[NEWS] Buffer Overflow in iSMTP Gateway

From: support@securiteam.com
Date: 11/24/02

  • Next message: support@securiteam.com: "[NEWS] Multiple phpNuke Modules Vulnerable to Cross-Site Scripting" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 24 Nov 2002 20:26:15 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Buffer Overflow in iSMTP Gateway
    ------------------------------------------------------------------------

    SUMMARY

    The <http://www.incognito.com/> iSMTP gateway runs only on the Banyan
    VINES operating system (or Banyan ST4NT). Banyan ceased any further
    development on VINES 2 years ago and has refused to provide any support on
    the product for well over a year. Ten years ago when the iSMTP software
    was written it was used by virtually every member of the Fortune 1000,
    most Universities world-wide and the entire U.S. military. A buffer
    overflow vulnerability in the product allows remote attackers to cause it
    to crash.

    DETAILS

    Vulnerable systems:
     * iSMTP version 5.0.1

    If a user sends an overly long MAIL FROM: command, the server responds
    with a 'Command Unrecognized' response and subsequently crashes. K. K.
    Mookhey speculates that this probably happens when the system tries to
    make an entry into the log file or something else of that nature. Since
    the system is able to give a valid response before crashing implies that
    the buffer overflow probably takes place at some later stage of processing
    the input. K. K. Mookhey does not yet know the exact length of the string
    that needs to follow the MAIL FROM: command in order to crash the
    software. K. K. Mookhey used a string which consisted of about 4000 'A's.

    Vendor Response:
    The vendor notified us that they have been unable to replicate the error
    in the latest version of the software, which is available from
    <ftp://ftp.incognito.com> ftp://ftp.incognito.com. Therefore any users of
    iSMTP should verify this for themselves and in the case they are
    vulnerable upgrade.

    Suggested Workarounds:
    In case, you are not using the latest version of the software, K. K.
    Mookhey strongly urges you to upgrade. More information on this can be
    obtained from customer support at Incognito.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:cto@nii.co.in> K. K.
    Mookhey.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.