CVE-1999-1516
Description
A buffer overflow in TenFour TFS SMTP 3.2 allows remote unauthenticated attackers to crash the service and potentially execute arbitrary code via a crafted MAIL FROM command.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
TenFour TFS SMTP Gateway version 3.2 on Windows NT 3.x/4.x contains a buffer overflow in the SMTP service. When a remote client connects to port 25 and issues a helo command followed by a MAIL FROM string longer than 128 bytes, the server triggers a protection fault and crashes. This overflow has been confirmed to be exploitable for arbitrary code execution, and TenFour addressed it in release 4.0 [1].
Exploitation
An attacker needs no authentication or special network position; the SMTP service is typically exposed on port 25. The attack sequence is: connect via telnet, send helo, then send mail from: followed by a payload of more than 128 bytes. The advisory demonstrates this exact procedure, confirming that the crash occurs immediately upon sending the oversized string [1].
Impact
Successful exploitation crashes the TFS SMTP Gateway, causing denial of service. Additionally, because the overflow overwrites saved instruction pointers, an attacker may achieve arbitrary code execution with the privileges of the SMTP service process (typically SYSTEM on Windows NT). The advisory notes that the flaw also allows the server to be used for spamming under certain misconfigurations [1].
Mitigation
TenFour released version 4.0 to address this buffer overflow [1]. Administrators running TFS SMTP 3.2 should upgrade to 4.0 or later. No workaround is documented; restricting network access to the SMTP port (25) from untrusted sources may reduce exposure if an immediate upgrade is not possible.
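For hosts that cannot be upgraded at once, the over-long MAIL FROM string described above can be detected on the wire or at a filtering relay. The following is an added example, not code from the advisory or from TenFour: `SmtpClientMonitor`, `scan` and the sample bytes are hypothetical names and constructed data, and the monitor assumes it sees only the client-to-server half of one connection and that the server accepts every `DATA` command.

```python
import re

# The write-up above puts the crash threshold at a MAIL FROM string longer than 128 bytes.
LIMIT = 128
MAIL_FROM = re.compile(rb"^\s*MAIL\s+FROM:", re.IGNORECASE)

class SmtpClientMonitor:
    """Tracks the client-to-server bytes of one SMTP connection (hypothetical helper)."""

    def __init__(self, limit=LIMIT):
        self.limit = limit
        self.buf = b""
        self.in_data = False   # True between DATA and the terminating "." line
        self.flagged = False   # the current line has already been reported
        self.alerts = []       # (argument_length_seen, line_was_terminated)

    def feed(self, chunk):
        self.buf += chunk
        while b"\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\n")
            self._inspect(line.rstrip(b"\r"), complete=True)
        if self.buf:
            # An oversized command may arrive without its CRLF: check the partial line too.
            self._inspect(self.buf, complete=False)
        return self.alerts

    def _inspect(self, line, complete):
        if self.in_data:  # message body: a line that looks like MAIL FROM is not a command
            if complete and line == b".":
                self.in_data = False
            return
        match = MAIL_FROM.match(line)
        if match:
            arg_len = len(line) - match.end()  # every byte after the colon, padding included
            if arg_len > self.limit and not self.flagged:
                self.alerts.append((arg_len, complete))
                self.flagged = True
        elif complete and line.strip().upper() == b"DATA":
            self.in_data = True
        if complete:
            self.flagged = False

def scan(chunks, limit=LIMIT):
    monitor = SmtpClientMonitor(limit)
    for chunk in chunks:
        monitor.feed(chunk)
    return monitor.alerts

# Constructed sample: one oversized argument split across two TCP payloads.
SAMPLE = [b"helo client.example\r\n", b"mail from: " + b"A" * 100, b"A" * 100 + b"\r\n"]
```

`scan(SAMPLE)` reports one alert with the full argument length; a production monitor would also cap `buf` so an unterminated line cannot grow without bound.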
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:tenfour:tfs_gateway_smtp:3.2:*:*:*:*:*:*:*
- (no CPE) range: =3.2
Patches
No patches discovered yet.
References
- [1] marc.info (nvd)