NGSSoftware Insight Security Research Advisory
Name: ISMAIL v 1.25 & v 1.4.3 Remote Buffer Overrun
Systems Affected: WinNT, Win2K, XP
Severity: High Risk
Category: Remote Buffer Overrun
Vendor URL: http://instantservers.com/ismail.html
Author: Mark Litchfield (mark (at) ngssoftware (dot) com [email concealed])
Date: 27th February 2003
Advisory number: #NISR27022003
Vendor Description
******************
ISMail is a powerful yet easy to use mail server for Windows
95/98/ME/NT/2000 & XP. It supports complete email service for both home and
office use, and runs on a dedicated or a shared machine
Details
*******
There exists a buffer overrun vulnerability in the SMTP service offered by
ISMAIL. By supplying long Domain name values in either the MAIL FROM: or
RCPT TO: values, an attacker can overwrite the saved returned return address
on the stack. As ISMAIL runs as a LOCALSYSTEM account, any arbitrary code
executed on the server being passed by an attacker will run with system
privileges. If no code is supplied, ISMAIL will simply crash leaving a file
in the outgoing message folder which will immediately trigger the error once
ISMail is restarted.
Fix Information
***************
The vendor has fixed the problems using the following:
ISMail 1.4.5 (and subsequent versions) accept domain names up to 255
characters in length. Domain names exceeding this length in the 'mail from'
and 'rcpt to' commands will result in a response of: '501 Syntax error in
parameters'
Further, SMTP 'mail from' and 'rcpt to' command lines exceeding 1024
characters (including the CRLF) will result in a response of: '500 Line too
long'
The fix is available from http://instantservers.com/download/ism145.exe
Despite this is a BETA release, if you are running ISMAIL version 1.4.3 or
below, NGS recommend upgrading to the BETA version to protect yourself from
possible attacks.
I would like to add that the vendors of ISMAIL reproduced, fixed and made a
patch available within 48 hours of notification
A check for these issues has been added to Typhon II, of which more
information is available from the
NGSSoftware website, http://www.ngssoftware.com.
Further Information
*******************
For further information about the scope and effects of buffer overflows,
please see
http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf