SECURITY.NNO: FTGate PRO/Office hotfixes

From: 3APA3A (3APA3Aat_private)
Date: Wed Apr 03 2002 - 08:18:26 PST


    Dear bugtraq,
    
    Original version available at http://www.security.nnov.ru/advisories/ftgate.asp
    
    Title                   : FTGate PRO/Office hotfixes
    Author                  : 3APA3A <3APA3Aat_private>
    Date                    : December, 18 2001
    Affected                : FTGate PRO 1.05, FTGate Office 1.05
    Vendor                  : Floositek [1]
    Risk                    : high
    Remote                  : yes
    Exploitable             : yes
    
    Intro:
    
    FTGate is an Internet mail server for Windows with SMTP/POP3 support and a
    lot of additional features, by Floositek [1]. During testing, a few
    vulnerabilities were found by Ilya Teterin aka buggzy [4] and
    SECURITY.NNOV [3].
    
    Details:
    
    1. Heap overflow in APOP command
    
    FTGate detects buffer overflow attack attempts. If an attack is detected,
    the source IP is banned. But in the case of the APOP command it is still
    possible to overflow a dynamic buffer with
    
     APOP USER <BUFFER>
    
    It causes the program to crash immediately, or after the buffer is free()'d
    if the buffer size is in the range of approximately 1-2k. FTGateSrv.exe
    crashes with a message like
    
          FTGateSrv.exe - Application error
    
          The instruction at 0x002b686b referenced memory at 0x41414145. The
          memory couldn't be "read".
    
          002B6865   mov         edx,dword ptr [ebp-20h]
          002B6868   mov         eax,dword ptr [edx+4]
          002B686B   call        dword ptr [eax+4]
    
    (As you can see in the example, this problem can be exploited to execute
    code of the attacker's choice, but there are a few different crash
    situations. It is not clear whether this problem can always be exploited
    remotely.)
    
    2. DoS via Rcpt to: flood
    
    By specifying a huge number of Rcpt to: in an SMTP session it is possible
    to cause a memory leak. During and after the attack the server will use
    100% CPU.
    
    3. DoS against POP3 mailbox.
    
    As reported by buggzy [4], a mailbox can be locked before authentication
    via the POP3 USER command.
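    As an added illustration of the defensive side of the three issues above
    (example code written for this archive page, not FTGate's or Floositek's
    own code), the toy below validates an APOP command before any buffer is
    allocated for it, caps RCPT TO per SMTP transaction, and takes the POP3
    mailbox lock only after a successful PASS. Everything beyond the advisory
    is an assumption chosen here: the APOP syntax from RFC 1939 (name plus a
    32-hex-digit digest), the 255-octet command line ceiling from RFC 2449, a
    user-name bound of 64, and a recipient ceiling of 100 per transaction.

```python
"""Added example (not FTGate's code): defensive handling for the three
issue classes in the advisory, as a stand-alone toy. Assumed, not taken from
the advisory: RFC 1939 APOP syntax, a 255-octet line ceiling (RFC 2449), a
64-char user name bound, and a 100-recipient ceiling per transaction."""
import re

MAX_LINE = 255            # assumed POP3 command line ceiling incl. CRLF (RFC 2449)
MAX_APOP_NAME = 64        # assumed bound for the APOP user name
APOP_DIGEST_RE = re.compile(r"^[0-9a-f]{32}$")  # RFC 1939: MD5 digest as 32 hex
MAX_RCPT_PER_TXN = 100    # assumed ceiling; RFC 5321 asks servers to accept >= 100


def validate_apop(line: str):
    """Check an APOP command line before any dynamic buffer is allocated.
    Returns (ok, reason); rejected lines never reach the digest code."""
    if len(line) > MAX_LINE:
        return False, "line too long"
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False, "syntax: APOP name digest"
    name, digest = parts[1], parts[2]
    if not 0 < len(name) <= MAX_APOP_NAME:
        return False, "name length out of range"
    if not APOP_DIGEST_RE.match(digest):
        return False, "digest must be 32 lowercase hex chars"
    return True, ""


class SmtpTransaction:
    """Counts RCPT TO per transaction and refuses once the ceiling is hit,
    so an unbounded recipient flood cannot grow server-side state."""

    def __init__(self, max_rcpt: int = MAX_RCPT_PER_TXN):
        self.max_rcpt = max_rcpt
        self.recipients = []

    def rcpt_to(self, address: str) -> str:
        if len(self.recipients) >= self.max_rcpt:
            return "452 4.5.3 Too many recipients"
        self.recipients.append(address)
        return "250 OK"

    def reset(self) -> None:
        self.recipients.clear()      # RSET or end of DATA releases the list


class Pop3Session:
    """The mailbox lock is taken only after authentication succeeds, so an
    unauthenticated USER alone cannot lock another user's mailbox."""

    def __init__(self, credentials: dict, locks: set):
        self.credentials = credentials   # user -> password (constructed toy store)
        self.locks = locks               # shared set of locked mailbox names
        self.user = None
        self.locked = None

    def cmd_user(self, name: str) -> str:
        self.user = name                 # remembered, nothing locked yet
        return "+OK"

    def cmd_pass(self, password: str) -> str:
        if self.user is None or self.credentials.get(self.user) != password:
            self.user = None
            return "-ERR authentication failed"
        if self.user in self.locks:
            return "-ERR mailbox is locked"
        self.locks.add(self.user)        # lock only here, after a good PASS
        self.locked = self.user
        return "+OK mailbox locked"

    def cmd_quit(self) -> str:
        if self.locked:
            self.locks.discard(self.locked)
            self.locked = None
        return "+OK bye"
```

    The length check in validate_apop runs before the line is split, which is
    the order that matters: the advisory's crash comes from the buffer that
    holds the oversized argument, so the bound has to be enforced before that
    buffer exists rather than by scanning the copy afterwards.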
    
    Vendor:
    
    The vendor released patches for FTGate PRO and FTGate Office [2] within 24
    hours after the problem was submitted.
    
    References:
    
    1. Floositek Ltd
       http://www.floositek.com
    2. Hotfixes for FTGatePro V1.05
       http://www.ftgate.com/knwldgbs/hotfix.htm
    3. Multiple bugs in FTGate
       http://www.security.nnov.ru/search/news.asp?binid=1884
    4. A puzzle for the hacker: breaking FTGate
       http://securitylab.ru/?ID=29407
    
    
    -- 
    http://www.security.nnov.ru
             /\_/\
            { , . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  ZARAZA  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)
    



    This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 18:47:51 PST