CommuniCrypt Mail Buffer Overflow Vulnerability in ActiveX Controls

A stack-based buffer overflow vulnerability has been identified in CommuniCrypt Mail versions through 1.16. The issue resides in the ANSMTP.dll and AOSMTP.dll ActiveX controls, specifically within the AddAttachments() method. This method does not properly validate the length of input strings, allowing data to overflow a fixed-size stack buffer. Exploitation of this vulnerability can corrupt adjacent memory structures, including exception handlers, potentially leading to arbitrary code execution with SYSTEM-level privileges.

Impact

Exploitation of this vulnerability allows for arbitrary code execution with SYSTEM-level privileges, completely compromising the affected system.

Reproduction

The vulnerability can be reproduced by creating a web page that includes an ActiveX object for the CommuniCrypt Mail ANSMTP.dll or AOSMTP.dll control. The AddAttachments() method can be called with a string that exceeds the buffer limit, causing a stack-based buffer overflow. This can be automated with a Metasploit module that exploits the vulnerability by sending a crafted payload that includes the overflow data and a return address to hijack the control flow.