COMMAND

    SLMail

SYSTEMS AFFECTED

    SLMail 3.1

PROBLEM

    Following is based on eEye Digital Security Advisory.  One of  the
    ports  that  SLMail's  POP  Service  listens  on  is  port 27.  It
    provides ESMTP functionality.  The only difference between it  and
    SLMail's  SMTP  service  is  that  port  27  provides  the  "turn"
    functions.   All  vulnerabilities  are  based  off  of the port 27
    service.

    The first vulnerability involves the "helo" command. There are two
    vulnerabilities within it.   The first is sending  "helo" followed
    by 819 to 849 characters.  This will send the servers CPU to  idle
    around 90%.  The second  vulnerability in the "helo" command  is a
    buffer  overflow.  If  you  issue  "helo"  followed by 855 to 2041
    characters the server will crash with your typical overflow error.

    The second set of vulnerabilities  are with the "vrfy" and  "expn"
    commands.  eEye  hasn't tested to  find the start  and stop string
    lengths but  sending "vrfy"  or "expn"  with 2041  characters will
    cause the SLMail.exe to  exit itself.  So  we can either send  the
    CPU to 90%, overflow some buffers, or have the server exit without
    a trace. Take your pick.

SOLUTION

    SLMail team is  eliminating this port  entirely.  "The  ETRN port"
    is actually  legacy code,  and as  of today  the replacement piece
    has cleared it's  first major hurtle  and is in  alpha testing (at
    time of writing).