Bugtraq mailing list archives

Re: Lotus ESMTP Service (Lotus Domino Release 5.0.1 (Intl))


From: smiler () VXD ORG (SMILER)
Date: Tue, 23 May 2000 13:15:42 +0100


Well, I tried this on:

* Lotus Domino ESMTP Services running Version 5.0.3 (Intl) and smtp died 
also after mail from: someone@4k_junk 

* Lotus Domino ESMTP version 5.0.2 (Intl) is also vulnerable to this.

* I also tried this against Version 5.0.2c (Intl) without success in DOS so 
I assume that 5.0.2c(Intl) is not vulnerable. 

* Merak Server Version 2.10.270 is also not vulnerable. 

* CMail Server version 2.4.6 is not vulnerable to mail from: someone@4k_junk 
BUT is vulnerable to something_4k_junk ! In fact this software even logs 
"mail from: someone@4k_junk" as a DOS attempt but crashes when you just send 
something_4k_junk ! 

* Argosoft Mail Server version 1.2.1.0 doesn't crash with "mail from: 
someon@4k:_junk" but after some messages it will log : Error: Access 
violation at address 00459CBB in module 'MAILSERVER.EXE'. Read of address 
FFFFFFFF but it will continue to serve :) Maybe we could make something 
funny with this overflow (?) ;))) 

* Many others where I haven't tried this...?

I am attaching demonstration code (Perl) for those who want to check any other 
servers that might be vulnerable to this. 

smiler () vxd org 

On Thu, May 18, 2000 at 09:11:33PM +0200, Michal Zalewski wrote: 
Not much to say. While performing basic input validation checks in Lotus 
Domino ESMTP service (see subject) running on the top of Windows NT 
system 
[snip.. ] 

I'm running r5.0.2b on a Sun E420R w/ patched up Solaris 7 and got a 
confirmed kill on one of our notes servers: 

Attachment: smtpkill.pl (application/octet-stream)
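
The two failure cases reported above (an oversized MAIL FROM argument, and an oversized line that is not a command at all) both come down to a receiver accepting more octets than it has bounded. The following is an added example, not part of the original post or its attachment: a C check that a server could apply to each received line before any handler copies it, using the size limits from RFC 5321 section 4.5.3.1. The function name and return convention are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Size limits from RFC 5321 section 4.5.3.1, in octets. */
#define SMTP_MAX_LINE  512  /* whole command line, CRLF included */
#define SMTP_MAX_PATH  256  /* reverse-path, angle brackets included */
#define SMTP_MAX_LOCAL  64  /* local-part, left of '@' */

/* Hypothetical helper (name and return convention are assumptions).
 * buf holds len raw octets read from the client, not NUL-terminated.
 * Returns 0 to accept the line, -1 if more data is needed, or the SMTP
 * reply code to send: 500 line too long, 501 bad MAIL FROM argument. */
int smtp_check_line(const char *buf, size_t len)
{
    size_t scan = len < SMTP_MAX_LINE ? len : SMTP_MAX_LINE;
    size_t eol = 0;
    int found = 0;

    /* Search for CRLF only inside the first 512 octets. */
    for (size_t i = 0; i + 1 < scan && !found; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n') { eol = i; found = 1; }
    if (!found)
        return len >= SMTP_MAX_LINE ? 500 : -1;

    /* The bound above holds for any input, recognised verb or not.
     * The remaining checks apply to MAIL FROM only. */
    if (eol < 10 || strncasecmp(buf, "MAIL FROM:", 10) != 0)
        return 0;

    const char *path = buf + 10;
    size_t plen = eol - 10;
    while (plen > 0 && *path == ' ') { path++; plen--; }  /* tolerate "from: x" */
    const char *sp = memchr(path, ' ', plen);   /* ESMTP parameters may follow */
    if (sp != NULL)
        plen = (size_t)(sp - path);
    if (plen == 0 || plen > SMTP_MAX_PATH)
        return 501;

    const char *local = (*path == '<') ? path + 1 : path;
    const char *at = memchr(local, '@', plen - (size_t)(local - path));
    if (at != NULL && (size_t)(at - local) > SMTP_MAX_LOCAL)
        return 501;
    return 0;
}
```

Because the line-length bound is applied before the verb is inspected, input that never forms a valid command is rejected by the same path as an oversized MAIL FROM.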

