All-Mail Buffer Overflow Vulnerability
BID:1789
Info
All-Mail Buffer Overflow Vulnerability
| Bugtraq ID: | 1789 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2000-0985 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 12 2000 12:00AM |
| Updated: | Jul 11 2009 03:56AM |
| Credit: | Discovered by @stake and published in an @stake security advisory released on Oct 12, 2000. |
| Vulnerable: |
Nevis Systems All-Mail 1.1 |
| Not Vulnerable: | |
Discussion
All-Mail Buffer Overflow Vulnerability
All-mail is an smtp server for Windows NT and 2000 platforms offered by Nevis Systems. It is vulnerable to remotely exploitable buffer overflow attacks that may lead to an attacker gaining control of the victim host.
The condition is known to occur in at least two places. The values supplied by the user that argument the "mail from" and "rcpt to" smtp commands are stored in buffers of predefined length. It is not verified that the amount data is within the predefined size limits before it is copied onto the stack during function calls. Consequently it is possible for users to overwrite stack variables (with the excessive data..) such as the calling function's return address with arbitrary values that can alter the program's flow of execution.
If exploited, the user can at the very least cause the smtp server to crash. More advanced attacks can result in arbitrary code execution on the victim host.
All-mail is an smtp server for Windows NT and 2000 platforms offered by Nevis Systems. It is vulnerable to remotely exploitable buffer overflow attacks that may lead to an attacker gaining control of the victim host.
The condition is known to occur in at least two places. The values supplied by the user that argument the "mail from" and "rcpt to" smtp commands are stored in buffers of predefined length. It is not verified that the amount data is within the predefined size limits before it is copied onto the stack during function calls. Consequently it is possible for users to overwrite stack variables (with the excessive data..) such as the calling function's return address with arbitrary values that can alter the program's flow of execution.
If exploited, the user can at the very least cause the smtp server to crash. More advanced attacks can result in arbitrary code execution on the victim host.
Exploit / POC
All-Mail Buffer Overflow Vulnerability
A sample exploit was included in the advisory, linked to below:
A sample exploit was included in the advisory, linked to below:
Solution / Fix
All-Mail Buffer Overflow Vulnerability
Solution:
Nevis Systems is aware of this vulnerability but reportedly does not support the product anymore. Users are advised to use another mail package.
Solution:
Nevis Systems is aware of this vulnerability but reportedly does not support the product anymore. Users are advised to use another mail package.
References
All-Mail Buffer Overflow Vulnerability
References:
References:
- @ Stake Homepage (@stake)
- Nevis Systems Homepage (Nevis Systems)