COMMAND

    NTmail (Internet Shopper Ltd's NTMail Server version 4.00.0020)

SYSTEMS AFFECTED

    Win NT 4.0 with NTMail Server version 4.00.0020

PROBLEM

    Mnemonix found following.  A remote attacker can cause a denial of
    service whereby they telnet to the SMTP port and issue the  "vrfy"
    or "rcpt  to:" command  followed by  1040 or  more characters.  It
    seems that other commands do not exhibit this problem.  The effect
    of this is not  apparent at first; there  is no CPU usage  rise or
    any  other  side  affect  usually  associated with NT DoS attacks.
    However, when you  attempt reconnect to  the SMTP port  the server
    reports that  it is  too busy  and the  connection is  lost.   The
    server never recovers and still reports 24 hours later that it  is
    still too busy. The service needs to be stopped and restarted.

    It is interesting also to note that depending on the length of the
    string  (1040  chars  +  n  chars)  that  follows  the  two faulty
    commands, sometimes, when  the service is  stopped a memory  error
    occurs in  the smtp.exe  process causing  the default  debugger to
    kick in.   Depending upon what  the default debugger  has been set
    to, it could lead to an attacker getting administrative rights.

SOLUTION

    None known yet. The vendor has been informed.