[12537] in bugtraq


SmartServer3 POP3

daemon@ATHENA.MIT.EDU (BindView Advisory)
Thu Nov 11 15:33:43 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19991111082804.A20697@pueblo.netect.com>
Date:         Thu, 11 Nov 1999 08:28:04 -0500
Reply-To: BindView Advisory <advisory+netcpop3@BOS.BINDVIEW.COM>
From: BindView Advisory <advisory+netcpop3@BOS.BINDVIEW.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

BindView Security Advisory


SmartServer3 Remote Buffer Overflow Technical Advisory

Issue date:  11/11/99
Contact:  Andrew Reiter <areiter@bos.bindview.com>


Topic
-----

There is a buffer overflow in NetCPlus' SmartServer3 POP3 server which can
allow a remote attacker to execute arbitrary code on the machine.


Affected Systems
----------------

Windows 95/98/NT machines running NetCPlus' SmartServer3 program with
the POP3 server started.  The version tested was 3.51.1 (built on 7/12/99).


Overview
--------

NetCPlus is the maker of low-cost business email solutions such as
SmartServer3, BrowseGate, and MailTreeve.  SmartServer3 is a product that
contains SMTP and POP3 servers.  The POP3 server, however, has a security
vulnerability in the form of a buffer overflow.  If one sends a large string
(~1000 characters) to the POP3 server, the server replies with "-ERR non-
existant command" (sic) and the POP3 server stops running.  This causes a
page fault in KERNEL32.DLL, but does not appear to be exploitable.  However,
when the string "USER <~800 characters>\r\n\r\n" is sent, a fault is caused in
NCPOPSERV.EXE.  This can be exploited to allow a remote attacker to execute
arbitrary code on the victim server.


Impact
------

Remote users can exploit a buffer overflow and execute commands on the
POP3 server's machine.


Appendix A, Software Information
--------------------------------

NetCPlus Internet Solutions, Ltd.
www.netcplus.com
www.netcplus.co.uk

NetCPlus is soon releasing SmartServer3 version 3.60 which fixes this
security flaw.



http://www.bindview.com/security
--
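
A bounds-checked parser for the POP3 command line discussed in the Overview, added here as an illustration; it is not code from BindView or NetCPlus and does not describe the vendor's fix. It applies the RFC 1939 keyword and argument limits and the RFC 2449 line limit before any byte is copied, so an over-long USER argument becomes a protocol error; the names pop3_parse_line, struct pop3_cmd and the status codes are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POP3_KEYWORD_MAX 4   /* RFC 1939: keywords are 3 or 4 characters */
#define POP3_ARG_MAX     40  /* RFC 1939: an argument is at most 40 characters */
#define POP3_LINE_MAX    255 /* RFC 2449: command line, CRLF included */

enum pop3_status { POP3_OK, POP3_ERR_TOO_LONG, POP3_ERR_SYNTAX };

struct pop3_cmd {
    char keyword[POP3_KEYWORD_MAX + 1];
    char arg[POP3_ARG_MAX + 1];
};

/* Parse one CRLF-terminated line of len bytes (not NUL-terminated).
 * Assumption: text after the first space is one argument, as for USER. */
enum pop3_status pop3_parse_line(const char *line, size_t len, struct pop3_cmd *out)
{
    const char *sp;
    size_t klen, alen, i;

    memset(out, 0, sizeof *out);            /* result is always NUL-terminated */
    if (len > POP3_LINE_MAX)
        return POP3_ERR_TOO_LONG;
    if (len < 2 || line[len - 2] != '\r' || line[len - 1] != '\n')
        return POP3_ERR_SYNTAX;
    len -= 2;                               /* drop the CRLF */
    sp = memchr(line, ' ', len);
    klen = sp ? (size_t)(sp - line) : len;
    alen = sp ? len - klen - 1 : 0;
    if (klen > POP3_KEYWORD_MAX || alen > POP3_ARG_MAX)
        return POP3_ERR_TOO_LONG;           /* checked before any copy */
    if (klen < 3)
        return POP3_ERR_SYNTAX;
    for (i = 0; i < klen; i++)
        out->keyword[i] = (char)toupper((unsigned char)line[i]);
    if (alen)
        memcpy(out->arg, sp + 1, alen);
    return POP3_OK;
}

int main(void)
{
    struct pop3_cmd c;
    char big[807];                          /* constructed: "USER " + 800 x 'A' + CRLF */
    memcpy(big, "USER ", 5); memset(big + 5, 'A', 800); memcpy(big + 805, "\r\n", 2);
    printf("long USER line: status %d\n", (int)pop3_parse_line(big, sizeof big, &c));
    printf("normal USER line: status %d\n", (int)pop3_parse_line("USER alice\r\n", 12, &c));
    return 0;
}
```

A server using this would answer any non-OK status with an -ERR response and keep the connection state unchanged.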
