SECURITY.NNO: FTGate PRO/Office hotfixes

2002-04-03T00:00:00
ID SECURITYVULNS:DOC:2713
Type securityvulns
Reporter Securityvulns
Modified 2002-04-03T00:00:00

Description

Dear bugtraq,

Original version available at http://www.security.nnov.ru/advisories/ftgate.asp

Title       : FTGate PRO/Office hotfixes
Author      : 3APA3A <3APA3A@security.nnov.ru>
Date        : December, 18 2001
Affected    : FTGate PRO 1.05, FTGate Office 1.05
Vendor      : Floositek [1]
Risk        : high
Remote      : yes
Exploitable : yes

Intro:

FTGate is an Internet mail server for Windows with SMTP/POP3 support and a lot of additional features, made by Floositek [1]. During testing, a few vulnerabilities were found by Ilya Teterin aka buggzy [4] and SECURITY.NNOV [3].

Details:

  1. Heap overflow in APOP command

FTGate detects buffer overflow attack attempts: if an attack is detected, the source IP is banned. But in the case of the APOP command it is still possible to overflow a dynamically allocated buffer with

APOP USER <BUFFER>

If the buffer size is in the range of approximately 1-2k, this causes the program to crash, either immediately or after the buffer is free()'d. FTGateSrv.exe crashes with a message like

  FTGateSrv.exe - Application error

  The instruction at 0x002b686b referenced memory at 0x41414145. The
  memory couldn't be "read".

  002B6865   mov         edx,dword ptr [ebp-20h]
  002B6868   mov         eax,dword ptr [edx+4]
  002B686B   call        dword ptr [eax+4]

(As you can see in the example, the crash is an indirect call through a pointer taken from attacker-supplied data, so this problem can be exploited to execute code of the attacker's choice; but there are a few different crash situations, and it is not clear whether this problem can always be exploited remotely.)

  2. DoS via Rcpt to: flood

By specifying a huge number of Rcpt to: commands in an SMTP session it is possible to cause a memory leak. During and after the attack the server will use 100% CPU.

  3. DoS against POP3 mailbox

As reported by buggzy [4], a mailbox can be locked before authentication via the POP3 USER command.
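As an added illustration (not code from the advisory or from FTGate), the following shows the kind of argument validation that stops issues 1 and 2 at the parsing stage, before any buffer is sized from client input: RFC 1939 limits each POP3 argument to 40 characters and defines the APOP digest as 32 lowercase hex characters, and an SMTP server can cap recipients per message with the 452 reply RFC 5321 reserves for that case. The per-message recipient limit of 100 is an assumption chosen for the example.

```python
import re

# Constructed example: server-side checks applied to raw command lines.
POP3_MAX_ARG = 40                                 # RFC 1939: each argument up to 40 chars
APOP_DIGEST_RE = re.compile(r"^[0-9a-f]{32}$")    # RFC 1939: 16-octet MD5 as lowercase hex
SMTP_MAX_RCPT = 100                               # assumed cap; RFC 5321 requires accepting >= 100


def check_pop3_command(line: str):
    """Return (ok, reason) for one POP3 command line.

    Rejects over-long arguments and malformed APOP digests before the
    server allocates or copies anything based on the argument length.
    """
    parts = line.rstrip("\r\n").split(" ")
    keyword, args = parts[0].upper(), parts[1:]
    if not 3 <= len(keyword) <= 4:                # RFC 1939 keywords are 3-4 chars
        return False, "bad keyword length"
    for arg in args:
        if len(arg) > POP3_MAX_ARG:               # the APOP USER <BUFFER> case ends here
            return False, f"argument exceeds {POP3_MAX_ARG} chars"
    if keyword == "APOP":
        if len(args) != 2:
            return False, "APOP takes exactly a name and a digest"
        if not APOP_DIGEST_RE.match(args[1]):
            return False, "APOP digest must be 32 lowercase hex chars"
    return True, "ok"


class SmtpSession:
    """Tracks RCPT TO for one message and refuses to grow without bound."""

    def __init__(self, max_rcpt: int = SMTP_MAX_RCPT):
        self.max_rcpt = max_rcpt
        self.recipients = []

    def rcpt_to(self, address: str) -> str:
        if len(self.recipients) >= self.max_rcpt:
            return "452 4.5.3 Too many recipients"  # RFC 5321 reply for a recipient limit
        self.recipients.append(address)
        return "250 OK"
```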

Vendor:

The vendor released patches for FTGate PRO and FTGate Office [2] within 24 hours after the problem was reported.

References:

  1. Floositek Ltd http://www.floositek.com
  2. Hotfixes for FTGatePro V1.05 http://www.ftgate.com/knwldgbs/hotfix.htm
  3. Multiple bugs in FTGate http://www.security.nnov.ru/search/news.asp?binid=1884
  4. Головоломка для хакера, взлом FTGate (A puzzle for a hacker: breaking FTGate) http://securitylab.ru/?ID=29407

--
http://www.security.nnov.ru
ZARAZA / 3APA3A
You know my name - look up my number (The Beatles)