Buffer Overrun in ITHouse Mail Server
Reported June 1 by
Delphis Consulting Internet Security Team

VERSIONS EFFECTED
ITHouse Mail Server v1.04

DESCRIPTION

The SMTP mail service can be made to crash by sending a string of 2270 characters as a parameter to the RCPT TO command. During the crash characters beyond 2270 overwrite the EIP register making it possible to run abritrary code on the remote system.

DEMONSTRATION

HELO example.domain
MAIL FROM: example@example.domain
RCPT TO: <A x 2270> + EIP code
DATA
.
QUIT

VENDOR RESPONSE

The vendor, ITHouse, is aware of the problem and has released a patch which is available from their support department.

CREDITS
Discovered and reported by Delphis Consulting Internet Security Team