[NT] FTGate PRO/Office Security Vulnerabilities (Released Hotfixes)

From: support@securiteam.com
Date: 04/04/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu,  4 Apr 2002 10:20:08 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  FTGate PRO/Office Security Vulnerabilities (Released Hotfixes)
------------------------------------------------------------------------

SUMMARY

 <http://www.floositek.com> FTGate is an Internet mail server for Windows
with SMTP/POP3 support and many additional features. Multiple security
vulnerabilities have been discovered in the product.

DETAILS

Vulnerable systems:
FTGate PRO version 1.05
FTGate Office version 1.05

Immune systems:
FTGate PRO version 1.05 with Hotfixes

1. Heap overflow in APOP command
FTGate attempts to detect buffer overflow attacks: if an attack is
detected, the source IP is banned from further access. However, in the case
of the APOP command it is still possible to overflow a dynamically allocated
buffer with

 APOP USER <BUFFER>

This will cause the program to crash immediately, or after the buffer is
free()'d, if the buffer size is in the range of approximately 1-2k.

FTGateSrv.exe crashes with a message like
      FTGateSrv.exe - Application error

       The instruction at 0x002b686b referenced memory at 0x41414145. The
       memory couldn't be "read".

      002B6865 mov edx,dword ptr [ebp-20h]
      002B6868 mov eax,dword ptr [edx+4]
      002B686B call dword ptr [eax+4]

(As you can see in the example, this problem could be exploited to execute
code of the attacker's choice, but there are a few different crash
situations. It is not clear whether this problem can always be exploited
remotely.)
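The defensive counterpart to the crash above is to validate argument lengths before anything is copied into a fixed-size heap buffer. The following is an added example, not FTGate's code: a bounds-checked parser for the POP3 APOP command. RFC 1939 (section 3) limits each argument to 40 characters, and APOP's second argument is a 16-octet MD5 digest in hex (32 characters), so an "APOP USER <BUFFER>" line with a 1-2k argument is refused outright. The 255-byte line limit and the function names are assumptions chosen for the demo.

```c
/* Added example, not FTGate's code: bounds-checked APOP parsing.
 * RFC 1939 section 3: each argument is at most 40 characters; the APOP
 * digest is hex(MD5), i.e. exactly 32 characters. The whole-line limit
 * below is an assumption for the demo. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POP3_MAX_ARG    40   /* RFC 1939 section 3 */
#define APOP_DIGEST_LEN 32   /* hex(MD5) */
#define POP3_MAX_LINE   255  /* assumption: longest command line accepted */

struct apop_args {
    char name[POP3_MAX_ARG + 1];
    char digest[APOP_DIGEST_LEN + 1];
};

/* Case-insensitive match of the command keyword followed by one space. */
static int has_keyword(const char *line, const char *kw)
{
    size_t n = strlen(kw);
    for (size_t i = 0; i < n; i++)
        if (line[i] == '\0' || toupper((unsigned char)line[i]) != kw[i]) return 0;
    return line[n] == ' ';
}

/* Parse "APOP <name> <digest>" (no CRLF). Returns 0 on success, -1 when the
 * line is malformed or any argument exceeds its fixed size; nothing is
 * written to `out` on failure, so no copy can run past a buffer. */
int parse_apop(const char *line, struct apop_args *out)
{
    if (strlen(line) > POP3_MAX_LINE) return -1;   /* refuse overlong lines first */
    if (!has_keyword(line, "APOP")) return -1;
    const char *name = line + 5;
    const char *sp = strchr(name, ' ');
    if (sp == NULL) return -1;
    size_t name_len = (size_t)(sp - name);
    if (name_len == 0 || name_len > POP3_MAX_ARG) return -1;
    const char *digest = sp + 1;
    if (strlen(digest) != APOP_DIGEST_LEN) return -1;
    for (size_t i = 0; i < APOP_DIGEST_LEN; i++)
        if (!isxdigit((unsigned char)digest[i])) return -1;
    memcpy(out->name, name, name_len);
    out->name[name_len] = '\0';
    memcpy(out->digest, digest, APOP_DIGEST_LEN);
    out->digest[APOP_DIGEST_LEN] = '\0';
    return 0;
}

/* Build a constructed "APOP USER " line followed by n bytes of 'A' (the
 * shape the advisory describes) and report whether the parser rejects it
 * (1 = rejected, 0 = accepted, -1 = allocation failure). */
int apop_overlong_is_rejected(size_t n)
{
    struct apop_args a;
    char *line = malloc(10 + n + 1);
    if (!line) return -1;
    memcpy(line, "APOP USER ", 10);
    memset(line + 10, 'A', n);
    line[10 + n] = '\0';
    int rejected = parse_apop(line, &a) != 0;
    free(line);
    return rejected;
}

int main(void)
{
    struct apop_args a;
    const char *ok = "APOP alice c4c9334bac560ecc979e58001b3e22fb";
    printf("%s -> %s\n", ok, parse_apop(ok, &a) == 0 ? "+OK" : "-ERR");
    printf("APOP USER <1500 x 'A'> -> %s\n",
           apop_overlong_is_rejected(1500) ? "-ERR" : "+OK");
    return 0;
}
```

The point of checking the whole-line length before the keyword is that the reject path runs before any per-argument work, so a ban-on-detection mechanism like FTGate's never has to see the oversized line reach the heap.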

2. DoS via Rcpt to: flood
By specifying a huge number of "Rcpt to:" commands in an SMTP session, it is
possible to cause a memory leak. During and after the attack, the server's
CPU consumption remains at 100%.
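The usual mitigation for a recipient flood is per-session accounting: cap the number of recipients a single transaction may accumulate and release all transaction state on RSET, end of DATA and QUIT. The following is an added example, not FTGate's code; the cap of 100, the struct layout and the function names are assumptions. RFC 5321 asks servers to accept at least 100 recipients per message and specifies "452 Too many recipients" as the reply once a server's limit is reached.

```c
/* Added example, not FTGate's code: bounded per-session RCPT TO state.
 * The cap and the struct layout are assumptions for the demo; the reply
 * codes 250/451/452 are the RFC 5321 values. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RCPT 100   /* RFC 5321 minimum a server should support */

struct smtp_session {
    char **rcpt;      /* fixed-capacity heap array of recipient addresses */
    size_t nrcpt;     /* recipients accepted in the current transaction */
    size_t rejected;  /* RCPT commands refused by the cap, for logging */
};

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

int session_init(struct smtp_session *s)
{
    memset(s, 0, sizeof *s);
    s->rcpt = calloc(MAX_RCPT, sizeof *s->rcpt);
    return s->rcpt ? 0 : -1;
}

/* Release all per-transaction state. Called on RSET, after DATA and on
 * QUIT so that nothing accumulated by the client outlives the transaction. */
void session_reset(struct smtp_session *s)
{
    for (size_t i = 0; i < s->nrcpt; i++) free(s->rcpt[i]);
    s->nrcpt = 0;
}

void session_free(struct smtp_session *s)
{
    session_reset(s);
    free(s->rcpt);
    s->rcpt = NULL;
}

/* Handle one "RCPT TO:<addr>" and return the SMTP reply code. Once the cap
 * is hit the address is not stored at all, so memory stays bounded no
 * matter how many RCPT commands the client sends. */
int session_add_rcpt(struct smtp_session *s, const char *addr)
{
    if (s->nrcpt >= MAX_RCPT) {
        s->rejected++;
        return 452;                      /* 452 4.5.3 Too many recipients */
    }
    s->rcpt[s->nrcpt] = xstrdup(addr);
    if (!s->rcpt[s->nrcpt]) return 451;  /* local error in processing */
    s->nrcpt++;
    return 250;
}

/* Model a flood of n RCPT commands with constructed addresses and return
 * how many were accepted; the rest received 452. */
size_t simulate_rcpt_flood(size_t n)
{
    struct smtp_session s;
    if (session_init(&s) != 0) return 0;
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        char addr[64];
        snprintf(addr, sizeof addr, "user%zu@example.test", i);
        if (session_add_rcpt(&s, addr) == 250) accepted++;
    }
    printf("%zu RCPT commands: %zu accepted, %zu refused with 452\n",
           n, accepted, s.rejected);
    session_free(&s);
    return accepted;
}

int main(void)
{
    simulate_rcpt_flood(5);
    simulate_rcpt_flood(5000);
    return 0;
}
```

A production server would additionally count 452 replies per connection and drop the connection after some threshold, which also addresses the CPU cost of continuing to parse a client that is clearly looping.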

3. DoS against POP3 mailboxes
A mailbox can be locked before authentication by using the POP3 USER
command alone.
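RFC 1939 (section 4) has the server acquire the exclusive maildrop lock only after an authentication command has succeeded, which is exactly what prevents an unauthenticated USER from locking someone else's mailbox. The following is an added example, not FTGate's code, of a POP3 session model that defers the lock to a verified PASS; the in-memory mailbox table, its constructed credentials and the function names are assumptions for the demo.

```c
/* Added example, not FTGate's code: lock the maildrop only once the
 * password has been verified. The mailbox table and credentials below are
 * constructed for the demo (plaintext passwords and strcmp are for
 * illustration only; a real server stores hashes and compares in
 * constant time). */
#include <stdio.h>
#include <string.h>

#define MAX_BOXES    4
#define POP3_MAX_ARG 40   /* RFC 1939 section 3 */

struct mailbox { const char *name; const char *password; int locked; };

static struct mailbox boxes[MAX_BOXES] = {
    { "alice", "s3cret",  0 },
    { "bob",   "hunter2", 0 },
};

enum pop3_state { AUTHORIZATION, TRANSACTION };

struct pop3_session {
    enum pop3_state state;
    char pending_user[POP3_MAX_ARG + 1];
    struct mailbox *box;   /* non-NULL only while this session holds the lock */
};

static struct mailbox *find_box(const char *name)
{
    for (int i = 0; i < MAX_BOXES; i++)
        if (boxes[i].name && strcmp(boxes[i].name, name) == 0) return &boxes[i];
    return NULL;
}

/* USER: remember the name and nothing more. No lookup, no lock, and the
 * same reply whether or not the account exists. */
const char *pop3_user(struct pop3_session *s, const char *name)
{
    if (s->state != AUTHORIZATION) return "-ERR already authenticated";
    if (strlen(name) == 0 || strlen(name) > POP3_MAX_ARG) return "-ERR invalid user";
    strcpy(s->pending_user, name);   /* bounded: length checked above */
    return "+OK";
}

/* PASS: verify first; only a successful check takes the exclusive lock and
 * moves the session to TRANSACTION (RFC 1939 section 4). */
const char *pop3_pass(struct pop3_session *s, const char *password)
{
    if (s->state != AUTHORIZATION || s->pending_user[0] == '\0') return "-ERR no user";
    struct mailbox *b = find_box(s->pending_user);
    if (!b || strcmp(b->password, password) != 0) return "-ERR invalid password";
    if (b->locked) return "-ERR maildrop already locked";
    b->locked = 1;
    s->box = b;
    s->state = TRANSACTION;
    return "+OK maildrop locked and ready";
}

/* QUIT (or connection loss): release the lock if this session holds it. */
const char *pop3_quit(struct pop3_session *s)
{
    if (s->box) { s->box->locked = 0; s->box = NULL; }
    s->state = AUTHORIZATION;
    s->pending_user[0] = '\0';
    return "+OK";
}

/* 1 if the named mailbox is currently locked, 0 otherwise. */
int mailbox_is_locked(const char *name)
{
    struct mailbox *b = find_box(name);
    return b ? b->locked : 0;
}

int main(void)
{
    struct pop3_session attacker = { AUTHORIZATION, "", NULL };
    struct pop3_session owner = { AUTHORIZATION, "", NULL };
    printf("unauthenticated USER alice -> %s, locked=%d\n",
           pop3_user(&attacker, "alice"), mailbox_is_locked("alice"));
    pop3_user(&owner, "alice");
    printf("owner PASS -> %s, locked=%d\n",
           pop3_pass(&owner, "s3cret"), mailbox_is_locked("alice"));
    pop3_quit(&owner);
    return 0;
}
```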

Vendor:
The vendor released patches for FTGate PRO and FTGate Office within 24
hours of the problem being submitted.

Solution:
Upgrade to the latest version, or install the Hotfixes available at:
 <http://www.ftgate.com/knwldgbs/hotfix.htm>

ADDITIONAL INFORMATION

The information has been provided by <mailto:3APA3A@SECURITY.NNOV.RU>
3APA3A.

