Buffer Overflows in sh39.com's mailserver 1.21

From: Rense Buijen (Rense.Buijen@dct-mail.com)
Date: Tue Mar 05 2002 - 00:58:18 PST


    I downloaded a copy of "mailserver" (version 1.21) from your website
    http://sh39.net/ (in December of last year).
    This is because I wanted to test a suitable mail client for my small home
    network; I found out, however, that there are some serious vulnerabilities
    in the program.
    I suspect that you have not applied proper buffer (data input) checking
    methods. The mailserver crashes when receiving a large string on port
    25; connecting to the port with telnet and sending about 2500 characters
    should do the trick!
    
    Or from a Unix shell with netcat (nc) installed do the following: 
    
    Set your "evil buffer" string.
    In this case that will be 5000 A's:
    
    BUF=`perl -e '{print "A"x5000}'`
    
    Echo the buffer and pipe it to the remote host running your mailserver
    (in this case 192.168.10.10, on port 25).
    In this example I used the "helo" command with a 5000-character
    string attached as its value.
    
    echo helo $BUF | nc 192.168.10.10 25
    
    If you look at your mailserver now, it reports an error (under Windows
    XP) and the mailserver crashes.
    Under Windows 2000 it simply does not respond anymore; the socket is
    closed and it stops functioning, and a mailserver restart is necessary to
    regain operational status.
    
    IMPACT:
    
    In both cases this software was running with administrative privileges.
    I don't know if remote code execution is possible if one were to correctly
    assemble an exploit, but I think there is a big possibility. Of course
    there is at least a denial of service attack against the application/service.
    
    
    VENDOR STATUS:
    
    The vendor was notified a long time ago and has since updated his package
    to 1.22, where everything should be fixed.
    
    With kind regards,
    
    Rens
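    Added example (editor's note, not part of the original post and not the
    sh39 mailserver's code, whose source the post does not include): a minimal
    SMTP HELO handler written in the unchecked style the post suspects, beside
    a bounds-checked version, fed the same probe the post sends. The 255-byte
    hostname buffer and the reply strings are assumptions for illustration; the
    512-octet command-line limit is the one RFC 5321 (section 4.5.3.1.4) sets.
    The checked handler rejects the over-long line before it parses anything,
    then rejects an argument that would not fit the buffer, and only then copies
    with an explicit bound.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HELO_MAX      255   /* assumed size of the fixed hostname buffer */
#define SMTP_LINE_MAX 512   /* RFC 5321 4.5.3.1.4: max command line, CRLF included */

/* Case-insensitive check that line starts with verb followed by a space. */
static int has_verb(const char *line, const char *verb)
{
    size_t i;
    for (i = 0; verb[i] != '\0'; i++) {
        if (line[i] == '\0' ||
            tolower((unsigned char)line[i]) != tolower((unsigned char)verb[i]))
            return 0;
    }
    return line[i] == ' ';
}

/* Vulnerable pattern the post suspects: the argument is copied into a fixed
 * stack buffer with no length check, so strlen(arg) > HELO_MAX overflows it.
 * Only call this with a short, trusted argument. */
int helo_unchecked(const char *arg, char *reply, size_t reply_len)
{
    char hostname[HELO_MAX + 1];
    strcpy(hostname, arg);                       /* unbounded copy */
    snprintf(reply, reply_len, "250 Hello %s", hostname);
    return 250;
}

/* Hardened handler: length-check the line, then the argument, then copy with
 * a bound. Returns the SMTP reply code and writes the reply text. */
int helo_checked(const char *line, char *reply, size_t reply_len)
{
    char hostname[HELO_MAX + 1];
    const char *arg;
    size_t alen;

    if (strlen(line) > SMTP_LINE_MAX) {
        snprintf(reply, reply_len, "500 Line too long");
        return 500;
    }
    if (!has_verb(line, "HELO")) {
        snprintf(reply, reply_len, "500 Syntax error, command unrecognized");
        return 500;
    }
    arg = line + 5;
    alen = strcspn(arg, "\r\n");                 /* strip the line terminator */
    if (alen == 0 || alen > HELO_MAX) {
        snprintf(reply, reply_len, "501 Syntax error in parameters or arguments");
        return 501;
    }
    memcpy(hostname, arg, alen);
    hostname[alen] = '\0';
    snprintf(reply, reply_len, "250 Hello %s", hostname);
    return 250;
}

/* Reply code for a single command line, using a private reply buffer. */
int helo_code(const char *line)
{
    char reply[SMTP_LINE_MAX + 64];
    return helo_checked(line, reply, sizeof reply);
}

/* Build the post's probe, "helo " + n 'A's + CRLF, and return the code the
 * checked handler gives it. Mirrors perl -e 'print "A"x5000' and nc. */
int probe_code(size_t n)
{
    char *buf = malloc(5 + n + 3);
    int code;
    if (!buf) return -1;
    memcpy(buf, "helo ", 5);
    memset(buf + 5, 'A', n);
    memcpy(buf + 5 + n, "\r\n", 3);              /* copies the NUL too */
    code = helo_code(buf);
    free(buf);
    return code;
}

int main(void)
{
    char reply[SMTP_LINE_MAX + 64];
    printf("5000 A's -> %d\n", probe_code(5000));           /* 500, line too long */
    printf("300 A's  -> %d\n", probe_code(300));            /* 501, exceeds buffer */
    helo_checked("HELO mail.example.org\r\n", reply, sizeof reply);
    printf("normal   -> %s\n", reply);                      /* 250 Hello mail.example.org */
    return 0;
}
```

    The order of the checks matters: measuring the whole line first means a
    5000-byte probe is refused before any parsing touches it, and the separate
    argument check catches the case (300 bytes here) that is a legal line
    length but would still overrun the fixed buffer.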
    



    This archive was generated by hypermail 2b30 : Tue Mar 05 2002 - 17:36:55 PST