Bugtraq mailing list archives
Re: Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl))
From: smiler () VXD ORG (SMILER)
Date: Tue, 23 May 2000 13:15:42 +0100
Well I tried this in :

* Lotus Domino ESMTP Services running Version 5.0.3 (Intl) and smtp died also after mail from: someone@4k_junk
* Lotus Domino ESMTP version 5.0.2 (Intl) is also vulnerable to this.
* I also tried this against Version 5.0.2c (Intl) without success in DOS so I assume that 5.0.2c(Intl) is not vulnerable.
* Merak Server Version 2.10.270 is also not vulnerable.
* CMail Server version 2.4.6 is not vulnerable to mail from: someone@4k_junk BUT is vulnerable to something_4k_junk ! In fact this software even logs "mail from: someone@4k_junk" as a DOS attempt but crashes when you just send something_4k_junk !
* Argosoft Mail Server version 1.2.1.0 doesn't crash with "mail from: someon@4k:_junk" but after some messages it will log :
  Error: Access violation at address 00459CBB in module 'MAILSERVER.EXE'. Read of address FFFFFFFF
  but it will continue to serve :) Maybe we could make something funny with this overflow (?) ;)))
* Many others where I haven't tried this...?

I am attaching a demonstration code (perl) for those who want to check any other servers that might be vulnerable to this.

smiler () vxd org
On Thu, May 18, 2000 at 09:11:33PM +0200, Michal Zalewski wrote:
Not much to say. While performing basic input validation checks in Lotus Domino ESMTP service (see subject) running on the top of Windows NT system
[snip.. ]
I'm running r5.0.2b on a Sun E420R w/ patched up Solaris 7 and got a confirmed kill on one of our notes servers:
application/octet-stream attachment: smtpkill.pl
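The following is an added example, not part of the original post or of the attached smtpkill.pl: a pre-filter that applies the RFC 5321 size limits to SMTP command lines before they reach the mail server, covering both inputs reported in this thread (an oversized domain after `mail from:` and a bare oversized command line). The function name, verb set and sample lines are constructed for illustration.

```python
# Added example: RFC 5321 (section 4.5.3.1) size limits applied to raw SMTP
# command lines in front of a mail server. All names here are illustrative.
import re

MAX_COMMAND_LINE = 512   # octets, including the trailing CRLF
MAX_LOCAL_PART = 64
MAX_DOMAIN = 255
MAX_PATH = 256           # reverse-path / forward-path, including "<" and ">"
# Minimal verb set; extend it with the extensions your server offers.
KNOWN_VERBS = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET",
               b"NOOP", b"QUIT", b"VRFY", b"EXPN", b"HELP"}
PATH_CMD = re.compile(rb"^(MAIL FROM|RCPT TO):\s*<?([^>\s]*)>?", re.I)


def check_command(line: bytes):
    """Return (reply_code, reason) for one raw command line from a client."""
    if len(line) > MAX_COMMAND_LINE:
        return 500, "command line exceeds 512 octets"
    if not line.endswith(b"\r\n"):
        return 500, "command line not terminated by CRLF"
    body = line[:-2]
    if body.split(b" ", 1)[0].upper() not in KNOWN_VERBS:
        return 500, "unrecognised command"
    m = PATH_CMD.match(body)
    if m:
        path = m.group(2)
        local, _, domain = path.rpartition(b"@")
        if len(local) > MAX_LOCAL_PART:
            return 501, "local-part exceeds 64 octets"
        if len(domain) > MAX_DOMAIN:
            return 501, "domain exceeds 255 octets"
        if len(path) + 2 > MAX_PATH:
            return 501, "path exceeds 256 octets"
    return 250, "ok"


# Constructed sample inputs modelled on the two cases reported in this thread.
SAMPLES = {
    "normal": b"MAIL FROM:<someone@example.org>\r\n",
    "long_domain_4k": b"MAIL FROM: someone@" + b"A" * 4096 + b"\r\n",
    "bare_junk_4k": b"B" * 4096 + b"\r\n",
    "long_domain_short_line": b"MAIL FROM:<a@" + b"d" * 300 + b">\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_command(raw))
```

Rejected lines should be logged with the client address, since the post notes that one server recorded the oversized `mail from:` as a DoS attempt.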
Current thread:
- Re: Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl)) Su, Nick (May 20)
- <Possible follow-ups>
- Re: Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl)) SMILER (May 23)