InstantServer ISMail Remote User Field Buffer Overflow Vulnerability

Vulnerability ID 1202179 Vulnerability type Buffer overflow
Published 2003-12-31 Updated 2003-12-31
CVE number CVE-2003-1382
CNNVD ID CNNVD-200312-236
Platform N/A CVSS score 7.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007100075
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-236
|Vulnerability details
ISMail 1.4.3 and earlier contain a buffer overflow. A remote attacker can execute arbitrary code by supplying an overly long domain name in the (1) MAIL FROM or (2) RCPT TO field.
|Vulnerability EXP
NGSSoftware Insight Security Research Advisory

Name:              ISMAIL v 1.25 & v 1.4.3 Remote Buffer Overrun
Systems Affected:  WinNT, Win2K, XP
Severity:          High Risk
Category:          Remote Buffer Overrun
Vendor URL:        http://instantservers.com/ismail.html
Author:            Mark Litchfield (mark (at) ngssoftware (dot) com [email concealed])
Date:              27th February 2003
Advisory number:   #NISR27022003

Vendor Description
******************

ISMail is a powerful yet easy to use mail server for Windows
95/98/ME/NT/2000 & XP.  It supports complete email service for both home and
office use, and runs on a dedicated or a shared machine.

Details
*******

There exists a buffer overrun vulnerability in the SMTP service offered by
ISMAIL.  By supplying long Domain name values in either the MAIL FROM: or
RCPT TO: values, an attacker can overwrite the saved return address on the
stack.  As ISMAIL runs under the LOCALSYSTEM account, any code supplied by an
attacker and executed on the server will run with system privileges.  If no
code is supplied, ISMAIL will simply crash, leaving a file in the outgoing
message folder which will immediately trigger the error again once ISMail is
restarted.

Fix Information
***************
The vendor has fixed the problems using the following:

ISMail 1.4.5 (and subsequent versions) accept domain names up to 255
characters in length. Domain names exceeding this length in the 'mail from'
and 'rcpt to' commands will result in a response of: '501 Syntax error in
parameters'.
Further, SMTP 'mail from' and 'rcpt to' command lines exceeding 1024
characters (including the CRLF) will result in a response of: '500 Line too
long'.

The fix is available from http://instantservers.com/download/ism145.exe
Although this is a BETA release, if you are running ISMAIL version 1.4.3 or
below, NGS recommend upgrading to the BETA version to protect yourself from
possible attacks.

I would like to add that the vendors of ISMAIL reproduced, fixed and made a
patch available within 48 hours of notification.

A check for these issues has been added to Typhon II, of which more
information is available from the
NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
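The two limits described in the fix notes above (a 255-character domain part and a 1024-byte command line including CRLF) amount to a small input-validation specification. The following is an added example of a parser that enforces them before any copy into a fixed-size buffer could occur; it is not ISMail's code. The two rejection replies are quoted from the fix notes, while the '250 OK' accept reply, the '500 Syntax error, command unrecognized' reply for other verbs, the angle-bracket path syntax and the sample lines are assumptions made here.

```python
import re

# Limits taken from the fix notes for ISMail 1.4.5 in the advisory above
MAX_LINE_LEN = 1024    # whole command line, CRLF included
MAX_DOMAIN_LEN = 255   # domain part of the path in MAIL FROM / RCPT TO

# Envelope verbs whose path argument is checked (other commands are not handled here)
_VERB_RE = re.compile(r"^(MAIL FROM|RCPT TO):(.*)$", re.IGNORECASE | re.DOTALL)
# A path such as "<user@domain>" or the empty reverse-path "<>" (assumed syntax)
_PATH_RE = re.compile(r"^\s*<?([^<>\s]*)>?\s*$")


def check_envelope_line(line: bytes) -> str:
    """Return the SMTP reply a length-checked parser gives for one raw
    command line (bytes as read from the socket, CRLF included).
    Rejection replies are the ones quoted in the fix notes; the accept
    reply and the unknown-command reply are assumed here."""
    # 1. Bound the whole line first, so an over-long domain is refused
    #    before any parsing (and any copying) of its contents happens.
    if len(line) > MAX_LINE_LEN:
        return "500 Line too long"
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    verb = _VERB_RE.match(text)
    if verb is None:
        return "500 Syntax error, command unrecognized"
    path = _PATH_RE.match(verb.group(2))
    if path is None:
        return "501 Syntax error in parameters"
    # 2. Bound the domain part; "<>" and local-only paths have no domain.
    _, at, domain = path.group(1).rpartition("@")
    if at and len(domain) > MAX_DOMAIN_LEN:
        return "501 Syntax error in parameters"
    return "250 OK"


if __name__ == "__main__":
    # Constructed sample lines: a normal envelope, an over-long domain,
    # and a line that breaks the 1024-byte limit on its own.
    samples = [
        b"MAIL FROM:<alice@example.org>\r\n",
        b"RCPT TO:<bob@" + b"a" * 300 + b">\r\n",
        b"MAIL FROM:<bob@" + b"a" * 1100 + b">\r\n",
    ]
    for raw in samples:
        print(len(raw), check_envelope_line(raw))
```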
|References

Source: XF
Name: ismail-smtp-domain-bo (11432)
Link: http://xforce.iss.net/xforce/xfdb/11432
Source: BUGTRAQ
Name: 20030227 ISMAIL (All Versions) Remote Buffer Overrun
Link: http://www.securityfocus.com/archive/1/313363
Source: BID
Name: 6972
Link: http://www.securityfocus.com/bid/6972
Source: SREASON
Name: 3254
Link: http://securityreason.com/securityalert/3254
