Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] ERNW Security Advisory 01/2006

from [mozilla] Network Security [Permanent Link]
Subject: [VulnWatch] ERNW Security Advisory 01/2006
Date: Mon, 26 Jun 2006 15:15:29 +0200 
ERNW Security Advisory 01-2006

Buffer Overflow in Algorithmic Researchs PrivateWire Online Registration 
Facility

Author:
Michael Thumann <mthumann[at]ernw.de>
Homepage: http://www.ernw.de

1. Summary:
The Online Registration Facility  of Algorithmic Research PrivateWire VPN 
Software
doesn't do proper bounds checking handling normal GET requests.
Sending an overlong page or script name, it causes a buffer overflow and an 
attacker
can control the EIP to run arbitrary code on the victims machine.

2. Severity : Critical

3. Products affected
All Versions of the PrivateWire Gateway Software up to version 3.7

4. Patch Availability :
A patch is available from the vendor www.arx.com

5. Details
The follwoing request causes PrivateWire to crash:

GET /AAAAAA.....AAAA  with 8160 As

6. Solution
Contact the vendor and install the patch.

7. Time-Line 
19  Dec 2005: Vulnerability reported to vendor
21  Dec 2005: Telephone conference with vendor
04 Apr 2006: Patch available
26 June 2006: Public Disclosure

8. Disclaimer
The informations in this advisory are provided "AS IS" without warranty 
of any kind. In no event shall the authors be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, 
loss of business profits or special damages due to the misuse of any 
information provided in this advisory.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] ERNW Security Advisory 01/2006, mozilla <=
Previous by Date:  [Full-disclosure] ERNW Security Advisory 01/2006, mozilla
Next by Date:  [VulnWatch] Cisco Security Advisory: Multiple Vulnerabilities in Wireless Control System, Cisco Systems Product Security Incident Response Team
Previous by Thread:  [Full-disclosure] ERNW Security Advisory 01/2006, mozilla
Next by Thread:  [VulnWatch] Cisco Security Advisory: Multiple Vulnerabilities in Wireless Control System, Cisco Systems Product Security Incident Response Team
Indexes:  [Date] [Thread] [Top] [All Lists]