Title
=====
[HS-A007] Qbik WinGate Remote Denial of Service

Date
====
10 August 2007

Affected Software
=================
WinGate versions 5.x and 6.x (prior to 6.2.2).

Overview
========
WinGate by  Qbik IP  Management Limited  is a  sophisticated gateway and
server product  used in  over 600,000  networks across  the globe.  More
information about WinGate can be found here: www.wingate.com

WinGate provides a number of  network services including an SMTP  server
for email.  It is  this SMTP  server component  that is  vulnerable to a
remotely  exploitable format  string vulnerability  that can  lead to  a
remote  DoS  attack,  resulting  in  the  entire  WinGate  service being
terminated. The result of the WinGate service being terminated in such a
fashion is that none  of the many network  services it provides will  be
available until a manual restart is performed as well as the loss of any
unsaved data.

Vulnerability Description
=====================
The vulnerability occurs  as a result  of how the  SMTP server component
handles an incorrectly  established SMTP session  with a client.  Upon a
malicious client initiating a connection to the SMTP server the  session
can be forced into an invalid  state by issuing commands the server  was
not expecting. When this occurs an error message is formatted to log the
problem. It is  in the formatting  of this error  message that malicious
attacker supplied  data is  passed into  an unsafe  call to  vsprintf(),
leading to a  format string attack  that crashes the  process. Arbitrary
code execution cannot be leveraged from this attack.

Solution
========
Qbik have released WinGate version 6.2.2 to address this issue.  Further
information is available here: http://www.wingate.com/news.php?id=50

Disclosure Timeline
===================
29 June 2007 - Initial vendor notification
29 June 2007 - Initial vendor response
13 July 2007 - Vendor released fix
10 August 2007 - Public Disclosure

Credit
======
This vulnerability was discovered by Stephen Fewer of Harmony Security.

Web
===
http://www.harmonysecurity.com/HS-A007.html

Disclaimer
==========
The use of this information constitutes  acceptance for use in an AS  IS
condition. There are no warranties with regard to this information.  Any
use of this information is at the user's own risk. In no event shall the
author  or  publisher  be  liable for  any  direct  or  indirect damages
whatsoever arising out  of or in  connection with the  use or spread  of
this information.

Copyright (c) 2007 Harmony Security