SMTP EXPN buffer overflow can crash or obtain access |
---|
Risk Level: | High | Check or Attack Name: SMTP EXPN Buffer Overflow Attempt |
---|---|---|
Platforms: | SLMail: v2.6 or earlier, Mercury Mail Server, AppleShare IP Mail Server | |
Description: | Several freeware, shareware, and commercial SMTP servers contain buffer overflows. Different SMTP commands can cause the SMTP server to crash or to execute arbitrary byte-code that could lead to a system compromise. For example, the Seattle Lab SLMail SMTP server contains overflows in the VRFY and EXPN commands. AppleShare, Stalker, and Mercury SMTP servers contain overflows in the HELO command as well. Other lesser-known SMTP servers may also contain overflows. |
|
Remedy: | Determine if your SMTP server is vulnerable to the attack and take appropriate actions depending on the extent of your vulnerability. You can use Internet Scanner to determine if your SMTP server is vulnerable. If the "Sendmail outdated" or "SMTP Host possibly vulnerable" messages appear, then one or more hosts on your network are vulnerable. Alternatively, you can manually test by connecting to port 25 on your machine and sending the appropriate command (HELO, VRFY, or EXPN) followed by at least 1024 X's. If the SMTP server returns an OK or an error message, then you are not vulnerable. If your connection closes immediately, then the system is most likely vulnerable. If your system is vulnerable, then it may have already been compromised. If the attack was a denial of service attack, restart your SMTP server. Watch for further attacks from the source address. If your machine is not vulnerable, then you have not been compromised, but the attack may be a sign of an attacker probing your network for vulnerabilities. |
|
References: | BUGTRAQ Mailing List, Steven (steven@EFNI.COM), SLMail 2.6 DoS, http://geek-girl.com/bugtraq/1998_1/0380.html; BUGTRAQ Mailing List, Jon Beaton (steven@EFNI.COM), smtp overflows, http://geek-girl.com/bugtraq/1998_2/0046.html; BUGTRAQ Mailing List, David Luyer (luyer@UCS.UWA.EDU.AU), Re: AppleShare IP Mail Server, http://geek-girl.com/bugtraq/1998_2/0040.html; BUGTRAQ Mailing List, Chris Wedgwood (chris@CYBERNET.CO.NZ), AppleShare IP Mail Server, http://geek-girl.com/bugtraq/1998_2/0039.html; Seattle Labs, Inc., SLmail Overview, http://www.seattlelabs.com/slmail/ |
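
To act on "Watch for further attacks from the source address", the added example below (not part of the original advisory or of any product it names) scans captured SMTP command lines for HELO, VRFY or EXPN arguments at or above the 1024-character length used in the manual test, and tallies alerts per source. The log format, function names and sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Commands the advisory names as overflow vectors.
WATCHED = {"HELO", "VRFY", "EXPN"}

# Threshold taken from the advisory's manual test (1024 characters).
# Assumption: a site may lower it, since RFC 5321 sets the base
# command-line limit at 512 octets.
MAX_ARG = 1024

# Constructed (hypothetical) log format: "<source-ip> <raw SMTP command line>"
LINE_RE = re.compile(r"^(\S+) ([A-Za-z]{4})(?: (.*))?$", re.S)


def scan(lines, max_arg=MAX_ARG):
    """Return (source, command, argument_length) for each oversized argument."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\r\n"))
        if not m:
            continue  # not a four-letter SMTP verb in the expected format
        src, verb, arg = m.group(1), m.group(2).upper(), m.group(3) or ""
        if verb in WATCHED and len(arg) >= max_arg:
            alerts.append((src, verb, len(arg)))
    return alerts


def sources_to_watch(alerts):
    """Count alerts per source address so repeat offenders stand out."""
    return Counter(src for src, _, _ in alerts)


# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE = [
    "192.0.2.10 HELO mail.example.org",
    "192.0.2.10 EXPN staff",
    "198.51.100.7 EXPN " + "X" * 1024,
    "198.51.100.7 vrfy " + "X" * 2000,   # verbs are case-insensitive
    "203.0.113.5 HELO " + "X" * 1023,    # just under the advisory threshold
    "203.0.113.5 MAIL FROM:<a@example.org>",
]

if __name__ == "__main__":
    for src, verb, length in scan(SAMPLE):
        print(f"ALERT {src} {verb} argument length {length}")
    print(dict(sources_to_watch(scan(SAMPLE))))
```
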