SmartServer3 POP3

[advisory+netcpop3 () BOS BINDVIEW COM (BindView Advisory)]

BindView Security Advisory

SmartServer3 Remote Buffer Overflow Technical Advisory

Issue date:  11/11/99
Contact:  Andrew Reiter <areiter () bos bindview com>

Topic
-----

There is a buffer overflow in NetCPlus' SmartServer3 POP3 server which can
allow a remote attacker to execute arbitrary code on the machine.

Affected Systems
----------------

Windows 95/98/NT machines running NetCPlus' SmartServer3 program with
the POP3 server started.  The version tested was 3.51.1 (built on 7/12/99).

Overview
--------

NetCPlus is the maker of low-cost business email solutions such as
SmartServer3, BrowseGate, and MailTreeve.  SmartServer3 is a product that
contains SMTP and POP3 servers.  The POP3 server, however, has a security
vulnerability in the form of a buffer overflow.  If one sends a large string
(~1000 characters) to the POP3 server, the server replies with "-ERR non-
existant command" (sic) and the POP3 server stops running.  This causes a
page fault in KERNEL32.DLL, but does not appear to be exploitable.  However,
when the string "USER <~800 char's>\r\n\r\n" is sent, a fault is caused in
NCPOPSERV.EXE.  This can be exploited to allow a remote attacker to execute
arbitrary code on the victim server.

Impact
------

Remote users can exploit a buffer overflow and execute commands on the
POP3 server's machine.

Appendix A, Software Information
--------------------------------

NetCPlus Internet Solutions, Ltd.
www.netcplus.com
www.netcplus.co.uk

NetCPlus is soon releasing SmartServer3 version 3.60 which fixes this
security flaw.

http://www.bindview.com/security

--