
ISMAIL Remote Buffer Overrun

by Nikola Strahija on February 27th, 2003

There exists a buffer overrun vulnerability in the SMTP service offered by ISMAIL. By supplying long domain name values in either the MAIL FROM: or RCPT TO: values, an attacker can overwrite the saved return address on the stack.


Name: ISMAIL v 1.25 & v 1.4.3 Remote Buffer Overrun
Systems Affected: WinNT, Win2K, XP
Severity: High Risk
Category: Remote Buffer Overrun
Vendor URL: http://instantservers.com/ismail.html
Author: Mark Litchfield ([email protected])
Date: 27th February 2003
Advisory number: #NISR27022003


Vendor Description
******************

ISMail is a powerful yet easy to use mail server for Windows
95/98/ME/NT/2000 & XP. It supports complete email service for both home and
office use, and runs on a dedicated or a shared machine.


Details
*******

There exists a buffer overrun vulnerability in the SMTP service offered by
ISMAIL. By supplying long domain name values in either the MAIL FROM: or
RCPT TO: values, an attacker can overwrite the saved return address on the
stack. Because ISMAIL runs under the LOCALSYSTEM account, any code supplied
by an attacker and executed on the server will run with system privileges.
If no code is supplied, ISMAIL will simply crash, leaving a file in the
outgoing message folder which will immediately trigger the error once
ISMail is restarted.

Fix Information
***************
The vendor has fixed the problems using the following:

ISMail 1.4.5 (and subsequent versions) accept domain names up to 255
characters in length. Domain names exceeding this length in the 'mail from'
and 'rcpt to' commands will result in a response of: '501 Syntax error in
parameters'
Further, SMTP 'mail from' and 'rcpt to' command lines exceeding 1024
characters (including the CRLF) will result in a response of: '500 Line too
long'
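
The two length checks described above, sketched in C as an added example (not the vendor's code and not part of the original advisory). The function name `check_smtp_path` and its parameters are hypothetical, and the domain is assumed to start after the first '@' in the line.

```c
#include <stddef.h>
#include <string.h>

#define MAX_LINE   1024   /* whole command line, CRLF included */
#define MAX_DOMAIN 255    /* domain part of the address */

/* Hypothetical helper (not ISMail code): check one MAIL FROM:/RCPT TO: line
 * of `len` bytes and copy its domain into `out` (capacity `outsz`).
 * Returns the SMTP reply code to send: 250, 500 or 501.
 * Simplification: the domain is taken to start after the first '@'. */
int check_smtp_path(const char *line, size_t len, char *out, size_t outsz)
{
    if (outsz == 0)
        return 501;
    out[0] = '\0';
    if (len > MAX_LINE)
        return 500;                        /* "500 Line too long" */
    if (len < 2 || line[len - 2] != '\r' || line[len - 1] != '\n')
        return 501;                        /* not a complete line */

    const char *end = line + len - 2;      /* first byte of the CRLF */
    const char *at = memchr(line, '@', (size_t)(end - line));
    if (at == NULL)
        return 250;                        /* e.g. MAIL FROM:<>, no domain */

    const char *dom = at + 1;
    const char *p = dom;
    while (p < end && *p != '>' && *p != ' ')
        p++;                               /* domain ends at '>' or space */
    size_t dlen = (size_t)(p - dom);

    /* Measure before copying: the length is checked against both the
     * protocol limit and the real size of the destination buffer. */
    if (dlen == 0 || dlen > MAX_DOMAIN || dlen >= outsz)
        return 501;                        /* "501 Syntax error in parameters" */
    memcpy(out, dom, dlen);
    out[dlen] = '\0';
    return 250;
}
```

The copy happens only after the length has been compared with the destination size, so an oversized domain is rejected with a reply code and never reaches the stack buffer.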

The fix is available from http://instantservers.com/download/ism145.exe
Although this is a BETA release, if you are running ISMAIL version 1.4.3 or
below, NGS recommend upgrading to the BETA version to protect yourself from
possible attacks.

I would like to add that the vendors of ISMAIL reproduced, fixed and made a
patch available within 48 hours of notification.

A check for these issues has been added to Typhon II, of which more
information is available from the
NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf

