5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.046 Low
EPSS
Percentile
92.6%
The remote host is running BusinessMail, a commercial mail server for Windows from NetCPlus.
The version of BusinessMail on the remote host fails to sanitize input to the ‘HELO’ and ‘MAIL FROM’ SMTP commands, which can be exploited by an unauthenticated, remote attacker to crash the SMTP service and possibly even execute arbitrary code within the context of the server process.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description) {
script_id(19365);
script_version("1.19");
script_cve_id("CVE-2005-2472");
script_bugtraq_id(14434);
script_name(english:"BusinessMail Multiple SMTP Command Remote Buffer Overflows");
script_set_attribute(attribute:"synopsis", value:
"The remote SMTP server is susceptible to buffer overflow attacks." );
script_set_attribute(attribute:"description", value:
"The remote host is running BusinessMail, a commercial mail server for
Windows from NetCPlus.
The version of BusinessMail on the remote host fails to sanitize input
to the 'HELO' and 'MAIL FROM' SMTP commands, which can be exploited by
an unauthenticated, remote attacker to crash the SMTP service and
possibly even execute arbitrary code within the context of the server
process." );
script_set_attribute(attribute:"see_also", value:"http://reedarvin.thearvins.com/20050730-01.html" );
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ac6c13db" );
script_set_attribute(attribute:"see_also", value:"http://www.attrition.org/pipermail/vim/2007-June/001640.html" );
script_set_attribute(attribute:"solution", value:
"Upgrade to BusinessMail 4.7 or later." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/02");
script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/01");
script_cvs_date("Date: 2018/06/27 18:42:26");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_summary(english:"Checks for remote buffer overflow vulnerabilities in BusinessMail");
script_category(ACT_MIXED_ATTACK);
script_family(english:"SMTP problems");
script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
script_dependencies("smtpserver_detect.nasl");
script_require_ports("Services/smtp", 25);
exit(0);
}
include("global_settings.inc");
include("smtp_func.inc");
include("misc_func.inc");
port = get_service(svc:"smtp", default: 25, exit_on_fail: 1);
if (get_kb_item('SMTP/'+port+'/broken')) exit(0);
# If the banner suggests it's BusinessMail...
banner = get_smtp_banner(port:port);
if (banner && "BusinessMail SMTP server" >< banner) {
# If safe checks are enabled...
if (safe_checks()) {
if (banner =~ "BusinessMail SMTP server ([0-3]\.|4\.([0-5].*|60.*|61\.0[0-2]))") {
report =
"Note that Nessus has determined the vulnerability exists on the
remote host simply by looking at the software's banner.
";
security_hole(port:port, extra:report);
}
}
# Otherwise...
else {
# Let's try to crash it.
soc = smtp_open(port:port, helo:"nessus");
if (!soc) exit(0);
c = 'MAIL FROM:' + crap(1000);
send(socket:soc, data: c+'\r\n');
s = smtp_recv_line(socket:soc);
close(soc);
# Try once to reconnect.
sleep(1);
soc = open_sock_tcp(port);
if (!soc)
{
if (service_is_dead(port: port) > 0)
security_hole(port);
exit(0);
}
if (!smtp_recv_line(socket:soc)) {
security_hole(port);
exit(0);
}
close(soc);
}
}