
avirt.42.txt

Posted Jan 19, 2002

The Avirt telnet proxy v4.2 and below has a remotely exploitable buffer overflow. Tested on Win2k. Strumpf Noir Society

tags | overflow
systems | windows
SHA-256 | b95135944e65dc824cd0d38a5ed558adbd0ce830e4673f4169c91b2793ff41bd

Strumpf Noir Society Advisories
! Public release !
<--#


-= Avirt Gateway Telnet Vulnerability (and more?) =-

Release date: Friday, January 18, 2002


Introduction:

The Utah, USA-based company Avirt specializes in the development
of (inter-)networking and sharing technologies. As such, it
maintains the SOHO and Gateway proxy product lines.

Recently, the SNS research team published two advisories regarding
these products, after which we were informed of at least one other
buffer overflow vulnerability in Avirt's Gateway product line.

SNS research would like to thank Mr. R. Hassell for pointing this
problem out to us.

These products can be found at vendor Avirt's web site:
http://www.avirt.com


Problem:

The Avirt Gateway technology contains, amongst others, a telnet proxy.
Because the length of the input served to this proxy is not checked,
a buffer overflow condition exists which could be exploited to execute
arbitrary code on the target system.

To exploit this flaw an attacker would have to connect to the telnet
proxy and at the "Ready>" prompt pass it a buffer of >2000 bytes. The
service dies and EIP is overwritten.

All of Avirt's Gateway products run as an NT system service by default.
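As an added illustration (not code from the advisory or from Avirt), the bounded line read that removes this class of fault at a prompt-driven service: the destination capacity is checked before any byte is copied, so an oversized line is refused instead of overwriting the stack. The 256-byte limit, the function names and the test helpers are assumptions for this example.

```c
#include <stddef.h>
#include <string.h>

/* Largest command accepted at the "Ready>" prompt (assumed for this example). */
#define CMD_MAX 256

enum { CMD_OK = 0, CMD_TOO_LONG = -1, CMD_INCOMPLETE = -2 };

/* Copy one line from a raw socket buffer into a fixed-size command buffer.
 * Unlike the unchecked copy the advisory describes, the line length is
 * compared against out_cap before memcpy, so a 2000-byte line can never
 * run past the end of out. Returns CMD_OK (and sets *consumed to the bytes
 * eaten, newline included), CMD_TOO_LONG if the line would not fit, or
 * CMD_INCOMPLETE if no newline has arrived yet. */
static int read_command(const char *in, size_t in_len,
                        char *out, size_t out_cap, size_t *consumed)
{
    const char *nl = memchr(in, '\n', in_len);
    if (nl == NULL) {
        /* No full line yet; refuse to buffer more than the limit. */
        return in_len >= out_cap ? CMD_TOO_LONG : CMD_INCOMPLETE;
    }
    size_t line_len = (size_t)(nl - in);            /* bytes before '\n' */
    if (line_len > 0 && in[line_len - 1] == '\r')   /* tolerate CRLF */
        line_len--;
    if (line_len >= out_cap)                        /* keep room for NUL */
        return CMD_TOO_LONG;
    memcpy(out, in, line_len);
    out[line_len] = '\0';
    *consumed = (size_t)(nl - in) + 1;
    return CMD_OK;
}

/* Test helper: feed a CRLF-terminated line of n 'A's and report the result. */
static int check_line(size_t n)
{
    static char big[4096];
    char cmd[CMD_MAX];
    size_t used = 0;
    if (n + 2 > sizeof big) return CMD_TOO_LONG;
    memset(big, 'A', n);
    big[n] = '\r';
    big[n + 1] = '\n';
    return read_command(big, n + 2, cmd, sizeof cmd, &used);
}

/* Test helper: a constructed fragment with no newline yet. */
static int check_partial(void)
{
    char cmd[CMD_MAX];
    size_t used = 0;
    return read_command("open host 23", 12, cmd, sizeof cmd, &used);
}
```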


(..)


Solution:

The vendor has been notified at the time this message went out. We're
sure the problem will be added to their "bug list which will be consulted
when any upgrades are made."

This was tested on a Win2k configuration with both the Avirt Gateway
v4.2 as well as the Avirt Gateway Suite v4.2.

Initially our advice for users would be to set tight trusted IP ranges
and disable the vulnerable services when possible. In light of this new
problem, however, we have to consider the possibility that boundary
checking was not a priority during development of these products. Since
fixing the problems when found doesn't seem to be one for this vendor
either, our advice is to not use these services until the problems
have been dealt with.


yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant; all information is provided on an AS IS basis.

EOF, but Strumpf Noir Society will return!

