SMTP EXPN buffer overflow can crash or obtain access (SMTP EXPN Buffer Overflow Attempt)

Vuln ID: 888
Risk Level: High
Platforms: IBM AIX, WindRiver BSDOS, SGI IRIX, Linux Kernel, Sun Solaris, IETF SMTP, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, SeattleLab SLMail: 2.6 and prior, Pmail Mercury Mail Server, Apple AppleShare IP Mail Server, Microsoft Windows 98, Novell NetWare, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Cisco IOS, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Apple Mac OS, Microsoft Windows 2003 Server
Description:

Several freeware, shareware, and commercial SMTP servers contain buffer overflows. Overlong arguments to different SMTP commands can cause the SMTP server to crash or to execute arbitrary code, which could lead to a system compromise. For example, the Seattle Lab SLMail SMTP server contains overflows in the VRFY and EXPN commands. The AppleShare, Stalker, and Mercury SMTP servers contain overflows in the HELO command as well. Other lesser-known SMTP servers may also contain overflows.

Remedy:

Determine if your SMTP server is vulnerable to the attack and take appropriate actions depending on the extent of your vulnerability.

Manually test for this vulnerability by connecting to port 25 on your computer and sending the appropriate command (HELO, VRFY, or EXPN) followed by at least 1024 X's. If the SMTP server returns an OK or an error message, then you are not vulnerable. If your connection closes immediately, then the system is most likely vulnerable.
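The manual test above, written out as an added self-check script (this is not code from the original advisory or from any of the vendors listed). It builds the probe line the advisory describes, sends it to a server you administer, and classifies the outcome the way the advisory does: a numbered reply (OK or error) means the server survived, an immediately closed connection means it is most likely vulnerable. Host, port, and the timeout value are assumptions you supply.

```python
import socket

# Commands the advisory names as overflow-prone in the affected servers.
PROBE_COMMANDS = ("HELO", "VRFY", "EXPN")


def build_probe(command, length=1024):
    """Return the line the advisory's manual test sends: COMMAND, a space, `length` X's, CRLF."""
    if command not in PROBE_COMMANDS:
        raise ValueError(f"unexpected command {command!r}")
    return f"{command} {'X' * length}\r\n".encode("ascii")


def classify_response(data):
    """Map what the server sent back (b'' meaning it closed the connection) to the advisory's verdict."""
    if not data:
        # Connection closed without any reply: the advisory's "most likely vulnerable" case.
        return "likely vulnerable"
    first_line = data.split(b"\r\n", 1)[0]
    if len(first_line) >= 3 and first_line[:3].isdigit():
        # Any numbered SMTP reply, 250 OK or a 5xx error alike, means the server survived the input.
        return "not vulnerable"
    return "inconclusive"


def probe_server(host, port=25, command="EXPN", length=1024, timeout=10.0):
    """Connect to your own SMTP server, send one probe line, and return the advisory's verdict.

    host/port/timeout are assumptions supplied by the caller; run this only against systems you own.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.recv(1024)  # consume the 220 greeting banner before sending the probe
        sock.sendall(build_probe(command, length))
        try:
            reply = sock.recv(1024)
        except ConnectionResetError:
            reply = b""  # server dropped the connection: treated as closed
        except socket.timeout:
            return "inconclusive"  # server neither answered nor closed: hung, not clearly crashed
    return classify_response(reply)


if __name__ == "__main__":
    # Example invocation against a hypothetical local test server (assumed host/port).
    print(probe_server("127.0.0.1", 25, "EXPN"))
```

Run it once per command (HELO, VRFY, EXPN) against each SMTP server you operate; a "likely vulnerable" result on any of them is the trigger for the remedy steps that follow.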

If your system is vulnerable, then it may have already been compromised. If the attack was a denial of service attack, restart your SMTP server. Watch for further attacks from the source address. If your system is not vulnerable, then you have not been compromised, but the attack may be a sign of an attacker probing your network for vulnerabilities.
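To "watch for further attacks from the source address", the following added example (not part of the original advisory or of any IDS product) applies the signature's logic to captured SMTP command lines: it flags HELO, VRFY, or EXPN commands whose argument is at least as long as the advisory's 1024-character test string and lists the source addresses to keep an eye on. The sample capture, the threshold, and the record format are constructed for illustration.

```python
# Commands the advisory names; the threshold mirrors its 1024-X manual test.
WATCHED_COMMANDS = {"HELO", "VRFY", "EXPN"}
ARG_LENGTH_THRESHOLD = 1024

# Constructed sample capture: one (source_ip, raw SMTP command line) record per entry.
# Addresses are from documentation ranges; nothing here is a real observation.
SAMPLE_CAPTURE = [
    ("192.0.2.10", b"HELO mail.example.net\r\n"),
    ("192.0.2.10", b"VRFY postmaster\r\n"),
    ("198.51.100.7", b"EXPN " + b"X" * 1024 + b"\r\n"),
    ("198.51.100.7", b"HELO " + b"A" * 2048 + b"\r\n"),
    ("192.0.2.10", b"MAIL FROM:<alice@example.net>\r\n"),
]


def parse_command(line):
    """Split a raw SMTP command line into (VERB, argument bytes)."""
    text = line.rstrip(b"\r\n")
    parts = text.split(b" ", 1)
    verb = parts[0].upper().decode("ascii", "replace")
    arg = parts[1] if len(parts) > 1 else b""
    return verb, arg


def find_overflow_attempts(capture, threshold=ARG_LENGTH_THRESHOLD):
    """Return one finding per watched command whose argument length meets the threshold."""
    findings = []
    for src, line in capture:
        verb, arg = parse_command(line)
        if verb in WATCHED_COMMANDS and len(arg) >= threshold:
            findings.append({"src": src, "command": verb, "arg_len": len(arg)})
    return findings


def sources_to_watch(findings):
    """Distinct source addresses that produced at least one finding, sorted for stable reporting."""
    return sorted({f["src"] for f in findings})


if __name__ == "__main__":
    hits = find_overflow_attempts(SAMPLE_CAPTURE)
    for hit in hits:
        print(f"{hit['src']}: {hit['command']} with {hit['arg_len']}-byte argument")
    print("watch:", ", ".join(sources_to_watch(hits)))
```

Legitimate HELO, VRFY, and EXPN arguments are short host or mailbox names, so a threshold in the hundreds of bytes would also be reasonable; the 1024 figure simply matches the advisory's own test.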

Required Permission:
Additional Information:

References:

BugTraq Mailing List, Wed, 11 Mar 1998 20:44:56 -0500
SLMail 2.6 DoS
http://archives.neohapsis.com/archives/bugtraq/1998_1/0380.html

BugTraq Mailing List, Wed, 8 Apr 1998 07:10:25 -0400
smtp overflows
http://archives.neohapsis.com/archives/bugtraq/1998_2/0046.html

BugTraq Mailing List, Wed, 8 Apr 1998 12:34:09 +0800
Re: AppleShare IP Mail Server
http://archives.neohapsis.com/archives/bugtraq/1998_2/0040.html

BugTraq Mailing List, Wed, 8 Apr 1998 13:11:17 +1200
AppleShare IP Mail Server
http://archives.neohapsis.com/archives/bugtraq/1998_2/0039.html

Seattle Labs, Inc. Web site
SLMAIL
http://www.seattlelab.com/index.asp?page=http://www.seattlelab.com/slmail/*

ISS X-Force
SMTP EXPN buffer overflow can crash or obtain access
http://www.iss.net/security_center/static/888.php

CVE CVE-1999-0531
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0531
