Qbik WinGate Remote Denial of Service

Affected Software

WinGate versions 5.x and 6.x (prior to 6.2.2).

Overview

WinGate by Qbik IP Management Limited is a sophisticated gateway and server product used in over 600,000 networks across the globe. More information about WinGate can be found here:
www.wingate.com

WinGate provides a number of network services including an SMTP server for email. It is this SMTP server component that is vulnerable to a remotely exploitable format string vulnerability that can lead to a remote DoS attack, resulting in the entire WinGate service being terminated. The result of the WinGate service being terminated in such a fashion is that none of the many network services it provides will be available until a manual restart is performed as well as the loss of any unsaved data.

Technical Description

The vulnerability occurs as a result of how the SMTP server component handles an incorrectly established SMTP session with a client. Upon a malicious client initiating a connection to the SMTP server the session can be forced into an invalid state by issuing commands the server was not expecting. When this occurs an error message is formatted to log the problem. It is in the formatting of this error message that malicious attacker supplied data is passed into an unsafe call to vsprintf(), leading to a format string attack that crashes the process. Arbitrary code execution cannot be leveraged from this attack.

Solution

Qbik have released WinGate version 6.2.2 to address this issue. Further information is available here:
http://www.wingate.com/news.php?id=50

Disclosure Timeline

29 June 2007 - Initial vendor notification
29 June 2007 - Initial vendor response
13 July 2007 - Vendor released fix
10 August 2007 - Public Disclosure

References

Bugtraq ID: 25272
http://www.securityfocus.com/bid/25272

CVE ID: CVE-2007-4335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4335

Credit

This vulnerability was discovered by Stephen Fewer of Harmony Security.

Disclaimer

The use of this information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Any use of this information is at the user's own risk. In no event shall the author or publisher be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.

 

Bookmark and Share