Vulnerabilities > CVE-2005-2472 - Remote Buffer Overflow vulnerability in Netcplus Businessmail 4.60.00

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
netcplus
nessus
exploit available
NVD
Published: 2005-08-05
Updated: 2017-07-11

Summary

Multiple buffer overflows in BusinessMail 4.60.00 allow remote attackers to cause a denial of service (application crash) via a long string to SMTP (1) HELO or (2) MAIL FROM commands.

Vulnerable Configurations

Part Description Count
Application
Netcplus
1

Exploit-Db

  • descriptionBusinessMail <= 4.60.00 Remote Buffer Overflow Exploit. CVE-2005-2472. Dos exploit for windows platform
    idEDB-ID:1164
    last seen2016-01-31
    modified2005-07-30
    published2005-07-30
    reporterReed Arvin
    sourcehttps://www.exploit-db.com/download/1164/
    titleBusinessMail <= 4.60.00 - Remote Buffer Overflow Exploit
  • descriptionBusinessMail Server <= 4.60.00 Remote Denial of Service Exploit. CVE-2005-2472. Dos exploit for windows platform
    idEDB-ID:1126
    last seen2016-01-31
    modified2005-08-01
    published2005-08-01
    reporterKozan
    sourcehttps://www.exploit-db.com/download/1126/
    titleBusinessMail Server <= 4.60.00 - Remote Denial of Service Exploit

Nessus

NASL familySMTP problems
NASL idBUSINESSMAIL_SMTP_OVERFLOWS.NASL
descriptionThe remote host is running BusinessMail, a commercial mail server for Windows from NetCPlus. The version of BusinessMail on the remote host fails to sanitize input to the
last seen2020-06-01
modified2020-06-02
plugin id19365
published2005-08-02
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/19365
titleBusinessMail Multiple SMTP Command Remote Buffer Overflows
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if (description) {
  script_id(19365);
  script_version("1.19");

  script_cve_id("CVE-2005-2472");
  script_bugtraq_id(14434);

  script_name(english:"BusinessMail Multiple SMTP Command Remote Buffer Overflows");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote SMTP server is susceptible to buffer overflow attacks." );
 script_set_attribute(attribute:"description", value:
"The remote host is running BusinessMail, a commercial mail server for
Windows from NetCPlus. 

The version of BusinessMail on the remote host fails to sanitize input
to the 'HELO' and 'MAIL FROM' SMTP commands, which can be exploited by
an unauthenticated, remote attacker to crash the SMTP service and
possibly even execute arbitrary code within the context of the server
process." );
 script_set_attribute(attribute:"see_also", value:"http://reedarvin.thearvins.com/20050730-01.html" );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ac6c13db" );
 script_set_attribute(attribute:"see_also", value:"http://www.attrition.org/pipermail/vim/2007-June/001640.html" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to BusinessMail 4.7 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/02");
 script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/01");
 script_cvs_date("Date: 2018/06/27 18:42:26");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
  script_summary(english:"Checks for remote buffer overflow vulnerabilities in BusinessMail");
  script_category(ACT_MIXED_ATTACK);
  script_family(english:"SMTP problems");
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_dependencies("smtpserver_detect.nasl");
  script_require_ports("Services/smtp", 25);
  exit(0);
}


include("global_settings.inc");
include("smtp_func.inc");
include("misc_func.inc");

port = get_service(svc:"smtp", default: 25, exit_on_fail: 1);
if (get_kb_item('SMTP/'+port+'/broken')) exit(0);


# If the banner suggests it's BusinessMail...
banner = get_smtp_banner(port:port);
if (banner && "BusinessMail SMTP server" >< banner) {
  # If safe checks are enabled...
  if (safe_checks()) {
    if (banner =~ "BusinessMail SMTP server ([0-3]\.|4\.([0-5].*|60.*|61\.0[0-2]))") {
      report = 
"Note that Nessus has determined the vulnerability exists on the
remote host simply by looking at the software's banner.
"; 
      security_hole(port:port, extra:report);
    }
  }
  # Otherwise...
  else {
    # Let's try to crash it.
    soc = smtp_open(port:port, helo:"nessus");
    if (!soc) exit(0);

    c = 'MAIL FROM:' + crap(1000);
    send(socket:soc, data: c+'\r\n');
    s = smtp_recv_line(socket:soc);
    close(soc);

    # Try once to reconnect.
    sleep(1);
    soc = open_sock_tcp(port);
    if (!soc)
    {
      if (service_is_dead(port: port) > 0)
        security_hole(port);
      exit(0);
    }
    if (!smtp_recv_line(socket:soc)) {
      security_hole(port);
      exit(0);
    }
    close(soc);
  }
}

References