GoodTechRCPT.txt
Posted Jul 28, 2005
Authored by Raphael Rigo

GoodTech versions 5.15 and below (and 5.16 evaluation) suffer from stack overflow vulnerabilities in the handling of the RCPT TO input.

tags | advisory, overflow, vulnerability
SHA-256 | d99bea5bc3c5546872d764d9ede2617885299aec72497604fa2a2e029d3f283a

Arbitrary code execution in GoodTech's SMTP server

discovered by Raphaël Rigo

Product: SMTP server by GoodTech Systems
Affected Version: 5.16 Evaluation (verified); registered versions <= 5.16 and 5.15 probably too
Not affected Version: 5.17
OS affected: All WinNT (NT/2K/XP/2K3)
Risk: Critical
Remote Exploit: yes
URL: http://www.goodtechsys.com/smtpdnt2000.asp

Overview
========

The product provides Simple Mail Transfer Protocol (SMTP) to any email client
out of the box. It forwards email messages directly to their recipients.
GoodTech SMTP server runs as a service on the host Windows machine.


Vulnerabilities
===============

1) Stack overflow in RCPT TO command handling

Unchecked string copies allow a classic stack overflow.

Details :
A cascade of unchecked string copies is responsible for this
vulnerability :
- The maximum length of a command is 4096 bytes.
- The requested email address is copied, without any length check,
into a 2048-byte buffer; this copy has no direct consequence on its
own.
- The domain part is extracted and copied, again without a length
check, into a 256-byte buffer; this copy has no direct consequence
either.
- The following code is then executed : sprintf(buf,"mx.%s",domain)
buf is only 64 bytes long, so it can be overflowed, overwriting the
string that holds the DNS server used to look up the MX record.
- Because that string is now non-empty, the following code is executed:
sprintf(buf1024, "Using DNS Server %s", dnsserver)
Since about 4000 bytes are available for the domain, this sprintf
overflows the 1024-byte buffer and overwrites the return address of
the function, allowing arbitrary code execution.

Risk : Critical
The attacker may execute arbitrary code with the privileges of the
SYSTEM user (by default).

Proof of concept :

$ telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 test Simple Mail Transfer Service Ready. Version 5.15 (Evaluation)
HELO aaa
250 OK
RCPT TO: <aa@|'A'x1100>
Connection closed by foreign host.

Service crashes with EIP==0x41414141 (|'A'x1100 denotes 1100 'A'
characters; the saved return address has been overwritten with "AAAA")

Workaround :
There is no workaround in the product itself. Until the update is
applied, restrict access to the SMTP port (TCP 25) to trusted hosts.

Solution :
Update to v5.17 (listed above as not affected; 5.16 is still affected)

-----------------------------------------------------------------------

2) Stack overflow in multiple RCPT TO commands handling

An unchecked string copy allows a classic stack overflow.

Details :
For each RCPT TO command, the server fills a 1300-byte structure
containing the requested command and the MX server for the requested
email address.
The server allows up to 99 RCPT TO commands for a single mail, but the
structure is filled by an unchecked string copy: the command, up to
4096 bytes long, is copied into the 1300-byte structure with no length
check.
Since these structures live on the thread's stack, a long command in
the 99th RCPT TO overwrites the return address of the thread function.
A QUIT command then makes the thread function return, which transfers
control to the attacker-supplied data.

Risk : Critical
The attacker may execute arbitrary code with the privileges of the
SYSTEM user (by default).

Proof of concept :

$ telnet localhost 25
Connected to localhost.
Escape character is '^]'.
220 test Simple Mail Transfer Service Ready. Version 5.15 (Evaluation)
HELO aaa
250 OK
-- Repeat this part 98 times
RCPT TO: <aa@aa>
250 OK
--
RCPT TO: <|'A'x2600|@localhost>
250 OK
QUIT
Connection closed by foreign host.

Service crashes with EIP==0x41414141
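The following C program is an added illustration, not GoodTech's code (the product is closed source and the advisory shows no source): it rewrites the two copies described in vulnerabilities 1 and 2 with bounds checks. The buffer sizes (4096, 2048, 256, 64, 1024, 99 recipients) follow the advisory; the struct layouts, field names, function names and the DNS server value are assumptions. It additionally enforces the RFC 5321 (section 4.5.3.1) forward-path limit of 256 octets, far below the server's 4096-byte command limit, so both PoC lines are refused at the syntax level before any copy happens. Replaying the advisory's two PoC lines against it yields a 501 reply instead of a crash, while a normal recipient still gets 250.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX      4096   /* server's maximum command length (advisory) */
#define RCPT_MAX     99     /* recipients per message (advisory) */
#define PATH_MAX_RFC 256    /* RFC 5321 4.5.3.1 forward-path limit, incl. <> */
#define DOMAIN_MAX   256    /* advisory: domain buffer */
#define MX_MAX       64     /* advisory: "mx.%s" buffer */
#define MSG_MAX      1024   /* advisory: "Using DNS Server %s" buffer */
#define DNS_SERVER   "192.0.2.53"   /* assumed configured DNS server */

/* Assumed layouts standing in for the advisory's "1300 bytes structure"
 * (command + MX server) and for the per-connection state. */
typedef struct { char cmd[1024]; char mx[MX_MAX]; } rcpt_rec;
typedef struct { char dnsserver[64]; int nrcpt; rcpt_rec rcpts[RCPT_MAX]; } session;

/* Copy the address between '<' and '>' into out; -1 if malformed or over
 * either the command limit or the RFC 5321 path limit, 0 otherwise. */
static int parse_rcpt_path(const char *cmd, char *out, size_t outsz)
{
    if (strlen(cmd) > CMD_MAX) return -1;
    const char *lt = strchr(cmd, '<'), *gt = lt ? strchr(lt, '>') : NULL;
    if (gt == NULL || gt - lt < 2) return -1;                 /* no <...> or empty */
    size_t len = (size_t)(gt - lt - 1);
    if (len + 2 > PATH_MAX_RFC || len >= outsz) return -1;
    memcpy(out, lt + 1, len); out[len] = '\0';
    return 0;
}

/* Bounded form of the sprintf cascade in vulnerability 1: domain length checked
 * before the copy, every snprintf result compared with its buffer size. */
static int build_mx_name(const char *path, const session *s, char *mx, size_t mxsz)
{
    char domain[DOMAIN_MAX], msg[MSG_MAX];
    const char *at = strchr(path, '@');
    if (at == NULL || at[1] == '\0') return -1;
    size_t dlen = strlen(at + 1);
    if (dlen >= sizeof domain) return -1;
    memcpy(domain, at + 1, dlen + 1);
    int n = snprintf(mx, mxsz, "mx.%s", domain);
    if (n < 0 || (size_t)n >= mxsz) return -1;                /* would truncate */
    if (s->dnsserver[0] != '\0') {
        n = snprintf(msg, sizeof msg, "Using DNS Server %s", s->dnsserver);
        if (n < 0 || (size_t)n >= sizeof msg) return -1;
    }
    return 0;
}

/* Bounded form of vulnerability 2: slot index checked before any write, command
 * copied only if it fits the slot. Returns the SMTP reply code. */
int handle_rcpt_to(session *s, const char *cmd)
{
    char path[PATH_MAX_RFC];
    if (s->nrcpt >= RCPT_MAX) return 452;                     /* too many recipients */
    if (parse_rcpt_path(cmd, path, sizeof path) != 0) return 501;
    rcpt_rec *r = &s->rcpts[s->nrcpt];
    size_t clen = strlen(cmd);
    if (clen >= sizeof r->cmd) return 501;
    memcpy(r->cmd, cmd, clen + 1);
    if (build_mx_name(path, s, r->mx, sizeof r->mx) != 0) return 501;
    s->nrcpt++;
    return 250;
}

/* Expand the advisory's |'A'xN| notation: "RCPT TO: <" pre, N 'A's, post ">". */
static int make_rcpt_line(char *buf, size_t sz, const char *pre, size_t n_a, const char *post)
{
    if (strlen("RCPT TO: <") + strlen(pre) + n_a + strlen(post) + 2 > sz) return -1;
    char *p = buf + sprintf(buf, "RCPT TO: <%s", pre);
    memset(p, 'A', n_a);
    sprintf(p + n_a, "%s>", post);
    return 0;
}

/* PoC 1 replay: aa@ followed by 1100 'A's. Expect 501, not EIP=0x41414141. */
int replay_poc1(void)
{
    session s = { DNS_SERVER }; static char line[CMD_MAX + 64];
    if (make_rcpt_line(line, sizeof line, "aa@", 1100, "") != 0) return -1;
    return handle_rcpt_to(&s, line);
}

/* PoC 2 replay: 98 ordinary recipients, then 2600 'A's @localhost. */
int replay_poc2(void)
{
    session s = { DNS_SERVER }; static char line[CMD_MAX + 64];
    for (int i = 0; i < 98; i++)
        if (handle_rcpt_to(&s, "RCPT TO: <aa@aa>") != 250) return -1;
    if (make_rcpt_line(line, sizeof line, "", 2600, "@localhost") != 0) return -1;
    return handle_rcpt_to(&s, line);
}

/* A well-formed recipient is still accepted and gets the expected MX name. */
int accept_normal(void)
{
    session s = { DNS_SERVER };
    int code = handle_rcpt_to(&s, "RCPT TO: <user@example.com>");
    return (code == 250 && strcmp(s.rcpts[0].mx, "mx.example.com") == 0) ? 250 : -1;
}
```

The important habit the original code lacked is visible in build_mx_name: sprintf has no bound at all, and even snprintf only helps if its return value is compared with the buffer size, since silent truncation would still hand a wrong MX host name to the resolver. Rejecting over-long paths at parse time (the RFC limit) is what makes the later copies safe by construction rather than by luck of buffer placement.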

Workaround :
There is no workaround in the product itself. Until the update is
applied, restrict access to the SMTP port (TCP 25) to trusted hosts.

Solution :
Update to v5.17 (listed above as not affected; 5.16 is still affected)

-----------------------------------------------------------------------

Acknowledgments
===============

Thanks to the developer for quick response and fix.

Timeline
========
2005-07-19 Discovery
2005-07-21 First attempt to contact developer
2005-07-21 Developer reply
2005-07-22 Fixed version released
2005-07-23 Advisory published