Date: Thu, 4 Feb 1999 13:51:32 -0800From: Marc To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COMSubject: Multiple SLMail Vulnerabilities ________________________________________________________________________ eEye Digital Security Team www.eEye.cominfo@eEye.comFebruary 04, 1999 ________________________________________________________________________ Multiple SLMail VulnerabilitiesSystems AffectedSLMail 3.1Release Date February 04, 1999Advisory CodeAD02041999 ________________________________________________________________________ Description: ________________________________________________________________________ We were once again grinding software through Retina Alpha code and have found the following. One of the ports that SLMail's POP Service listens on is port 27. It provides ESMTP functionality. The only difference between it and SLMail's SMTP service is that port 27 provides the "turn" functions. All vulnerabilities are based off of the port 27 service. The first vulnerability involves the "helo" command. There are two vulnerabilities within it. The first is sending "helo" followed by 819 to 849 characters. This will send the servers CPU to idle around 90%. The second vulnerability in the "helo" command is a buffer overflow. If you issue "helo" followed by 855 to 2041 characters the server will crash with your typical overflow error. The second set of vulnerabilities are with the "vrfy" and "expn" commands. We have not tested to find the start and stop string lengths but sending "vrfy" or "expn" with 2041 characters will cause the SLMail.exe to exititself. So we can either send the CPU to 90%, overflow some buffers, or have the server exit without a trace. Take your pick. ________________________________________________________________________ Vendor Status ________________________________________________________________________ We gave SeattleLabs a week. We have no reply so far. Contact them directly and maybe they will respond. ________________________________________________________________________ Copyright (c) 1999 eEye Digital Security Team ________________________________________________________________________ Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission. ________________________________________________________________________ Disclaimer: ________________________________________________________________________ The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.Please send suggestions, updates, and comments to: eEye Digital Security Teaminfo@eEye.comhttp://www.eEye.com ------------------------------------------------------------------------------------- Date: Thu, 4 Feb 1999 23:58:24 GMTFrom: Lee Thompson To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COMSubject: Multiple SLMail Vulnerabilities We are working on a fix and will be including it in our SLmail 3.2 maintenance release._Lee Thompson lt@seattlelab.com Seattle Lab Inc. http://www.seattlelab.comProduct Manager