Title
=====
[HS-A007] Qbik WinGate Remote Denial of Service
Date
====
10 August 2007
Affected Software
=================
WinGate versions 5.x and 6.x (prior to 6.2.2).
Overview
========
WinGate by Qbik IP Management Limited is a sophisticated gateway and
server product used in over 600,000 networks across the globe. More
information about WinGate can be found here: www.wingate.com
WinGate provides a number of network services including an SMTP server
for email. It is this SMTP server component that is vulnerable to a
remotely exploitable format string vulnerability that can lead to a
remote DoS attack, resulting in the entire WinGate service being
terminated. The result of the WinGate service being terminated in such a
fashion is that none of the many network services it provides will be
available until a manual restart is performed as well as the loss of any
unsaved data.
Vulnerability Description
=====================
The vulnerability occurs as a result of how the SMTP server component
handles an incorrectly established SMTP session with a client. Upon a
malicious client initiating a connection to the SMTP server the session
can be forced into an invalid state by issuing commands the server was
not expecting. When this occurs an error message is formatted to log the
problem. It is in the formatting of this error message that malicious
attacker supplied data is passed into an unsafe call to vsprintf(),
leading to a format string attack that crashes the process. Arbitrary
code execution cannot be leveraged from this attack.
Solution
========
Qbik have released WinGate version 6.2.2 to address this issue. Further
information is available here: http://www.wingate.com/news.php?id=50
Disclosure Timeline
===================
29 June 2007 - Initial vendor notification
29 June 2007 - Initial vendor response
13 July 2007 - Vendor released fix
10 August 2007 - Public Disclosure
Credit
======
This vulnerability was discovered by Stephen Fewer of Harmony Security.
Web
===
http://www.harmonysecurity.com/HS-A007.html
Disclaimer
==========
The use of this information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information. Any
use of this information is at the user's own risk. In no event shall the
author or publisher be liable for any direct or indirect damages
whatsoever arising out of or in connection with the use or spread of
this information.
Copyright (c) 2007 Harmony Security