MDaemon IMAP FETCH command buffer overflow

2008-03-31T00:00:00
ID SAINT:ACDEEB9EFCC633D6DEE7BE7D6E112846
Type saint
Reporter SAINT Corporation
Modified 2008-03-31T00:00:00

Description

Added: 03/31/2008
CVE: CVE-2008-1358
BID: 28245
OSVDB: 43111

Background

MDaemon is an e-mail server for Windows.

Problem

A buffer overflow vulnerability in the IMAP service allows authenticated users to execute arbitrary commands by sending a **FETCH** command with a long **BODY**.
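A defender-side check for the condition described above, added here as an example and not taken from SAINT or MDaemon: it scans client IMAP command lines for FETCH commands carrying an unusually long BODY data item. The 256-byte limit, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: no legitimate BODY[...] data item approaches this many bytes.
MAX_BODY_ITEM_LEN = 256

# tag, optional UID prefix, FETCH, sequence set, then the data items.
FETCH_RE = re.compile(rb"^(\S+) (?:UID )?FETCH \S+ (.*)$", re.IGNORECASE)
# A BODY or BODY.PEEK data item; an unterminated '[' runs to end of line.
BODY_RE = re.compile(rb"BODY(?:\.PEEK)?\[[^\]]*\]?(?:<[^>]*>)?", re.IGNORECASE)


def oversized_body_items(line: bytes, limit: int = MAX_BODY_ITEM_LEN):
    """Return (tag, length) for each BODY item in a FETCH longer than limit."""
    m = FETCH_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return []
    tag, items = m.group(1), m.group(2)
    return [(tag.decode("ascii", "replace"), len(b.group(0)))
            for b in BODY_RE.finditer(items) if len(b.group(0)) > limit]


def scan(lines, limit=MAX_BODY_ITEM_LEN):
    """Scan client-to-server IMAP command lines and return the findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        for tag, length in oversized_body_items(line, limit):
            findings.append({"line": n, "tag": tag, "body_len": length})
    return findings


# Constructed sample of client commands (not captured traffic).
SAMPLE = [
    b"a001 LOGIN user@example.com secret\r\n",
    b"a002 SELECT INBOX\r\n",
    b"a003 FETCH 1:4 (FLAGS BODY.PEEK[HEADER.FIELDS (DATE FROM)])\r\n",
    b"a004 UID FETCH 7 (BODY[" + b"x" * 600 + b"])\r\n",
    b"a005 FETCH 2 (FLAGS BODY[" + b"x" * 600 + b"\r\n",  # unterminated item
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Because the flaw is reachable only after login, a finding is most useful when correlated with the account that authenticated on the same connection.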

Resolution

Upgrade to MDaemon 9.6.5.

References

<http://secunia.com/advisories/29382/>

Limitations

The exploit works on MDaemon 9.6.4 and requires the login and password of a valid IMAP user.

Platforms

Windows 2000
Windows Server 2003