avirt.42.txt
Posted Jan 19, 2002

The Avirt telnet proxy v4.2 and below has a remotely exploitable buffer overflow. Tested on Win2k. Strumpf Noir Society

tags | overflow
systems | windows
SHA-256 | b95135944e65dc824cd0d38a5ed558adbd0ce830e4673f4169c91b2793ff41bd

Strumpf Noir Society Advisories
! Public release !
<--#


-= Avirt Gateway Telnet Vulnerability (and more?) =-

Release date: Friday, January 18, 2002


Introduction:

The Utah, USA-based company Avirt specializes in the development
of (inter-)networking and sharing technologies. As such, it
maintains the SOHO and Gateway proxy product lines.

Recently, the SNS research team published two advisories regarding
these products, after which we were informed of at least one other
buffer overflow vulnerability in Avirt's Gateway product line.

SNS research would like to thank Mr. R. Hassell for pointing this
problem out to us.

These products can be found at vendor Avirt's web site:
http://www.avirt.com


Problem:

The Avirt Gateway technology contains, amongst others, a telnet proxy.
Because the length of the input served to this proxy is not checked,
a buffer overflow condition exists which could be exploited to execute
arbitrary code on the target system.

To exploit this flaw an attacker would have to connect to the telnet
proxy and at the "Ready>" prompt pass it a buffer of >2000 bytes. The
service dies and EIP is overwritten.

All of Avirt's Gateway products run as an NT system service by default.
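As an added illustration, not Avirt's code (the advisory shows none), this is the bounded line reader a "Ready>" style prompt handler should use so that an overlong line is refused instead of overrunning a fixed buffer; CMD_MAX, read_command and probe_line_length are hypothetical names, and the oversized input is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical command buffer size; the advisory gives no figure, only that a
 * line of more than 2000 bytes at the "Ready>" prompt overwrites EIP. */
#define CMD_MAX 256

enum cmd_status { CMD_TOO_LONG = -1, CMD_INCOMPLETE = -2 };

/*
 * Bounded reader for one line at a "Ready>" style prompt. 'in' holds the raw
 * bytes received so far from the client (a buffer here, in place of a socket
 * read), 'in_len' their count. On success the command, minus its CR/LF, is
 * NUL-terminated in 'out' and the number of input bytes consumed is returned.
 * The length check runs before any byte is stored, so an overlong line yields
 * CMD_TOO_LONG instead of writing past the end of 'out': this is the missing
 * check the advisory describes. No '\n' yet yields CMD_INCOMPLETE.
 */
int read_command(const char *in, size_t in_len, char out[CMD_MAX]) {
    size_t i, len;
    for (i = 0; i < in_len; i++) {
        if (in[i] == '\n')
            break;
        if (i >= CMD_MAX - 1)       /* no room left for this byte plus the NUL */
            return CMD_TOO_LONG;    /* caller should reject the line or drop the client */
    }
    if (i == in_len)
        return CMD_INCOMPLETE;      /* wait for more data (or time the client out) */
    len = i;
    if (len > 0 && in[len - 1] == '\r')
        len--;                      /* telnet clients send CR LF */
    memcpy(out, in, len);
    out[len] = '\0';
    return (int)(i + 1);
}

/* Constructed test input: n bytes of 'A' followed by '\n', mimicking the
 * oversized line from the advisory. Returns read_command's result. */
int probe_line_length(size_t n) {
    char out[CMD_MAX];
    char *line = malloc(n + 1);
    int rc;
    if (line == NULL)
        return CMD_INCOMPLETE;      /* treat allocation failure as "no data" */
    memset(line, 'A', n);
    line[n] = '\n';
    rc = read_command(line, n + 1, out);
    free(line);
    return rc;
}
```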


(..)


Solution:

Vendor has been notified at the time this message went out. We're sure
the problem will be added to their "bug list which will be consulted
when any upgrades are made."

This was tested on a Win2k configuration with both the Avirt Gateway
v4.2 as well as the Avirt Gateway Suite v4.2.

Initially our advice for users would be to set tight trusted IP ranges
and disable the vulnerable services when possible. In light of this new
problem however, we have to consider the possibility that boundary
checking was not a priority during development of these products. Since
fixing the problems when found doesn't seem to be one for this vendor
either, our advice is to not use these services until the problems
have been dealt with.


yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!


© 2022 Packet Storm. All rights reserved.