CVE-2003-1200
published 2003-12-29

Priority: P3 · 53 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 65.10% (99.2th percentile)
Stack-based buffer overflow in FORM2RAW.exe in Alt-N MDaemon 6.5.2 through 6.8.5 allows remote attackers to execute arbitrary code via a long From parameter to Form2Raw.cgi.

Affected

9 ranges
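| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| alt-n | mdaemon | | |
| alt-n | mdaemon | | |
| alt-n | mdaemon | | |
| alt-n | mdaemon | | |
| alt-n | mdaemon | | |
| alt-n | mdaemon | | |
| alt-n | mdaemon | | |
| alt-n | mdaemon | | |
| alt-n | mdaemon | | |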

Detection & IOCs (extracted from sources)

path: /form2raw.cgi
path: C:\MDaemon\RawFiles\*.raw
port: 3000
command: GET /form2raw.cgi?From=<overflow>&To=<addr>&Subject=hi&Body=hello HTTP/1.0
other: 0x022fcd46
other: 0x1dff160
filename: FORM2RAW.exe
bytes: \x90 * 242 followed by jmp_short(61) then return address
  • Detect HTTP GET requests to /form2raw.cgi with a From parameter exceeding 249 bytes, indicative of an exploitation attempt against CVE-2003-1200.
  • Monitor for WorldClient HTTP server banner matching WDaemon/6.8.[0-5] as the Metasploit check uses this regex to confirm a vulnerable target.
  • Alert on creation of new .raw files in C:\MDaemon\RawFiles\ following inbound HTTP requests to form2raw.cgi, as the exploit payload is written to the Raw Queue and executed by MDaemon.exe.
  • Flag HTTP traffic on port 3000 containing the pattern 'GET /form2raw.cgi?From=' with a large From value as the exploit targets WorldClient's default port.
  • The exploit payload uses bad characters \x00\x0a\x0d%\x20@<>&?|,;=`()${}\ #!~"\xff\/\\ — NOP sleds and shellcode in the Body parameter will avoid these bytes; use this to tune signature matching.
  • Detect MDaemon.exe crashes or unexpected process restarts, especially recurring ones, as the exploit causes repeated execution until the raw file is manually removed.
  • X-FromCheck must be enabled (default) for the overflow in MDaemon.exe to trigger; if disabled, the CGI data is not processed by MDaemon and the overflow does not occur.
  • WorldClient HTTP server must be installed (default) for the vulnerable CGI endpoint to be exposed; installations without WorldClient are not reachable via this attack vector.
  • The Raw Queue is processed every 1 minute by default, up to 60 minutes; payload execution is delayed and WfsDelay must be set accordingly when using Metasploit.
  • The Metasploit module uses a direct memory jump into a NOP sled, which is noted as unreliable; detection based on crash patterns may be more consistent than payload execution indicators.
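
The first two detection notes above, written out as log-scanning logic. This is an added example, not code from the sources this page draws on. The function names, the sample request lines, and the case-insensitive matching of the path and parameter name are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

FROM_LIMIT = 249   # byte threshold from the detection note above
BANNER_RE = re.compile(r"WDaemon/6\.8\.[0-5]")   # banner regex from the note above

def from_length(request_line):
    """Decoded byte length of the From parameter, or None when the line is
    not a GET for /form2raw.cgi that carries a From parameter."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return None
    url = urlsplit(parts[1])
    # Assumption: match path and parameter name case-insensitively.
    if url.path.lower() != "/form2raw.cgi":
        return None
    for pair in url.query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() == "from":
            # Measure after percent-decoding, so encoded input is sized
            # the way the CGI would see it.
            return len(unquote_to_bytes(value.replace("+", " ")))
    return None

def is_suspicious(request_line):
    n = from_length(request_line)
    return n is not None and n > FROM_LIMIT

def banner_in_scope(server_header):
    """True when a Server header matches the affected WorldClient banner."""
    return BANNER_RE.search(server_header) is not None

def scan(request_lines):
    """Return (line_number, from_length) for each flagged request line."""
    return [(i, from_length(line))
            for i, line in enumerate(request_lines, 1) if is_suspicious(line)]

# Constructed sample request lines (not captured traffic).
TAIL = "&To=bob@example.com&Subject=hi&Body=hello HTTP/1.0"
SAMPLES = [
    "GET /form2raw.cgi?From=alice@example.com" + TAIL,   # normal form post
    "GET /form2raw.cgi?From=" + "A" * 249 + TAIL,        # at the limit
    "GET /Form2Raw.cgi?From=" + "A" * 300 + TAIL,        # over the limit
    "GET /form2raw.cgi?From=" + "%41" * 250 + TAIL,      # 250 bytes decoded
    "GET /index.html?From=" + "A" * 300 + " HTTP/1.0",   # other path
]

print(scan(SAMPLES))
```

Measuring the decoded length keeps a normal, heavily percent-encoded address from being flagged on raw URL size alone, and keeps the threshold aligned with the 249-byte figure in the note.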