ID CVE-2006-2659
Summary libs/comverp.c in Courier MTA before 0.53.2 allows attackers to cause a denial of service (CPU consumption) via unknown vectors involving usernames that contain the "=" (equals) character, which is not properly handled during encoding.
References
Vulnerable Configurations
  • cpe:2.3:a:double_precision_incorporated:courier_mta:0.37.3
  • cpe:2.3:a:double_precision_incorporated:courier_mta:0.38.1
  • cpe:2.3:a:double_precision_incorporated:courier_mta:0.40
  • cpe:2.3:a:double_precision_incorporated:courier_mta:0.43
  • cpe:2.3:a:double_precision_incorporated:courier_mta:0.43.1
  • cpe:2.3:a:double_precision_incorporated:courier_mta:0.43.2
  • cpe:2.3:a:double_precision_incorporated:courier_mta:0.44
  • cpe:2.3:a:double_precision_incorporated:courier_mta:0.44.2
CVSS
Base: 7.8 (as of 30-05-2006 - 15:14)
Impact:
Exploitability:
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality NONE
  • Integrity NONE
  • Availability COMPLETE
metasploit via4
description This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw is due to the way TFTP handles the filename parameter extracted from a WRQ request. The server will append the user-supplied filename to TFTP server binary's path without any bounds checking, and then attempt to check this path with a fopen(). Since this isn't a valid file path, fopen() returns null, which allows the corrupted data to be used in a strcmp() function, causing an access violation. Since the offset is sensitive to how the TFTP server is launched, you must know in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone', and then manually select your target accordingly. A successful attempt will lead to remote code execution under the context of SYSTEM if run as a service, or the user if run as a standalone. A failed attempt will result in a denial-of-service.
id MSF:EXPLOIT/WINDOWS/TFTP/TFTPSERVER_WRQ_BOF
last seen 2019-03-25
modified 2017-07-24
published 2012-04-20
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/tftp/tftpserver_wrq_bof.rb
title TFTP Server for Windows 1.4 ST WRQ Buffer Overflow
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200608-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-200608-06 (Courier MTA: Denial of Service vulnerability) Courier MTA has fixed a security issue relating to usernames containing the '=' character, causing high CPU utilization. Impact : An attacker could exploit this vulnerability by sending a specially crafted email to a mail gateway running a vulnerable version of Courier MTA. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 22148
    published 2006-08-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22148
    title GLSA-200608-06 : Courier MTA: Denial of Service vulnerability
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-294-1.NASL
    description A Denial of Service vulnerability has been found in the function for encoding email addresses. Addresses containing a '=' before the '@' character caused the Courier to hang in an endless loop, rendering the service unusable. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27866
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27866
    title Ubuntu 5.04 / 5.10 / 6.06 LTS : courier vulnerability (USN-294-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1101.NASL
    description A bug has been discovered in the Courier Mail Server that can result in a number of processes consuming arbitrary amounts of CPU power.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 22643
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22643
    title Debian DSA-1101-1 : courier - programming error
refmap via4
bid 18345
confirm
debian DSA-1101
gentoo GLSA-200608-06
sectrack 1016248
secunia
  • 20519
  • 20548
  • 20792
  • 21350
ubuntu USN-294-1
vupen ADV-2006-2214
xf courier-usernames-dos(26998)
Last major update 20-09-2011 - 22:05
Published 30-05-2006 - 15:02
Last modified 03-10-2018 - 17:41