<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2657.88">
<TITLE>[ACSSEC-2005-11-25-0x5] FTGate 4.4 [Build 4.4.000 Oct 26 2005] Format String Overflow</TITLE>
</HEAD>
<BODY>
<BR>
<P><FONT SIZE=2>-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-</FONT>
<BR><FONT SIZE=2>ACS Security Assessment Advisory - Format String Overflow</FONT>
</P>
<P><FONT SIZE=2>ID: ACSSEC-2005-11-25 - 0x5</FONT>
</P>
<P><FONT SIZE=2>Class: Format String Overflow</FONT>
<BR><FONT SIZE=2>Package: FTGate 4.4 [Build 4.4.000 Oct 26 2005] POP3 Service</FONT>
<BR><FONT SIZE=2>Build: Windows NT/2k/XP/2k3</FONT>
<BR><FONT SIZE=2>Notified: Dec 01, 2005</FONT>
<BR><FONT SIZE=2>Released: Dec 20, 2005</FONT>
</P>
<P><FONT SIZE=2>Remote: Yes</FONT>
<BR><FONT SIZE=2>Severity: Medium (Pre-Authentication)</FONT>
</P>
<P><FONT SIZE=2>Credit: Tim Shelton &lt;security-advisories@acs-inc.com&gt;</FONT>
<BR><FONT SIZE=2>-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-</FONT>
</P>
<P><FONT SIZE=2>-=[ Background</FONT>
</P>
<P><FONT SIZE=2>FTGate4 is a powerful Windows(TM) communication suite that combines </FONT>
<BR><FONT SIZE=2>exceptional mail handling facilities with comprehensive Groupware </FONT>
<BR><FONT SIZE=2>functionality. Its security and collaboration features were developed </FONT>
<BR><FONT SIZE=2>in conjunction with leading ISPs and define a new era in mail server </FONT>
<BR><FONT SIZE=2>performance.</FONT>
</P>
<BR>
<P><FONT SIZE=2>-=[ Technical Description</FONT>
</P>
<P><FONT SIZE=2>FTGate 4.4 [Build 4.4.000 Oct 26 2005] is vulnerable to multiple format string overflows via specially crafted POP3 requests. A remote attacker could issue a vulnerable command followed by malicious code to execute arbitrary code.</FONT></P>
<BR>
<P><FONT SIZE=2>-=[ Proofs of Concept</FONT>
</P>
<P><FONT SIZE=2>USER (%n times 20) </FONT>
<BR><FONT SIZE=2>PASS (%n times 20)</FONT>
<BR><FONT SIZE=2>TOP (%n times 20) 1</FONT>
</P>
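<P><FONT SIZE=2>The bug class named above and its fix, as an added example that is not part of the original advisory and is not FTGate code. It assumes the POP3 service passes the command argument as the format string of a printf-family call; every function name is hypothetical. It shows the constant-format fix and a check that flags USER, PASS or TOP arguments carrying format directives.</FONT>
</P>

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed vulnerable pattern (FTGate's source is not on the page), kept as a
 * comment so it never runs:   snprintf(out, n, arg);
 * Hardened form: constant format string, client text passed only as data. */
int format_pop3_log(char *out, size_t n, const char *cmd, const char *arg)
{
    return snprintf(out, n, "POP3 %s arg=\"%s\"", cmd, arg);
}

/* Count '%' conversion directives; "%%" is a literal percent, not counted. */
int count_format_directives(const char *arg)
{
    int count = 0;
    for (const char *p = arg; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') p++;              /* skip the escaped percent */
        else if (p[1] != '\0') count++;
    }
    return count;
}

/* Case-insensitive prefix match; prefix must be upper case. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++)
        if (toupper((unsigned char)*s) != *prefix) return 0;
    return 1;
}

/* Flag a POP3 line whose USER, PASS or TOP argument carries directives. */
int is_suspicious_pop3_line(const char *line)
{
    static const char *cmds[] = { "USER ", "PASS ", "TOP " };
    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        if (has_prefix_ci(line, cmds[i]))
            return count_format_directives(line + strlen(cmds[i])) > 0;
    return 0;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *lines[] = { "USER alice", "user %n%n%n", "TOP %n%n 1" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%d  %s\n", is_suspicious_pop3_line(lines[i]), lines[i]);
    return 0;
}
```

<P><FONT SIZE=2>Passwords can legitimately contain a percent sign, so the check is a triage signal for monitoring; the constant format string is what removes the bug.</FONT>
</P>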
<P><FONT SIZE=2>-=[ Solution</FONT>
<BR><FONT SIZE=2>No remedy available as of December 2005.</FONT>
</P>
<P><FONT SIZE=2>-=[ Credits</FONT>
</P>
<P><FONT SIZE=2>Vulnerability originally reported by Tim Shelton</FONT>
</P>
<BR>
<P><FONT SIZE=2>-=[ ChangeLog</FONT>
</P>
<P><FONT SIZE=2>2005-11-25 : Original Advisory</FONT>
<BR><FONT SIZE=2>2005-12-01 : Notified Vendors</FONT>
<BR><FONT SIZE=2>2005-12-20 : No response from vendor, disclosing full information.</FONT>
</P>
</BODY>
</HTML>