smartserver3.remote.txt

1999-11-12T00:00:00
ID PACKETSTORM:11498
Type packetstorm
Reporter Andrew Reiter
Modified 1999-11-12T00:00:00

Description

                                        
                                            `BindView Security Advisory  
  
  
SmartServer3 Remote Buffer Overflow Technical Advisory  
  
Issue date: 11/11/99  
Contact: Andrew Reiter <areiter@bos.bindview.com>  
  
  
Topic  
-----  
  
There is a buffer overflow in NetCPlus' SmartServer3 POP3 server which can  
allow a remote attacker to execute arbitrary code on the machine.  
  
  
Affected Systems  
----------------  
  
Windows 95/98/NT machines running NetCPlus' SmartServer3 program with  
the POP3 server started. The version tested was 3.51.1 (built on 7/12/99).  
  
  
Overview  
--------  
  
NetCPlus is the maker of low-cost business email solutions such as  
SmartServer3, BrowseGate, and MailTreeve. SmartServer3 is a product that  
contains SMTP and POP3 servers. The POP3 server, however, has a security  
vulnerability in the form of a buffer overflow. If one sends a large string  
(~1000 characters) to the POP3 server, the server replies with "-ERR non-  
existant command" (sic) and the POP3 server stops running. This causes a  
page fault in KERNEL32.DLL, but does not appear to be exploitable. However,  
when the string "USER <~800 char's>\r\n\r\n" is sent, a fault is caused in  
NCPOPSERV.EXE. This can be exploited to allow a remote attacker to execute  
arbitrary code on the victim server.  
  
  
Impact  
------  
  
Remote users can exploit a buffer overflow and execute commands on the  
POP3 server's machine.  
  
  
Appendix A, Software Information  
--------------------------------  
  
NetCPlus Internet Solutions, Ltd.  
www.netcplus.com  
www.netcplus.co.uk  
  
NetCPlus is soon releasing SmartServer3 version 3.60 which fixes this  
security flaw.  
  
  
  
http://www.bindview.com/security  
--  
  
`