CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
91.8%
The version of GoodTech SMTP Server running on the remote host is prone to multiple buffer overflow vulnerabilities when processing RCPT TO commands. An attacker can exploit these flaws to run arbitrary code remotely, by default as the SYSTEM user.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description) {
script_id(19384);
script_version("1.15");
script_cve_id("CVE-2005-2387");
script_bugtraq_id(14357);
script_name(english:"GoodTech SMTP Server < 5.17 Multiple Buffer Overflows");
script_set_attribute(attribute:"synopsis", value:
"The remote SMTP server contains several buffer overflow flaws." );
script_set_attribute(attribute:"description", value:
"The version of GoodTech SMTP Server running on the remote host is
prone to multiple buffer overflow vulnerabilities when processing RCPT
TO commands. An attacker can exploit these flaws to run arbitrary
code remotely, by default as the SYSTEM user." );
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/406321/30/0/threaded" );
script_set_attribute(attribute:"solution", value:
"Upgrade to GoodTech SMTP Server 5.17 or later." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/04");
script_set_attribute(attribute:"vuln_publication_date", value: "2005/07/23");
script_cvs_date("Date: 2018/11/15 20:50:24");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_summary(english:"Checks for multiple buffer overflow vulnerabilities in GoodTech SMTP Server < 5.17");
script_category(ACT_MIXED_ATTACK);
script_family(english:"SMTP problems");
script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
script_dependencies("smtpserver_detect.nasl");
script_require_ports("Services/smtp", 25);
exit(0);
}
include("global_settings.inc");
include("smtp_func.inc");
include("misc_func.inc");
port = get_service(svc:"smtp", default: 25, exit_on_fail: 1);
if (get_kb_item('SMTP/'+port+'/broken')) exit(0);
# If the banner suggests it's GoodTech...
banner = get_smtp_banner(port:port);
if (banner && "Simple Mail Transfer Service Ready. Version" >< banner) {
# If safe checks are enabled...
if (safe_checks()) {
# nb: versions < 5.17 are affected.
if (banner =~ "Version ([0-4]\.|5\.(0|1[0-6][^0-9]))") {
report =
"Note that Nessus has determined the vulnerability exists on the
remote host simply by looking at the installed version number of
GoodTech SMTP Server.
";
security_hole(port:port, extra:report);
}
}
# Otherwise...
else {
# Let's try to crash it.
soc = smtp_open(port:port, helo:rand_str());
if (!soc) exit(0);
c = strcat('RCPT TO: <aa@', crap(1100), '>');
send(socket:soc, data: c+'\r\n');
s = smtp_recv_line(socket:soc);
# If it's down, try once to reconnect.
if (!s) {
close(soc);
sleep(1);
# Is the daemon history?
soc = open_sock_tcp(port);
if (!soc) {
if (service_is_dead(port: port) > 0)
security_hole(port);
exit(0);
}
}
# Let's be nice.
smtp_close(socket: soc);
}
}