Title ===== [HS-A007] Qbik WinGate Remote Denial of Service Date ==== 10 August 2007 Affected Software ================= WinGate versions 5.x and 6.x (prior to 6.2.2). Overview ======== WinGate by Qbik IP Management Limited is a sophisticated gateway and server product used in over 600,000 networks across the globe. More information about WinGate can be found here: www.wingate.com WinGate provides a number of network services including an SMTP server for email. It is this SMTP server component that is vulnerable to a remotely exploitable format string vulnerability that can lead to a remote DoS attack, resulting in the entire WinGate service being terminated. The result of the WinGate service being terminated in such a fashion is that none of the many network services it provides will be available until a manual restart is performed as well as the loss of any unsaved data. Vulnerability Description ===================== The vulnerability occurs as a result of how the SMTP server component handles an incorrectly established SMTP session with a client. Upon a malicious client initiating a connection to the SMTP server the session can be forced into an invalid state by issuing commands the server was not expecting. When this occurs an error message is formatted to log the problem. It is in the formatting of this error message that malicious attacker supplied data is passed into an unsafe call to vsprintf(), leading to a format string attack that crashes the process. Arbitrary code execution cannot be leveraged from this attack. Solution ======== Qbik have released WinGate version 6.2.2 to address this issue. Further information is available here: http://www.wingate.com/news.php?id=50 Disclosure Timeline =================== 29 June 2007 - Initial vendor notification 29 June 2007 - Initial vendor response 13 July 2007 - Vendor released fix 10 August 2007 - Public Disclosure Credit ====== This vulnerability was discovered by Stephen Fewer of Harmony Security. Web === http://www.harmonysecurity.com/HS-A007.html Disclaimer ========== The use of this information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Any use of this information is at the user's own risk. In no event shall the author or publisher be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Copyright (c) 2007 Harmony Security