 16 2000 - 15:08:44 CDT

mdaemon remote DoS

WinNT version:
vulnerable (Tested on a K5-166 with 32MB RAM, WinNT sp6a)

Win9x version:
vulnerable (Tested on K7-500 with 128MB RAM, Win98SE and on K5-166 with
32MB RAM, Win95)

mdaemon 3.0.4 on Win98SE, K7-500, 128MB RAM: not vulnerable

A single user was not able to receive eMail - after the password was send,
the mail client just haltet, and did nothing till the timeout.

I tried to find the error, by using netcat to enter the commands on my
own and find out, whats wrong. Playing around something strange happened:

netcat 110
+OK Server1 POP service ready using UNREGISTERED SOFTWARE [1] MDaemon
v2.8.5.0 T

User User1
+OK User1... Recipient ok
pass yaddayadda
-ERR that command is valid only in the AUTHORIZATION state!
-ERR unknown POP command!
+OK User1 Server1 POP Server signing off (mailbox empty)


MDaemon crashed after leaving, showing 2 popups.

If you try to verify this, write a input file:

User User1
pass yaddayadda
{just press ENTER}
netcat [Server_to_test] 110 <inputfile

You need to send the commands fast! The more messages you send, the more
time you
got to crash the server; you need to send all the commands before the
status of the
mailbox is shown ("+OK User1's mailbox has 3600 total messages (1018800
When you see that message, it is to late...

If there are too many files in a users directory (e.g.
\mdaemon\users\User1") the Server
needs a long time to read them (for the report - uidl), and the clients got
because it takes a long time.

Some people who were mailbombed could have the problem of not being able to
receive their messages and could think their account was deleted or the
password was changed.



P.S.:English is not my mother language...