Home page logo
/

bugtraq logo Bugtraq mailing list archives

Buffer Overflows in sh39.com's mailserver 1.21
From: "Rense Buijen" <Rense.Buijen () dct-mail com>
Date: Tue, 5 Mar 2002 09:58:18 +0100

I downloaded a copy "mailserver" (version 1.21) from your website
http://sh39.net/ (In December of last year)
This because I wanted to test a suitable mail client for my small home
network; I found out however that there are some serious vulnerabilities
in the program.
I suspect that you have not applied proper buffer (data input) checking
methods. The mailserver crashes when receiving a large string on port
25, connecting to the port with telnet and sending about 2500 characters
should do the trick!!

Or from a Unix shell with netcat (nc) installed do the following: 

Set your "evil buffer" string
In this case that will be 5000 A's

BUF=`perl -e '{print "A"x5000}'`

Echo the buffer and pipe it to the remote host running your mailserver
(in this case 192.168.10.10)
In this example I used the "helo" command with a 5000 character counting
string attached as value.

echo helo $BUF | nc 192.168.10.10

If you look at your mailserver now it reports an error (Under windows
XP) and the mailserver crashes.
Under windows2000 it just simply does not respond anymore, the socket is
closed and it stops functioning, a mailserver restart is necessary to
regain operational status.

IMPACT:

In both cases this software was running with administrative privileges,
I don't know if remote code execution is possible if one would correctly
assemble an exploit but I think there is a big possibility. Of course
there is at least a Denial of Service attack to the application/service.


VENDOR STATUS:

The vendor was notified a long time ago and has sins updated his package
to 1.22 where everything should we fixed.

With kind regards,

Rens


  By Date           By Thread  

Current thread:
  • Buffer Overflows in sh39.com's mailserver 1.21 Rense Buijen (Mar 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]