[NT] ISMail Remote Buffer Overrun

From: support@securiteam.com
Date: 03/12/03

  • Next message: support@securiteam.com: "[NEWS] Lotus Notes/Domino R6-beta PROTOS LDAP Denial of Service Regression" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 12 Mar 2003 19:53:16 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      ISMail Remote Buffer Overrun
    ------------------------------------------------------------------------

    SUMMARY

     <http://instantservers.com/ismail.html> ISMail is a powerful yet easy to
    use mail server for Windows 95/98/ME/NT/2000 & XP. It supports complete
    email service for both home and office use, and runs on a dedicated or a
    shared machine. A buffer overflow vulnerability in the product allows
    attackers to cause the product to execute arbitrary code.

    DETAILS

    Vulnerable systems:
     * ISMail version 1.25
     * ISMail version 1.4.3

    Immune systems:
     * ISMail version 1.4.5

    There exists a buffer-overrun vulnerability in the SMTP service offered by
    ISMail. By supplying long Domain name values in either the "MAIL FROM:" or
    "RCPT TO:" values, an attacker can overwrite the saved returned return
    address on the stack. As ISMail runs as a LOCALSYSTEM account, any
    arbitrary code executed on the server being passed by an attacker will run
    with system privileges. If no code is supplied, ISMail will simply crash
    leaving a file in the outgoing message folder that will immediately
    trigger the error once ISMail is restarted.

    Fix Information:
    The vendor has fixed the problems using the following:

    ISMail 1.4.5 (and subsequent versions) accept domain names up to 255
    characters in length. Domain names exceeding this length in the 'mail
    from' and 'rcpt to' commands will result in a response of: '501 Syntax
    error in parameters' Further, SMTP 'mail from' and 'rcpt to' command lines
    exceeding 1024 characters (including the CRLF) will result in a response
    of: '500 Line too long'

    The fix is available from <http://instantservers.com/download/ism145.exe>
    http://instantservers.com/download/ism145.exe Despite this is a BETA
    release, if you are running ISMail version 1.4.3 or below, NGS recommend
    upgrading to the BETA version to protect yourself from possible attacks.

    Mark would like to add that the vendors of ISMail reproduced, fixed, and
    made a patch available within 48 hours of notification

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:mark@ngssoftware.com> Mark
    Litchfield.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: support@securiteam.com: "[NEWS] Lotus Notes/Domino R6-beta PROTOS LDAP Denial of Service Regression"