Bugtraq mailing list archives

nasty bug in wingate server, potential DOS.


From: c3rb3r () HOTMAIL COM (gregory duchemin)
Date: Fri, 14 Jul 2000 19:34:08 GMT


hi,

I have recently downloaded a trial version of WinGate proxy server 4.0.1 and
installed it on a Win98 box.
While playing around with the POP3 proxy feature, I discovered that
the software allows POP3 address encapsulation in the USER command.
Proxying is not a native capability of the POP3 protocol; to do that, WinGate
needs a specially crafted login string in the following format:
USER login@host.domain where login is the owner of the POP3 account and
host.domain is the address of the real POP3 server to forward the request to.
The "PASS" field doesn't change.

If someone submits a USER command like this:

USER login@host.domain@127.0.0.1@127.0.0.1
PASS what3ver_u_want

it should be accepted and the management console will show 2 more active
connections. It seems there is no limitation on the size of the login, and
so on the number of proxy relays we can use, leading to a potential resource
starvation DoS (memory, CPU usage, etc.)

I think connections to 127.0.0.1 should be filtered by default, the number of
proxy relays should be limited, and proxy relays should be declared trusted
somewhere in an authorization file.
I didn't have the time to investigate WinGate for a long time, so feel free to
correct me if I'm wrong.

have a nice day

===================================
-----------------------------------

// Gregory Duchemin  --**-- Security consultant

// NEUROCOM CANADA
// 1001 BD MAISONNEUVE
// H2L 4P9 MONTREAL
// QUEBEC CANADA
// Phone: 514 940 1800
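
The three mitigations proposed in the message above (filter loopback, cap the number of relays, allowlist trusted upstream servers), sketched as a validator for the argument of a proxied USER command. This is an added example, not WinGate code and not part of the original post; the length cap, the hop limit, the allowlist host pop.example.net and all function names are assumptions.

```python
import ipaddress

MAX_USER_ARG_LEN = 256                   # assumed cap on the USER argument
MAX_RELAY_HOPS = 1                       # assumed policy: one upstream, no chaining
TRUSTED_UPSTREAMS = {"pop.example.net"}  # constructed allowlist ("authorization file")


def is_loopback(host):
    """True for localhost and for any IP literal in 127.0.0.0/8 or ::1."""
    if host.lower().rstrip(".") == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # not an IP literal; the allowlist check decides


def check_proxy_user(arg, trusted=TRUSTED_UPSTREAMS, max_hops=MAX_RELAY_HOPS):
    """Return (verdict, login, hops) for the argument of a proxied USER command."""
    if len(arg) > MAX_USER_ARG_LEN:
        return ("reject: argument too long", None, [])
    login, *hops = arg.split("@")
    if not login or not hops or any(h == "" for h in hops):
        return ("reject: expected login@host.domain", None, [])
    if len(hops) > max_hops:
        return ("reject: too many relay hops", login, hops)
    for host in hops:
        if is_loopback(host):
            return ("reject: loopback relay", login, hops)
        if host.lower() not in trusted:
            return ("reject: relay not in allowlist", login, hops)
    return ("accept", login, hops)


if __name__ == "__main__":
    # Constructed inputs; the second is the USER argument quoted in the post.
    samples = [
        "login@pop.example.net",
        "login@host.domain@127.0.0.1@127.0.0.1",
        "login@127.0.0.1",
        "login@" + "x" * 300,
    ]
    for s in samples:
        print(f"{s[:45]!r:50} -> {check_proxy_user(s)[0]}")
```

Hosts that are neither IP literals nor "localhost" (for example a name that resolves to 127.0.0.1) are only stopped here by the allowlist, so the resolved address should be checked again before connecting.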