-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



1st Up Mail Server v4.1 Buffer Overflow Vulnerability



USSR Advisory Code:  USSR-2000058



Public Disclosure Date:

December 25, 2000



Vendors Affected:

Upland Ltd

http://www.upland.co.uk/



Systems Affected:

1st Up Mail Server v4.1



Problem:

The Ussr Team has recently discovered a Buffer Overflow in 1st Up

Mail Server v4.1 where they do not use proper bounds checking.

The overflow is in the field "mail from: <", a large number

of aaaaaa's "> (over 300). It then displays this message:



"Application popup: smtp server: smtp server.exe - Application Error

: The instruction at "0x00402f23" referenced memory at "0x61616161".

The memory could not be "read".



Click on OK to terminate the program

Click on CANCEL to debug the program "



This results in a Denial of Service against the service

in question.



Vendor Status:

Informed

Contacted

Patch Available



Fix:

Upgrade to version 1st Up Mail Server 4.1.4e



http://www.upland.co.uk/1stup/UpMailSetUp.EXE



Related Links:



Underground Security Systems Research:

http://www.ussrback.com



CrunchSp Product:

http://www.crunchsp.com



About:



USSR is an emerging security company based in South America.

We are devoted to network security research, vulnerability research,

and software protection systems. One of the main objectives of USSR

is to develop and implement cutting edge security and protection

systems

that cater to an evolving market.



We believe that the way we implement security solutions can make a

difference. CrunchSP is an example, providing a solution to software

piracy. Our solutions such as CrunchSP are devoted to protecting your

enterprise.



On a daily basis, we research, develop, discover and report

vulnerability information.  We make this information freely available

via public forums such as BugTraq, and our advisory board located at

http://www.ussrback.com.



The USSR is a highly skilled, experienced team.  Many USSR

programmers, as well as programmers of partners and affiliates, are

seasoned professionals, with 12 or more years of industry experience.

 A

knowledge base of numerous computer applications as well as many high

and

low

level programming languages makes USSRback a diverse team of experts

prepared to serve the needs of any customer.



USSR has assembled some of the world's greatest software developers

and security consultants to provide our customers with a wide range

of enterprise level services.  These services include:



* Network Penetration Testing

* Security Application development

* Application Security Testing and Certification

* Security Implementations

* Cryptography

* Emergency Response Team

* Firewalling

* Virtual Private Networking

* Intrusion Detection

* Support and maintenance



For more information, please contact us via email at

labs@ussrback.com.



Copyright (c) 1999-2000 Underground Security Systems Research.

Permission is hereby granted for the redistribution of this alert

electronically. It is not to be edited in any way without explicit

consent of USSR. If you wish to reprint whole or any part of this

alert in any other medium excluding electronic medium, please e-mail

labs@ussrback.com for permission.



Disclaimer:

The information within this paper may change without notice. We may

not be held responsible for the use and/or potential effects of these

programs or advisories.  Use them and read them at your own risk or

not at all. You solely are responsible for this judgment.



Feedback:



If you have any questions, comments, concerns, updates, or

suggestions please feel free to send them to:



Underground Security Systems Research

mail:labs@ussrback.com

http://www.ussrback.com



-----BEGIN PGP SIGNATURE-----

Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>



iQA/AwUBOkgZctybEYfHhkiVEQIxMACg/F5Wz6duPU/rYa/TR2joTHtsECUAnRcx

LVFBJdQdmwP53C/Uz/LucF8/

=qQZu

-----END PGP SIGNATURE-----