[VulnWatch] ISMAIL (All Versions) Remote Buffer Overrun

From: NGSSoftware Insight Security Research (mark@ngssoftware.com)
Date: 02/28/03

    From: "NGSSoftware Insight Security Research" <mark@ngssoftware.com>
    To: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>, <vulnwatch@vulnwatch.org>
    Date: Thu, 27 Feb 2003 15:45:17 -0800
    
    

    NGSSoftware Insight Security Research Advisory

    Name: ISMAIL v 1.25 & v 1.4.3 Remote Buffer Overrun
    Systems Affected: WinNT, Win2K, XP
    Severity: High Risk
    Category: Remote Buffer Overrun
    Vendor URL: http://instantservers.com/ismail.html
    Author: Mark Litchfield (mark@ngssoftware.com)
    Date: 27th February 2003
    Advisory number: #NISR27022003

    Vendor Description
    ******************

    ISMail is a powerful yet easy to use mail server for Windows
    95/98/ME/NT/2000 & XP. It supports complete email service for both home and
    office use, and runs on a dedicated or a shared machine.

    Details
    *******

    There exists a buffer overrun vulnerability in the SMTP service offered by
    ISMAIL. By supplying a long domain name value in either the MAIL FROM: or
    RCPT TO: command, an attacker can overwrite the saved return address on the
    stack. As ISMAIL runs under the LOCALSYSTEM account, any arbitrary code
    supplied by an attacker and executed on the server will run with system
    privileges. If no code is supplied, ISMAIL will simply crash, leaving a file
    in the outgoing message folder which will immediately trigger the error again
    once ISMail is restarted.

    Fix Information
    ***************
    The vendor has fixed the problems using the following:

    ISMail 1.4.5 (and subsequent versions) accepts domain names up to 255
    characters in length. Domain names exceeding this length in the 'mail from'
    and 'rcpt to' commands will result in a response of: '501 Syntax error in
    parameters'.
    Further, SMTP 'mail from' and 'rcpt to' command lines exceeding 1024
    characters (including the CRLF) will result in a response of: '500 Line too
    long'.
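
    As an added illustration (not the vendor's code or the advisory's own), the following Python validator applies the two limits and the two responses quoted above to a raw SMTP envelope line, checking the whole-line limit before the domain is parsed. The success response, the command regex and the sample lines are assumptions, not taken from the advisory.

```python
import re

# Limits stated in the fix information for ISMail 1.4.5 and later.
MAX_DOMAIN_LEN = 255
MAX_LINE_LEN = 1024          # includes the trailing CRLF

# Responses quoted in the fix information.
LINE_TOO_LONG = "500 Line too long"
SYNTAX_ERROR = "501 Syntax error in parameters"
OK = "250 OK"                # assumed success response; the advisory quotes none

# Assumed parser for "MAIL FROM:<path>" / "RCPT TO:<path>" (angle brackets optional).
_CMD_RE = re.compile(rb"^(MAIL FROM|RCPT TO):\s*<?([^<>\r\n]*)>?\s*$", re.IGNORECASE)


def check_envelope_line(line: bytes) -> str:
    """Return the response the hardened server would send for one raw line.

    `line` is the command exactly as received, CRLF included, so the 1024
    limit is applied to the wire length. Length is rejected before any
    parsing so an oversized line never reaches the domain handling.
    """
    if len(line) > MAX_LINE_LEN:
        return LINE_TOO_LONG
    m = _CMD_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return SYNTAX_ERROR
    verb, path = m.group(1).upper(), m.group(2)
    if path == b"":
        # An empty reverse path ("MAIL FROM:<>") is legal for bounces;
        # an empty forward path is not.
        return OK if verb == b"MAIL FROM" else SYNTAX_ERROR
    if b"@" not in path:
        return SYNTAX_ERROR
    domain = path.rsplit(b"@", 1)[1]
    if not domain or len(domain) > MAX_DOMAIN_LEN:
        return SYNTAX_ERROR
    return OK


if __name__ == "__main__":
    # Constructed sample lines: one ordinary, one oversized domain, one oversized line.
    samples = [
        b"MAIL FROM:<alice@example.com>\r\n",
        b"RCPT TO:<bob@" + b"a" * 300 + b".com>\r\n",
        b"MAIL FROM:<x@" + b"b" * 1100 + b">\r\n",
    ]
    for s in samples:
        print(s[:40], "->", check_envelope_line(s))
```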

    The fix is available from http://instantservers.com/download/ism145.exe
    Although this is a BETA release, if you are running ISMAIL version 1.4.3 or
    below, NGS recommend upgrading to the BETA version to protect yourself from
    possible attacks.

    I would like to add that the vendors of ISMAIL reproduced, fixed and made a
    patch available within 48 hours of notification.

    A check for these issues has been added to Typhon II, of which more
    information is available from the NGSSoftware website,
    http://www.ngssoftware.com.

    Further Information
    *******************

    For further information about the scope and effects of buffer overflows,
    please see

    http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
    http://www.ngssoftware.com/papers/ntbufferoverflow.html
    http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    http://www.ngssoftware.com/papers/unicodebo.pdf
