Bugtraq mailing list archives
nasty bug in wingate server, potential DOS.
From: c3rb3r () HOTMAIL COM (gregory duchemin)
Date: Fri, 14 Jul 2000 19:34:08 GMT
Hi,

I have recently downloaded a trial version of WinGate proxy server 4.0.1 and installed it on a Win98 box. While playing around with the POP3 proxy feature, I discovered that the software allows POP3 address encapsulation in the USER command.

Proxying is not a native capability of the POP3 protocol; to do that, WinGate needs a specially crafted login string in the following format:

    USER login@host.domain

where login is the owner of the POP3 account and host.domain is the address of the real POP3 server to forward the request to. The "PASS" field doesn't change.

If someone submits a USER command like this:

    USER login@host.domain@127.0.0.1@127.0.0.1
    PASS what3ver_u_want

it should be accepted and the management console will show 2 more active connections.

It seems there is no limitation on the size of the login, and so on the number of proxy relays we can use, leading to a potential resource starvation DoS (memory, CPU usage, etc.).

I think connections to 127.0.0.1 should be filtered by default, the number of proxy relays should be limited, and proxy relays should be declared trusted somewhere in an authorization file.

I didn't have the time to investigate WinGate for long, so feel free to correct me if I'm wrong.

Have a nice day

===================================
// Gregory Duchemin
// Security consultant
// NEUROCOM CANADA
// 1001 BD MAISONNEUVE
// H2L 4P9 MONTREAL
// QUEBEC CANADA
// Phone: 514 940 1800
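The three mitigations proposed in the message above (filter loopback, limit the number of relays, require trusted upstreams) can be expressed as one check on the USER argument. This is an added example, not part of the original post and not WinGate's code; the limits, the allowlist contents and the function names are assumptions.

```python
import ipaddress

# Assumed policy values for illustration; the post names the controls, not the numbers.
MAX_USER_ARG_LEN = 128                    # cap on the USER argument length
MAX_RELAYS = 1                            # login@host.domain means exactly one upstream hop
TRUSTED_UPSTREAMS = {"pop.example.net"}   # constructed stand-in for the "authorization file"


def is_loopback_literal(host):
    """True for 'localhost' or an IP literal that is loopback/unspecified."""
    if host.lower().rstrip(".") == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not a canonical IP literal; the allowlist decides
    return ip.is_loopback or ip.is_unspecified


def check_user_argument(arg):
    """Validate the argument of a proxied POP3 USER command.

    Returns (allowed, reason, login, upstream).
    """
    if len(arg) > MAX_USER_ARG_LEN:
        return (False, "argument too long", None, None)
    login, *hops = arg.split("@")
    if not login or not hops or not all(hops):
        return (False, "expected login@host.domain", None, None)
    if len(hops) > MAX_RELAYS:
        return (False, "too many relays", None, None)
    upstream = hops[-1].lower().rstrip(".")
    if is_loopback_literal(upstream):
        return (False, "loopback upstream", None, None)
    if upstream not in TRUSTED_UPSTREAMS:
        return (False, "upstream not trusted", None, None)
    return (True, "ok", login, upstream)


if __name__ == "__main__":
    # Constructed sample inputs, including the nested form from the post.
    for sample in ("alice@pop.example.net",
                   "login@host.domain@127.0.0.1@127.0.0.1",
                   "alice@127.0.0.1",
                   "alice@localhost.",
                   "alice@unknown.example.org",
                   "a" * 200 + "@pop.example.net"):
        print(check_user_argument(sample)[:2], sample[:40])
```

The loopback test only recognises canonical literals, so the allowlist is what rejects names or non-canonical spellings that would still reach the proxy host. With MAX_RELAYS set to 1, accounts whose login itself contains "@" are refused and would need a different separator.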
Current thread:
- nasty bug in wingate server, potential DOS. gregory duchemin (Jul 14)
- <Possible follow-ups>
- Re: nasty bug in wingate server, potential DOS. Tony Langdon (Jul 17)