Date: 08 November 2011
===========================================================================
AUSCERT Security Bulletin
ASB-2011.0098.2
A vulnerability has been identified in NJStar MiniSmtp
8 November 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              NJStar Communicator Version 3
                      NJStar Chinese Word Processor Version 5.30
                      NJStar Japanese Word Processor Version 5.30
                      NJStar Express Mail
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           None
CVE Names:            CVE-2011-4040
Member content until: Thursday, May 3 2012
Revision History:     November 8 2011: Patches released
                      November 3 2011: Initial Release

OVERVIEW

A vulnerability has been identified in multiple NJStar products
including, but not limited to, NJStar Communicator, NJStar Chinese Word
Processor, NJStar Japanese Word Processor & NJStar Express Mail.

IMPACT

A MiniSmtp server listening on port TCP/25 is provided with NJStar
Communicator, NJStar Chinese Word Processor, NJStar Japanese Word
Processor & NJStar Express Mail & possibly other NJStar products.

A vulnerability exists in this MiniSmtp server which can be exploited
using malicious packets to cause a Stack Buffer Overflow.

An attacker with network access to the NJStar Communicator MiniSmtp
server could access the system with administrative privileges and
potentially compromise the underlying host. [1]

Exploit code has been released publicly and also exists as a
Metasploit module. [2]

UPDATE: NJStar Chinese Calendar was also vulnerable. [3]

MITIGATION

We understand that the vulnerable MiniSmtp server is not running by
default; however, it is started the first time a user sends an email
message using one of the NJStar products.

Therefore a possible mitigation measure may be to check for the NJStar
MINISMTP.exe process and, if it is found, to terminate it. It may be
possible to prevent it from running by not sending email using NJStar
products.

UPDATE: NJStar has released updates to correct this vulnerability. The
following releases have been made:

- NJStar Communicator 3.00.11918
- NJStar Chinese Word Processor 5.30.11918
- NJStar Japanese Word Processor 5.30.11918
- NJStar Chinese Calendar 2.36.11918

Also all old versions of the programs listed above (downloaded before
the 5th of November 2011) can be fixed by updating the MiniSMTP.exe
component to version 3.0 (from v1.3x). This download can be found here:

- http://ftp.njstar.com/sw/njsmtp30rel11918.exe

NJStar has also changed the SMTP server configuration to only listen
on localhost.

More information is available on the NJStar website [3], and NJStar plans
to contact all registered customers shortly.
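
One way to carry out the process check described above and to confirm the two fixes (component version 3.0, listener bound to localhost only). This is an added example, not part of the AusCERT bulletin or NJStar's tooling. It assumes the process name is "MiniSmtp", that the executable's file version resource reflects the component version, and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later); the -Terminate switch is this script's own parameter.

```powershell
# Added example, not from the AusCERT bulletin. Run in an elevated PowerShell session.
# Assumption: the process image is MiniSmtp.exe, so its process name is "MiniSmtp".
param([switch]$Terminate)   # pass -Terminate to stop any instance that is found

$loopback = '127.0.0.1', '::1'
$procs = @(Get-Process -Name 'MiniSmtp' -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Output 'MiniSmtp.exe is not running.'
    return
}

foreach ($p in $procs) {
    # Path can be empty when the session lacks rights to inspect the process.
    $major = $null
    if ($p.Path) { $major = (Get-Item -LiteralPath $p.Path).VersionInfo.FileMajorPart }

    # TCP/25 listeners owned by this process; any address off loopback is network-reachable.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort 25 -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -eq $p.Id })
    $exposed = @($listeners | Where-Object { $loopback -notcontains $_.LocalAddress })

    [pscustomobject]@{
        ProcessId      = $p.Id
        Path           = $p.Path
        # Assumption: file major version 3 or higher is the fixed component; 1.3x is not.
        FileMajor      = $major
        # An unreadable or missing version is treated as needing an update.
        NeedsUpdate    = ($null -eq $major) -or ($major -lt 3)
        ListenAddrs    = ($listeners.LocalAddress -join ', ')
        NetworkExposed = ($exposed.Count -gt 0)
    }

    if ($Terminate) {
        Stop-Process -Id $p.Id -Force
        Write-Output "Terminated MiniSmtp.exe (PID $($p.Id))."
    }
}
```

Because the server is started again the next time a user sends mail from an NJStar product, a clean result only describes the moment the check ran.
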
REFERENCES
[1] NJStar Communicator MiniSmtp packet processing buffer overflow
vulnerability
http://www.kb.cert.org/vuls/id/819630
[2] Researcher Warns Of Exploitable Hole In Chinese Translation
Software NJStar
http://threatpost.com/en_us/blogs/researcher-warns-exploitable-hole-chinese-translation-software-njstar-110111
[3] NJStar Security Information
http://www.njstar.com/cms/njstar-security-information
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================