[VulnWatch] ISMAIL (All Versions) Remote Buffer Overrun

From: NGSSoftware Insight Security Research (markat_private)
Date: Thu Feb 27 2003 - 15:45:17 PST


    NGSSoftware Insight Security Research Advisory
    
    Name:              ISMAIL v 1.25 & v 1.4.3 Remote Buffer Overrun
    Systems Affected:  WinNT, Win2K, XP
    Severity:          High Risk
    Category:          Remote Buffer Overrun
    Vendor URL:        http://instantservers.com/ismail.html
    Author:            Mark Litchfield (markat_private)
    Date:              27th February 2003
    Advisory number:   #NISR27022003
    
    
    Vendor Description
    ******************
    
    ISMail is a powerful yet easy to use mail server for Windows
    95/98/ME/NT/2000 & XP.  It supports a complete email service for both home
    and office use, and runs on a dedicated or a shared machine.
    
    
    Details
    *******
    
    There exists a buffer overrun vulnerability in the SMTP service offered by
    ISMAIL.  By supplying a long domain name in either the MAIL FROM: or
    RCPT TO: value, an attacker can overwrite the saved return address on the
    stack.  As ISMAIL runs under the LOCALSYSTEM account, any code supplied by
    an attacker and executed on the server will run with SYSTEM privileges.  If
    no code is supplied, ISMAIL simply crashes, leaving a file in the outgoing
    message folder that triggers the same error again as soon as ISMail is
    restarted.
    
    Fix Information
    ***************
    The vendor has fixed the problem as follows:
    
    ISMail 1.4.5 (and subsequent versions) accepts domain names up to 255
    characters in length. Domain names exceeding this length in the 'mail from'
    and 'rcpt to' commands will result in a response of '501 Syntax error in
    parameters'.
    Further, SMTP 'mail from' and 'rcpt to' command lines exceeding 1024
    characters (including the CRLF) will result in a response of '500 Line too
    long'.
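    The two limits above are the whole of the fix, so they are worth seeing as
    code. The following C example is added here and is not ISMail's source or
    NGSSoftware's code: it contrasts the bug class (an unbounded copy of the
    domain into a fixed stack buffer, shown in unsafe_copy_domain and never
    called) with a hardened command-line check that enforces the 1024-byte line
    limit and the 255-byte domain limit, returning the reply codes quoted in the
    advisory, before any copy takes place. The reply strings other than 500 and
    501, the helper names and the sample addresses are assumptions for the
    example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Limits taken from the advisory's description of the ISMail 1.4.5 fix. */
#define MAX_LINE_LEN   1024   /* whole command line, CRLF included */
#define MAX_DOMAIN_LEN 255    /* domain part after '@' */

/* Constructed illustration of the bug class, NOT ISMail's code: an
   unbounded copy of an attacker-controlled domain into a fixed stack
   buffer. A domain longer than the buffer overwrites what follows it on
   the stack, including the saved return address. Never called here. */
void unsafe_copy_domain(const char *domain)
{
    char buf[256];
    strcpy(buf, domain);          /* no length check: stack overrun */
    printf("domain=%s\n", buf);
}

/* Case-insensitive prefix test (SMTP verbs are case-insensitive). */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Hardened handling modelled on the fixed behaviour: check the line
   length, then the domain length, and reject with the advisory's SMTP
   reply codes before anything is copied into a fixed-size buffer. */
const char *check_smtp_address_line(const char *line)
{
    char domain[MAX_DOMAIN_LEN + 1];
    const char *lt, *at, *gt;
    size_t domain_len;

    /* 1024-byte limit, CRLF included, applied to the raw line first. */
    if (strlen(line) > MAX_LINE_LEN)
        return "500 Line too long";

    /* Only the two commands the advisory is about. */
    if (!has_prefix_ci(line, "MAIL FROM:") && !has_prefix_ci(line, "RCPT TO:"))
        return "500 Syntax error, command unrecognized";

    lt = strchr(line, '<');
    gt = lt ? strchr(lt, '>') : NULL;
    if (!lt || !gt)
        return "501 Syntax error in parameters";

    /* "MAIL FROM:<>" (null reverse-path) is legal SMTP: no domain to check. */
    if (gt == lt + 1)
        return "250 OK";

    at = memchr(lt, '@', (size_t)(gt - lt));
    if (!at)
        return "501 Syntax error in parameters";

    domain_len = (size_t)(gt - at - 1);
    if (domain_len == 0 || domain_len > MAX_DOMAIN_LEN)
        return "501 Syntax error in parameters";

    /* Length is now bounded, so the copy into the fixed buffer is safe. */
    memcpy(domain, at + 1, domain_len);
    domain[domain_len] = '\0';
    return "250 OK";
}

/* Experiment helper: build "<cmd><user@" + n copies of 'a' + ">\r\n" and
   return the reply. n is capped so the static buffer cannot overflow. */
const char *reply_for_domain_len(const char *cmd, size_t n)
{
    static char line[2048];
    size_t pos;
    if (n > 1500)
        n = 1500;
    pos = (size_t)snprintf(line, sizeof line, "%s<user@", cmd);
    memset(line + pos, 'a', n);
    pos += n;
    memcpy(line + pos, ">\r\n", 4);   /* copies the terminating NUL too */
    return check_smtp_address_line(line);
}

int main(void)
{
    printf("%s\n", reply_for_domain_len("MAIL FROM:", 20));    /* 250 OK */
    printf("%s\n", reply_for_domain_len("RCPT TO:", 300));     /* 501 ... */
    printf("%s\n", reply_for_domain_len("MAIL FROM:", 1100));  /* 500 ... */
    return 0;
}
```

    The order of the checks matters: the line-length test runs on the raw
    input before the address is even parsed, so a 1100-byte line is refused
    with 500 rather than reaching the domain check, and a line that fits in
    1024 bytes but carries a 300-byte domain is refused with 501.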
    
    The fix is available from http://instantservers.com/download/ism145.exe
    Although this is a BETA release, if you are running ISMAIL version 1.4.3 or
    below, NGS recommends upgrading to the BETA version to protect yourself from
    possible attacks.
    
    I would like to add that the vendors of ISMAIL reproduced, fixed and made a
    patch available within 48 hours of notification.
    
    A check for these issues has been added to Typhon II; more information is
    available from the NGSSoftware website, http://www.ngssoftware.com.
    
    Further Information
    *******************
    
    For further information about the scope and effects of buffer overflows,
    please see
    
    http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
    http://www.ngssoftware.com/papers/ntbufferoverflow.html
    http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    http://www.ngssoftware.com/papers/unicodebo.pdf
    