[NT] FTGate PRO/Office Security Vulnerabilities (Released Hotfixes)
From: support@securiteam.comDate: 04/04/02
- Previous message: support@securiteam.com: "[NT] Lotus Domino Physical Path Revealed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Thu, 4 Apr 2002 10:20:08 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
FTGate PRO/Office Security Vulnerabilities (Released Hotfixes)
------------------------------------------------------------------------
SUMMARY
<http://www.floositek.com> FTGate is Internet mail server for Windows
with SMTP/POP3 support and many additional features. Multiple security
vulnerabilities have been discovered in the product.
DETAILS
Vulnerable systems:
FTGate PRO version 1.05
FTGate Office version 1.05
Immune systems:
FTGate PRO version 1.05 with Hotfixes
1. Heap overflow in APOP command
FTGate attempts to detect buffer overflow attacks. If an attack is
detected the source IP is banned from access. However, in the case of APOP
command it still possible to overflow dynamic buffer with
APOP USER <BUFFER>
This will cause the program to crash immediately or after buffer is
free()'d if buffer size is in range of approximately 1-2k.
FTGateSrv.exe crashes with message like
FTGateSrv.exe - Application error
The instruction at 0x002b686b referenced memory at 0x41414145. The
memory couldn't be "read".
002B6865 mov edx,dword ptr [ebp-20h]
002B6868 mov eax,dword ptr [edx+4]
002B686B call dword ptr [eax+4]
(As you can see in example, this problem can be exploited to execute code
of attacker's choice, but there are few different crash situations. It is
not clear if this problem can always be exploited remotely)
2. DoS via Rcpt to: flood
By specifying a huge number of "Rcpt to:" in SMTP session, it is possible
to cause a memory leak. During and after the attack server's CPU
consumption remain at 100%.
3. DoS against POP3 mailboxes
A mailbox can be locked before authentication via the usage of the POP3
USER command.
Vendor:
Vendor released patches for FTGate PRO and FTGate Office within 24 hours
after problem was committed.
Solution:
Upgrade to the latest version, or install the Hotfixes available at:
<http://www.ftgate.com/knwldgbs/hotfix.htm>
http://www.ftgate.com/knwldgbs/hotfix.htm
ADDITIONAL INFORMATION
The information has been provided by <mailto:3APA3A@SECURITY.NNOV.RU>
3APA3A.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NT] Lotus Domino Physical Path Revealed"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
