Reported March 15, 2001, by Defcom Labs.

VERSIONS AFFECTED

  • MDaemon Standard 3.5.4 email server for Windows 2000 and NT

  • MDaemon Pro 3.5.4 email server for Windows 2000 and NT

DESCRIPTION

A Denial of Service (DoS) condition exists in the MDaemon email server: an attacker can crash the MDaemon package with a single malicious URL request. The problem lies in the way MDaemon handles URL requests whose path references a DOS (Disk Operating System) device name, for example a request for http://www.mail.vulnerableserver.com/aux. Such a request crashes the server, which then has to be restarted from the MDaemon console.

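The underlying weakness is that a path component such as `aux` is passed to the Windows file API, where it names a device rather than a file. The following is an added example (not code from MDaemon, Deerfield.com or Defcom Labs) of the input-validation check a Windows-hosted web service can apply before touching the filesystem, plus a small audit routine that flags such requests in a constructed sample of Common Log Format lines. The reserved-name set (CON, PRN, AUX, NUL, COM1-9, LPT1-9) and the normalisation rules (case-insensitive, extension and trailing dots/spaces ignored) are documented Windows behaviour; the log format and sample lines are assumptions made for the example.

```python
"""Reject request paths whose components resolve to a reserved Windows device.

Added example for a Windows-hosted web service; not MDaemon's own code.
"""
import re
from urllib.parse import unquote, urlsplit

# Device names Windows reserves regardless of directory or extension.
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device_name(component: str) -> bool:
    """True if one path component would be opened as a device by Windows.

    Windows compares case-insensitively, ignores everything from the first
    '.' onward, and strips trailing spaces and dots, so 'aux', 'AUX.txt' and
    'con ' all name devices, while 'auxiliary' does not.
    """
    base = component.rstrip(" .").split(".", 1)[0].rstrip(" .")
    return base.upper() in _RESERVED


def request_path_is_safe(url_or_path: str) -> bool:
    """Return False if any decoded path component is a reserved device name.

    Accepts either a full URL or a bare request target; percent-encoding is
    decoded first so that '/aux%2Etxt' is judged the same as '/aux.txt'.
    """
    path = unquote(urlsplit(url_or_path).path)
    for component in re.split(r"[\\/]+", path):
        if component and is_reserved_device_name(component):
            return False
    return True


# Common Log Format: client - - [timestamp] "METHOD target PROTO" status size
_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def find_device_name_requests(log_lines):
    """Return (client_ip, target) pairs for requests that name a device."""
    hits = []
    for line in log_lines:
        match = _CLF.match(line)
        if match and not request_path_is_safe(match.group("target")):
            hits.append((match.group("ip"), match.group("target")))
    return hits


# Constructed sample log lines (not real traffic); the 500s imitate a
# server that fell over on the device-name requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Mar/2001:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.9 - - [15/Mar/2001:10:01:07 +0000] "GET /aux HTTP/1.0" 500 0',
    '10.0.0.9 - - [15/Mar/2001:10:01:09 +0000] "GET /docs/COM1.txt HTTP/1.0" 500 0',
    '10.0.0.7 - - [15/Mar/2001:10:02:00 +0000] "GET /auxiliary/report.html HTTP/1.0" 200 888',
]

if __name__ == "__main__":
    for ip, target in find_device_name_requests(SAMPLE_LOG):
        print(f"device-name request from {ip}: {target}")
```

`request_path_is_safe` is meant to run on the decoded path before any file or directory lookup; rejecting with a 400 there keeps the request from ever reaching the Windows file API. The audit function is the same check applied retrospectively to an access log, which is how a defender can confirm whether a server was ever sent this kind of request.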
VENDOR RESPONSE

The vendor, Deerfield.com, has issued a fix in release 3.5.6, which is available from the vendor’s Web site.

CREDIT

Discovered by Peter Gründl.