Multiple SLMail Vulnerabilities

From: Marc (marcat_private)
Date: Thu Feb 04 1999 - 13:51:32 PST

Next message: Paul Leach: "Re: Microsoft Access 97 Stores Database Password as Plaintext"

Previous message: Philip Stoev: "Re: Unsecured server in applets under Netscape"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

________________________________________________________________________

eEye Digital Security Team <e>
www.eEye.com
infoat_private
February 04, 1999
________________________________________________________________________

Multiple SLMail Vulnerabilities

Systems Affected
SLMail 3.1

Release Date
February 04, 1999

Advisory Code
AD02041999

________________________________________________________________________

Description:
________________________________________________________________________

We were once again grinding software through Retina Alpha code and have
found the following.

One of the ports that SLMail's POP Service listens on is port 27. It
provides ESMTP functionality. The only difference between it and SLMail's
SMTP service is that port 27 provides the "turn" functions. All
vulnerabilities are based off of the port 27 service.

The first vulnerability involves the "helo" command. There are two
vulnerabilities within it. The first is sending "helo" followed by 819 to
849 characters. This will send the servers CPU to idle around 90%.

The second vulnerability in the "helo" command is a buffer overflow. If you
issue "helo" followed by 855 to 2041 characters the server will crash with
your typical overflow error.

The second set of vulnerabilities are with the "vrfy" and "expn" commands.
We have not tested to find the start and stop string lengths but sending
"vrfy" or "expn" with 2041 characters will cause the SLMail.exe to exit
itself.

So we can either send the CPU to 90%, overflow some buffers, or have the
server exit without a trace. Take your pick.

________________________________________________________________________

Vendor Status
________________________________________________________________________

We gave SeattleLabs a week. We have no reply so far. Contact them directly
and maybe they will respond.

________________________________________________________________________

Copyright (c) 1999 eEye Digital Security Team
________________________________________________________________________

Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alertat_private for
permission.

________________________________________________________________________

Disclaimer:
________________________________________________________________________

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Please send suggestions, updates, and comments to:
eEye Digital Security Team
infoat_private
http://www.eEye.com

Next message: Paul Leach: "Re: Microsoft Access 97 Stores Database Password as Plaintext"
Previous message: Philip Stoev: "Re: Unsecured server in applets under Netscape"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:33 PDT