================================================= Advisory: Buffer Overflow in iSMTP Gateway Software: iSMTP Gateway Severity: Medium-High Vendor: Incognito Systems http://www.incognito.com Systems Affected: Banyan VINES Version: 5.0.1, ? Type of Vulnerability: Buffer Overflow
Discovered by: K. K. Mookhey (firstname.lastname@example.org) Network Intelligence India Pvt. Ltd. http://www.nii.co.in Advisory Available online at: http://www.nii.co.in/vuln/ismtp.html =================================================
iSMTP Gateway is a Mail Gateway software from Incognito Systems. I quote directly from the vendor's email: "The iSMTP gateway runs only on the Banyan VINES operating system (or Banyan ST4NT). Banyan ceased any further development on VINES 2 years ago and has refused to provide any support on the product for well over a year. Ten years ago when the iSMTP software was written it was used by virtually every member of the Fortune 1000, most Universities world-wide and the entire U.S. military. "
If a user sends an overly long MAIL FROM: command, the server responds with a 'Command Unrecognised' response and subsequently crashes. We speculate that this probably happens when the system tries to make an entry into the log file or something else of that nature. That the system is able to give a valid response before crashing implies that the buffer overflow probably takes place at some later stage of processing the input. We do not yet know the exact length of the string that needs to follow the MAIL FROM: command in order to crash the software. We used a string which consisted of about 4000 'A's We tested this on version 5.0.1 of the iSMTP software.
The vendor notifies us that they have been unable to replicate the error in the latest version of the software, which is available from ftp://ftp.incognito.com We urge any users of iSMTP to verify this for themselves.
In case, you are not using the latest version of the software, we strongly urge you to upgrade immediately. More information on this can be obtained from customer support at Incognito.
We term the severity as Medium-High because the vendor certifies that most of the installations are pretty critical. This included the one we did the testing on. But taking into account the fact this software is far from being as popular as the other common Mail Servers, any potential exploit would not have very far reaching consequences.
This advisory is available online at http://www.nii.co.in/vuln/ismtp.html
K. K. Mookhey CTO, Network Intelligence India Pvt. Ltd. Tel: 91-22-2001530, 2006019 Email: email@example.com Web: www.nii.co.in