gswsshit.txt

gswsshit.txt: Posted Jan 2, 2008; Authored by Luigi Auriemma | Site aluigi.org; Georgia SoftWorks SSH2 Server versions 7.01.0003 and below are vulnerable to format string and buffer overflow vulnerabilities.; tags | advisory, overflow, vulnerability; SHA-256 | 9bc627a765585240639ddac60046d1c9debb996c1a46fe0bd10acb38328c4bf8; Download | Favorite | View

gswsshit.txt


#######################################################################

                             Luigi Auriemma

Application:  Georgia SoftWorks SSH2 Server (GSW_SSHD)
              http://www.georgiasoftworks.com/prod_ssh2/ssh2_server.htm
Versions:     <= 7.01.0003
Platforms:    Windows
Bugs:         A] format string in the log function
              B] buffer-overflow in the log function
              C] buffer-overflow in the handling of the password
Exploitation: remote
Date:         02 Jan 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


GSW_SSHD is a well known commercial SSH server which acts as SSH tunnel
for the telnet server GS_Tnet.exe.


#######################################################################

=======
2) Bugs
=======

------------------------------------
A] format string in the log function
------------------------------------

The logging function used by the server is affected by a format string
vulnerability caused by the usage of vsprintf for building the first
message (like "LoginPassword(%s(%s)[%u])") and the usage of another
vsprintf for building the final log entry.
The bug can be exploitable through the username field.


--------------------------------------
B] buffer-overflow in the log function
--------------------------------------

A buffer-overflow vulnerability is located in the same logging
function.
It's enough to use an username longer than 10000 chars to exploit the
vulnerability.


--------------------------------------------------
C] buffer-overflow in the handling of the password
--------------------------------------------------

The server is affected also by another buffer-overflow this time
located in the instructions which handle the password supplied by the
client exploitable through a string longer than 800 chars.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/gswsshit.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

gswsshit.txt

gswsshit.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

gswsshit.txt

Share This

gswsshit.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems