[SELECT]
                        Buffer Overflow Vulnerability
                          Found in IMAP4 MDaemon 6
                           https://www.upstream.se
                         
                          Discovered by Dennis Rand
                             www.Infowarfare.dk
------------------------------------------------------------------------


-----[SUMMARY
MDaemon offers a full range of mail server functionality. 
MDaemon protects your users from spam and viruses, provides 
Full security, includes seamless web access to your email via 
WorldClient, remote administration, and much more. 

The problem is a Buffer Overflow in the IMAP4 protocol, within the 
IMAP4rev1 MDaemon 6.7.9, causing the service to shutdown.
And the exception handler on the stack is overwritten allowing 
A system compromise with code execution running as SYSTEM.



-----[AFFECTED SYSTEMS
Vulnerable systems:
 * IMAP4rev1 MDaemon 6.7.9

Immune systems:
 * IMAP4rev1 MDaemon 6.8.0

-----[SEVERITY
Medium/High - An attacker is able to cause a Buffer Overflow attack on the
IMAP protocol
              And the exception handler on the stack is overwritten allowing

              A system compromise with code execution running as SYSTEM.
              The reason this is also a medium is that and attacker has to
have a 
              Login on the system to conduct this type of attack.

         

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The Vulnerability is a Buffer Overflow in the IMAP4rev1 MDaemon 6.7.9
When a malicious attacker sends a large amount into the SEARCH buffer
Will overflow. Sending to many bytes into the buffer will cause the server
To reject the request and nothing will happen. 


The following transcript demonstrates a sample exploitation of the 
Vulnerabilities:
----------------------------- [Transcript] -----------------------------
nc infowarfare.dk 143
* OK IMAP4rev1 MDaemon 6.7.9
0000 CAPABILITY
* CAPABILITY IMAP4rev1 NAMESPACE AUTH=CRAM-MD5 IDLE ACL
0000 OK CAPABILITY completed
0001 LOGIN "RealUser@infowarfare.dk" "HereIsMyPassword"
0001 OK User authenticated.
0002 SELECT "aaa...[2500 Bytes]...aaaa"
----------------------------- [Transcript] -----------------------------

When this attack is preformed the management window will close, if 
it is open. The tray icon will remain until the mouse is moved over it,
then it will disappear.
In the event log an error occurs with the following text:
The MDeamon service terminated unexpectedly. It has done this 1 time(s)
The following corrective action will be taken in 0 milliseconds. No Action.

The service has to be started manually, before working properly.


-----[DETECTION
IMAP4rev1 MDaemon 6.7.9 is vulnerable to the above-described attacks. 
Earlier versions may be susceptible as well. To determine if a specific 
implementation is vulnerable, experiment by following the above transcript. 


-----[WORK AROUNDS
Upgrade higher then 6.7.9


-----[VENDOR RESPONSE
Hi Dennis
This problem should have been fixed in 6.8.0. 
In the release notes:
 o fix to IMAP CREATE buffer overflow vulnerability
Could you please run Nessus (if that's what you are using) against 6.8.0 to
confirm that the problem has been resolved?
Thanks
/George



-----[DISCLOSURE TIMELINE
01/07/2003 Found the Vulnerability, and made an analysis.
01/07/2003 Reported to Vendor
04/07/2003 Recived response from vendor
13/07/2003 Public Disclosure.


-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by <der@infowarfare.dk> Dennis
Rand

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any
kind. 
In no event shall we be liable for any damages whatsoever including direct,
indirect, 
incidental, consequential, loss of business profits or special damages.