GoodTechRCPT.txt
Posted Jul 28, 2005
Authored by Raphael Rigo

GoodTech versions 5.15 and below (and 5.16 evaluation) suffer from stack overflow vulnerabilities in the handling of the RCPT TO input.

tags | advisory, overflow, vulnerability
SHA-256 | d99bea5bc3c5546872d764d9ede2617885299aec72497604fa2a2e029d3f283a

Arbitrary code execution in GoodTech's SMTP server

discovered by Raphaël Rigo

Product: SMTP server by GoodTech Systems
Affected Version: 5.16 Evaluation (verified); registered 5.15 and below probably too
Not affected Version: 5.17
OS affected: All WinNT (NT/2K/XP/2K3)
Risk: Critical
Remote Exploit: yes
URL: http://www.goodtechsys.com/smtpdnt2000.asp

Overview
========

The product provides Simple Mail Transfer Protocol (SMTP) to any email client
out of the box. It forwards email messages directly to their recipients.
GoodTech SMTP server runs as a service on the host Windows machine.


Vulnerabilities
===============

1) Stack overflow in RCPT TO command handling

Unchecked string copies allow a classic stack overflow.

Details :
A cascade of unchecked string copies is responsible for this
vulnerability :
- The maximum length of a command is 4096 bytes.
- The requested email address is copied, without any length check, into
a 2048-byte buffer (no direct consequences).
- The domain is extracted and copied, again without a length check, into
a 256-byte buffer (no direct consequences).
- The following code is then executed : sprintf(buf,"mx.%s",domain)
buf is only 64 bytes long and can thus be overflowed,
overwriting a string holding the DNS server to be used for
the MX lookup.
- This string being non-empty, the following code is executed:
sprintf(buf1024, "Using DNS Server %s", dnsserver)
but since ~4000 bytes are available for the domain, this call can
overflow and overwrite the return address of the function, allowing
arbitrary code execution.

Risk : Critical
The attacker may execute arbitrary code with the privileges of the
SYSTEM user (by default).

Proof of concept :

$ telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 test Simple Mail Transfer Service Ready. Version 5.15 (Evaluation)
HELO aaa
250 OK
RCPT TO: <aa@|'A'x1100>
Connection closed by foreign host.

Service crashes with EIP==0x41414141

Workaround :
There is no possible workaround.

Solution :
Update to v5.16

-----------------------------------------------------------------------

2) Stack overflow in multiple RCPT TO commands handling

Unchecked string copy allows a classic stack overflow.

Details :
For each RCPT TO command, the server fills a 1300-byte structure
containing the requested command and the MX server for the requested
email address.
The server allows up to 99 RCPT TO commands for a single mail, but the
structure is filled via an unchecked string copy : the command, up to
4096 bytes long, is copied into the structure without any length check.
This behaviour allows us to overwrite the return address of the thread
by issuing a long command as the 99th RCPT TO command.
We then have to issue a QUIT command to exit the thread and execute
our code.
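A bounds-checked RCPT TO handler, added here as an illustration and not code from GoodTech or from the advisory's author, covering both issues above: it refuses a domain that would not fit the 64-byte "mx." buffer (section 1) and refuses recipients beyond the 99th or commands that would not fit the fixed recipient record (section 2). The record layout, the function name and the sizes not quoted in the advisory are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Limits taken from the advisory: 4096-byte command, 2048-byte address,
 * 256-byte domain, 64-byte "mx." buffer, at most 99 RCPT TO per message. */
#define CMD_MAX    4096
#define ADDR_MAX   2048
#define DOMAIN_MAX 256
#define MX_MAX     64
#define MAX_RCPT   99

/* Hypothetical recipient record (the real 1300-byte layout is not known). */
struct rcpt { char address[ADDR_MAX]; char mxname[MX_MAX]; };
struct session { struct rcpt rcpts[MAX_RCPT]; int nrcpt; };

/* Returns 0 on success, -1 when the command must be rejected. Every copy is
 * bounded by the destination size and oversized input is refused outright. */
int handle_rcpt_to(struct session *s, const char *cmd)
{
    const char *lt, *at, *gt;
    size_t alen, dlen;
    struct rcpt *r;
    int n;
    if (s->nrcpt >= MAX_RCPT || strlen(cmd) >= CMD_MAX)  /* recipient cap */
        return -1;
    lt = strchr(cmd, '<');
    gt = lt ? strchr(lt, '>') : NULL;
    if (!lt || !gt)
        return -1;
    alen = (size_t)(gt - lt - 1);                 /* bytes between < and > */
    if (alen == 0 || alen >= ADDR_MAX)
        return -1;
    at = memchr(lt + 1, '@', alen);
    if (!at)
        return -1;
    dlen = (size_t)(gt - at - 1);                 /* domain after the @ */
    if (dlen == 0 || dlen >= DOMAIN_MAX)
        return -1;

    r = &s->rcpts[s->nrcpt];
    memcpy(r->address, lt + 1, alen);
    r->address[alen] = '\0';
    /* snprintf cannot write past MX_MAX; its return value reveals whether
     * "mx." + domain would have fit, which sprintf never told the caller. */
    n = snprintf(r->mxname, MX_MAX, "mx.%.*s", (int)dlen, at + 1);
    if (n < 0 || n >= MX_MAX)
        return -1;
    s->nrcpt++;
    return 0;
}
```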

Risk : Critical
The attacker may execute arbitrary code with the privileges of the
SYSTEM user (by default).

Proof of concept :

$ telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 test Simple Mail Transfer Service Ready. Version 5.15 (Evaluation)
HELO aaa
250 OK
-- Repeat this part 98 times
RCPT TO: <aa@aa>
250 OK
--
RCPT TO: <|'A'x2600|@localhost>
250 OK
QUIT
Connection closed by foreign host.

Service crashes with EIP==0x41414141

Workaround :
There is no possible workaround.

Solution :
Update to v5.16

-----------------------------------------------------------------------

Acknowledgments
===============

Thanks to the developer for quick response and fix.

Timeline
========
2005-07-19 Discovery
2005-07-21 First attempt to contact developer
2005-07-21 Developer reply
2005-07-22 Fixed version released
2005-07-23 Advisory published