lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: cto at nii.co.in (K. K. Mookhey)
Subject: Buffer Overflow in iSMTP Gateway

=================================================
Advisory: Buffer Overflow in iSMTP Gateway
Software: iSMTP Gateway
Severity: Medium-High
Vendor: Incognito Systems http://www.incognito.com
Systems Affected: Banyan VINES
Version: 5.0.1, ?
Type of Vulnerability: Buffer Overflow

Discovered by: K. K. Mookhey (cto@....co.in)
Network Intelligence India Pvt. Ltd. http://www.nii.co.in
Advisory Available online at: http://www.nii.co.in/vuln/ismtp.html
=================================================


Background:
==========
iSMTP Gateway is a Mail Gateway software from Incognito Systems. I quote
directly from the vendor's email:
"The iSMTP gateway runs only on the Banyan VINES operating system (or Banyan
ST4NT). Banyan ceased any further development on VINES 2 years ago and has
refused to provide any support on the product for well over a year. Ten
years ago when the iSMTP software was written it was used by virtually every
member of the Fortune 1000, most Universities world-wide and the entire U.S.
military. "


Description:
=========
If a user sends an overly long MAIL FROM: command, the server responds with
a 'Command Unrecognised' response and subsequently crashes. We speculate
that this probably happens when the system tries to make an entry into the
log file or something else of that nature. That the system is able to give a
valid response before crashing implies that the buffer overflow probably
takes place at some later stage of processing the input.
We do not yet know the exact length of the string that needs to follow the
MAIL FROM: command in order to crash the software. We used a string which
consisted of about 4000 'A's
We tested this on version 5.0.1 of the iSMTP software.


Vendor Response:
=============
The vendor notifies us that they have been unable to replicate the error
in the latest version of the software, which is available from
ftp://ftp.incognito.com
We urge any users of iSMTP to verify this for themselves.


Suggested Workarounds:
==================
In case, you are not using the latest version of the software, we strongly
urge you to upgrade immediately. More information on this can be obtained
from customer support at Incognito.


Note:
====
We term the severity as Medium-High because the vendor certifies that most
of the installations are pretty critical. This included the one we did the
testing on. But taking into account the fact this software is far from being
as popular as the other common Mail Servers, any potential exploit would not
have very far reaching consequences.

This advisory is available online at http://www.nii.co.in/vuln/ismtp.html

Sincerely,

K. K. Mookhey
CTO,
Network Intelligence India Pvt. Ltd.
Tel: 91-22-2001530, 2006019
Email: cto@....co.in
Web: www.nii.co.in

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ