COMMAND

	ISMAIL remote buffer overrun

SYSTEMS AFFECTED

	ISMAIL v 1.25 & v 1.4.3

PROBLEM

	In  Mark  Litchfield  [mark@ngssoftware.com]  of   NGSSoftware   Insight
	Security Research advisory [#NISR27022003] :
	
	 http://www.ngssoftware.com
	
	
	--snipp--
	
	ISMail  is  a  powerful  yet  easy  to  use  mail  server  for   Windows
	95/98/ME/NT/2000 & XP. It supports complete email service  for  both
	home and office use, and runs on a dedicated or a shared machine
	
	
	 Details
	 *******
	
	There exists a buffer overrun vulnerability in the SMTP service  offered
	by ISMAIL. By supplying long Domain  name  values  in  either  the  MAIL
	FROM: or RCPT TO: values, an attacker can overwrite the  saved  returned
	return address on the stack. As ISMAIL runs as  a  LOCALSYSTEM  account,
	any arbitrary code executed on the server being passed  by  an  attacker
	will run with system privileges. If no code  is  supplied,  ISMAIL  will
	simply crash leaving a file in the outgoing message  folder  which  will
	immediately trigger the error once ISMail is restarted.

SOLUTION

	The vendor has fixed the problems using the following:
	
	ISMail 1.4.5 (and subsequent versions) accept domain  names  up  to  255
	characters in length. Domain names exceeding this length  in  the  'mail
	from' and 'rcpt to' commands will result in a response of:  '501  Syntax
	error in parameters' Further, SMTP 'mail from'  and  'rcpt  to'  command
	lines exceeding 1024 characters (including the CRLF) will  result  in  a
	response of: '500 Line too long'
	
	The fix is available from  http://instantservers.com/download/ism145.exe
	Despite this is a BETA release, if you are running ISMAIL version  1.4.3
	or below, NGS  recommend  upgrading  to  the  BETA  version  to  protect
	yourself from possible attacks.
	
	--snap--