SECURITY.NNO: FTGate PRO/Office hotfixes
From: 3APA3A (3APA3A@SECURITY.NNOV.RU)Date: 04/03/02
- Previous message: Florian Hobelsberger / BlueScreen: "Dynamic Guestbook V3.0 Cross Site Scripting and Arbitrary Command Execution under certain circumstances"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 3 Apr 2002 20:18:26 +0400 From: 3APA3A <3APA3A@SECURITY.NNOV.RU> To: bugtraq@securityfocus.com
Dear bugtraq,
Original version available at http://www.security.nnov.ru/advisories/ftgate.asp
Title : FTGate PRO/Office hotfixes
Author : 3APA3A <3APA3A@security.nnov.ru>
Date : December, 18 2001
Affected : FTGate PRO 1.05, FTGate Office 1.05
Vendor : Floositek [1]
Risk : high
Remote : yes
Exploitable : yes
Intro:
Ftgate is Internet mail server for Windows with SMTP/POP3 support and a
lot of additional features by Floositek[1]. During testing few
vulnerabilities were found by Ilya Teterin aka buggzy [4] and
SECURITY.NNOV [3].
Details:
1. Heap overflow in APOP command
FTGate detects buffer overflow attack attempts. If attack detected
source IP is banned. But in case of APOP command it still possible to
overflow dynamic buffer with
APOP USER <BUFFER>
it causes program to crash immediately or after buffer is free()'d if
buffer size is in range of approximately 1-2k. FTGateSrv.exe crashes
with message like
FTGateSrv.exe - Application error
The instruction at 0x002b686b referenced memory at 0x41414145. The
memory couldn't be "read".
002B6865 mov edx,dword ptr [ebp-20h]
002B6868 mov eax,dword ptr [edx+4]
002B686B call dword ptr [eax+4]
(as you can see in example this problem can be exploited to execute code
of attacker's choice, but there are few different crash situations. It's
not clear if this problem can always be exploited remotely.)
2. DoS via Rcpt to: flood
By specifying huge number of Rcpt to: in SMTP session it's possible to
cause memory leak. During and after attack server will use 100% CPU.
3. DoS against POP3 mailbox.
As reported by buggzy [4] mailbox can be locked before authentication
via POP3 USER command.
Vendor:
Vendor released patches for FTGate PRO and FTGate Office [2] within 24
hours after problem was committed.
References:
1. Floositek Ltd
http://www.floositek.com
2. Hotfixes for FTGatePro V1.05
http://www.ftgate.com/knwldgbs/hotfix.htm
3. Multiple bugs in FTGate
http://www.security.nnov.ru/search/news.asp?binid=1884
4. Головоломка для хакера, взлом FTGate
http://securitylab.ru/?ID=29407
-- http://www.security.nnov.ru /\_/\ { , . } |\ +--oQQo->{ ^ }<-----+ \ | ZARAZA U 3APA3A } +-------------o66o--+ / |/ You know my name - look up my number (The Beatles)
