SMTP HELO buffer overflow can crash or obtain access
smtp-helo-bo (886)
Description:
Overly long arguments to several SMTP commands can overflow a buffer in the SMTP server, causing it to crash or to execute arbitrary code that could lead to a system compromise. For example, the Seattle Lab SLMail SMTP server software contains overflows in the VRFY and EXPN commands. AppleShare, Stalker, and Mercury SMTP servers contain overflows in the HELO command. Other lesser-known SMTP servers may also contain overflows.
Platforms Affected:
- Apple, AppleShare IP Mail Server
- Apple, Mac OS
- Cisco, IOS
- Compaq, Tru64
- Data General, DG/UX
- HP, HP-UX
- IBM, AIX
- IBM, OS2
- IETF, SMTP
- Ipswitch, IMail Server 5.0
- Linux, Kernel
- Microsoft, Windows 2000
- Microsoft, Windows 2003 Server
- Microsoft, Windows 95
- Microsoft, Windows 98
- Microsoft, Windows 98SE
- Microsoft, Windows Me
- Microsoft, Windows NT 4.0
- Microsoft, Windows XP
- Novell, NetWare
- Pmail, Mercury Mail Server
- SCO, SCO Unix
- SeattleLab, SLMail 2.6 and prior
- SGI, IRIX
- Sun, Solaris
- WindRiver, BSDOS
Remedy:
Determine if your SMTP server is vulnerable to the attack and take appropriate actions depending on the extent of your vulnerability.
Manually test for this vulnerability by connecting to port 25 on your computer and sending the appropriate command (HELO, VRFY, or EXPN), followed by at least 1024 X's. If the SMTP server returns an OK or an error message, then you are not vulnerable. If your connection closes immediately, then the system is most likely vulnerable.
If your system is vulnerable, then it may have already been compromised. If the attack was a denial-of-service attack, restart your SMTP server. Watch for further attacks from the source address. If your system is not vulnerable, then you have not been compromised, but the attack may be a sign of an attacker probing your network for vulnerabilities.
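To support the advice above to watch for further attacks from the source address, the following Python script (an added example, not part of the original advisory) flags overlong or filler-padded HELO, EHLO, VRFY and EXPN commands in an SMTP command log and groups them by source. The log line format, the 64-character run threshold, and the sample entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# RFC 5321 section 4.5.3.1.4: a command line, including CRLF, is at most 512 octets.
MAX_COMMAND_LINE = 512
# Commands the advisory names as overflow vectors (EHLO is the ESMTP form of HELO).
WATCHED = {"HELO", "EHLO", "VRFY", "EXPN"}

# Constructed log format (an assumption): "<timestamp> <source IP> <raw command line>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def is_filler(arg, min_run=64):
    """True if the argument contains a long run of one repeated character ('XXXX...')."""
    return re.search(r"(.)\1{%d,}" % (min_run - 1), arg) is not None

def scan(log_lines):
    """Return {source_ip: [(timestamp, verb, arg_len, reason), ...]} for suspicious commands."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LINE_RE.match(line.rstrip("\r\n"))
        if not m:
            continue  # not in the assumed format
        ts, src, cmd = m.groups()
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb not in WATCHED:
            continue
        reasons = []
        if len(cmd) + 2 > MAX_COMMAND_LINE:  # +2 for the CRLF the logger stripped
            reasons.append("exceeds RFC 5321 512-octet line limit")
        if is_filler(arg):
            reasons.append("long single-character run")
        if reasons:
            hits[src].append((ts, verb, len(arg), "; ".join(reasons)))
    return dict(hits)

# Constructed sample input; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2024-01-01T07:10:25Z 192.0.2.10 HELO mail.example.org",
    "2024-01-01T07:11:02Z 198.51.100.7 HELO " + "X" * 1024,
    "2024-01-01T07:11:09Z 198.51.100.7 VRFY " + "X" * 1024,
    "2024-01-01T07:12:40Z 192.0.2.10 EXPN staff",
    "2024-01-01T07:13:00Z 203.0.113.5 MAIL FROM:<" + "a" * 600 + "@example.org>",
]

if __name__ == "__main__":
    for src, events in scan(SAMPLE_LOG).items():
        for ts, verb, n, why in events:
            print(f"{src} {ts} {verb} arg_len={n}: {why}")
```

A source that appears here and whose connection was followed by a server restart or dropped session is the one to correlate against the manual test result described above.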
Consequences:
Gain Access
References:
- BugTraq Mailing List, Wed, 11 Mar 1998 20:44:56 -0500, SLMail 2.6 DoS at http://archives.neohapsis.com/archives/bugtraq/1998_1/0380.html.
- BugTraq Mailing List, Wed, 8 Apr 1998 07:10:25 -0400, smtp overflows at http://archives.neohapsis.com/archives/bugtraq/1998_2/0046.html.
- BugTraq Mailing List, Wed, 8 Apr 1998 12:34:09 +0800, Re: AppleShare IP Mail Server at http://archives.neohapsis.com/archives/bugtraq/1998_2/0040.html.
- BugTraq Mailing List, Wed, 8 Apr 1998 13:11:17 +1200, AppleShare IP Mail Server at http://archives.neohapsis.com/archives/bugtraq/1998_2/0039.html.
- Seattle Labs, Inc. Web site, SLmail Overview at http://www.seattlelabs.com/slmail/.
- BID-61: AppleShare IP Mail Server Buffer Overflow Vulnerability
- BID-62: Stalker Internet Mail Server Buffer Overflow Vulnerability
- BID-8555: Microsoft Exchange Server SMTP HELO Argument Buffer Overflow Vulnerability
- BID-8621: Ipswitch Imail Server SMTP HELO Argument Buffer Overflow Vulnerability
- CVE-1999-0098: Buffer overflow in SMTP HELO command in Sendmail allows a remote attacker to hide activities.
- CVE-1999-0284: Denial of service to NT mail servers including Ipswitch, Mdaemon, and Exchange through a buffer overflow in the SMTP HELO command.
- CVE-1999-0531: An SMTP service supports EXPN, VRFY, HELP, ESMTP, and/or EHLO.
- CVE-1999-1015: Buffer overflow in Apple AppleShare Mail Server 5.0.3 on MacOS 8.1 and earlier allows a remote attacker to cause a denial of service (crash) via a long HELO command.
- CVE-1999-1504: Stalker Internet Mail Server 1.6 allows a remote attacker to cause a denial of service (crash) via a long HELO command.
Reported:
Mar 11, 1998
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
