CVE-2003-1200 - Buffer Overflow vulnerability in Alt-N MDaemon/WorldClient Form2Raw Raw Message Handler
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
Stack-based buffer overflow in FORM2RAW.exe in Alt-N MDaemon 6.5.2 through 6.8.5 allows remote attackers to execute arbitrary code via a long From parameter to Form2Raw.cgi.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 9 |
Exploit-Db
description | Alt-N MDaemon 6.x/WorldClient Form2Raw Raw Message Handler Buffer Overflow Vulnerability (1). CVE-2003-1200. DoS exploit for windows platform |
id | EDB-ID:23501 |
last seen | 2016-02-02 |
modified | 2003-12-29 |
published | 2003-12-29 |
reporter | Behrang Fouladi |
source | https://www.exploit-db.com/download/23501/ |
title | Alt-N MDaemon 6.x/WorldClient Form2Raw Raw Message Handler Buffer Overflow Vulnerability 1 |

description | MDaemon. CVE-2003-1200. Remote exploit for windows platform |
id | EDB-ID:16812 |
last seen | 2016-02-02 |
modified | 2010-07-01 |
published | 2010-07-01 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16812/ |
title | MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow |

description | Alt-N MDaemon 6.x/WorldClient Form2Raw Raw Message Handler Buffer Overflow Vulnerability (2). CVE-2003-1200. Remote exploit for windows platform |
id | EDB-ID:23502 |
last seen | 2016-02-02 |
modified | 2003-12-29 |
published | 2003-12-29 |
reporter | Rosiello Security |
source | https://www.exploit-db.com/download/23502/ |
title | Alt-N MDaemon 6.x/WorldClient Form2Raw Raw Message Handler Buffer Overflow Vulnerability 2 |
Metasploit
description | This module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default), a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe, by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default), the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based overflow occurs when an excessively long From field is specified. The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes. Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait. Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very reliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will continue to crash/execute the payload until the CGI output is manually deleted from the queue in C:\MDaemon\RawFiles\*.raw. |
id | MSF:EXPLOIT/WINDOWS/HTTP/MDAEMON_WORLDCLIENT_FORM2RAW |
last seen | 2020-03-11 |
modified | 2017-11-08 |
published | 2009-07-03 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1200 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb |
title | MDaemon WorldClient form2raw.cgi Stack Buffer Overflow |
Packetstorm
data source | https://packetstormsecurity.com/files/download/83045/mdaemon_worldclient_form2raw.rb.txt |
id | PACKETSTORM:83045 |
last seen | 2016-12-05 |
published | 2009-11-26 |
reporter | patrick |
source | https://packetstormsecurity.com/files/83045/MDaemon-6.8.5-WorldClient-form2raw.cgi-Stack-Overflow.html |
title | MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Overflow |
Saint
bid | 9317 |
description | MDaemon WorldClient form2raw.cgi From buffer overflow |
id | mail_web_mdaemonversion |
osvdb | 3255 |
title | mdaemon_worldclient_form2raw |
type | remote |
References
- http://hat-squad.com/bugreport/mdaemon-raw.txt
- http://marc.info/?l=bugtraq&m=107936753929354&w=2
- http://secunia.com/advisories/10512
- http://www.osvdb.org/3255
- http://www.securityfocus.com/archive/1/348454
- http://www.securityfocus.com/bid/9317
- https://exchange.xforce.ibmcloud.com/vulnerabilities/14097