QK SMTP Server 'RCPT TO' Command Lets Remote Users Deny Service
SecurityTracker Alert ID: 1017114
SecurityTracker URL: http://securitytracker.com/id?1017114
CVE Reference: CVE-2006-5551
Updated: Jun 2 2008
Original Entry Date: Oct 25 2006
Impact: Denial of service via network
Exploit Included: Yes
Version(s): 3.01 and prior versions
Description: A vulnerability was reported in QK SMTP Server. A remote user can cause denial of service conditions.
A remote user can send a specially crafted RCPT TO command to trigger a format string flaw and cause the target service to crash.
It may be possible to execute arbitrary code [however, the report did not confirm remote code execution].
A demonstration exploit is available at:
http://www.milw0rm.com/exploits/2625
Greg Linares reported this vulnerability.
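
The flaw class named in the description, as an added example (not QK SMTP Server code and not part of the original alert). It assumes the RCPT TO argument reaches a printf-family call as the format string; the function names and the character-set policy are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The vulnerable form below is intentional; silence the compiler's warning. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* Hypothetical handler, NOT QK SMTP Server code: the client-supplied
 * RCPT TO argument is passed as the format string itself. */
int log_rcpt_vulnerable(char *out, size_t n, const char *rcpt) {
    return snprintf(out, n, rcpt);        /* BUG: client controls the format */
}

/* Hardened form: constant format string, client input is only ever data. */
int log_rcpt_safe(char *out, size_t n, const char *rcpt) {
    return snprintf(out, n, "%s", rcpt);
}

/* Defence in depth: bound the length and accept only a conservative
 * mailbox character set (an assumed policy for this example). */
int rcpt_is_acceptable(const char *rcpt) {
    size_t len = strlen(rcpt);
    if (len == 0 || len > 256) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)rcpt[i];
        if (!(isalnum(c) || strchr("@.-_+<>", c))) return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed input: "%%" is a conversion that consumes no argument, so it
     * shows that the input is interpreted without any undefined behaviour. */
    const char *rcpt = "<user%%name@example.test>";
    char a[64], b[64];
    log_rcpt_vulnerable(a, sizeof a, rcpt);
    log_rcpt_safe(b, sizeof b, rcpt);
    printf("vulnerable: %s\n", a);        /* one '%' left: input was parsed */
    printf("safe:       %s\n", b);        /* input copied byte for byte */
    printf("accepted:   %d\n", rcpt_is_acceptable(rcpt));
    return 0;
}
```

Building with -Wformat -Werror=format-security turns the vulnerable call into a compile error once the pragma is removed.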
Impact: A remote user can cause denial of service conditions.
Solution: No solution was available at the time of this entry.
[Editor's note: A third party has reported that version 3.1 Beta is not vulnerable. However, the vendor's web site does not acknowledge this.]
Vendor URL: www.qksoft.com/qk-smtp-server/
Cause: Input validation error, State error
Underlying OS: Windows (Any)

Message History:
None.

Source Message Contents
Date: Tue, 24 Oct 2006 21:37:27 -0400
Subject: 0-day RCPT TO DoS Exploit for QK SMTP version 3.01 and lower.
http://www.milw0rm.com/exploits/2625