GoodTech Telnet Server Buffer Overflow Vulnerability
AUTHOR
Komrade
unsecure@xxxxxxxxxxxxxx
Original advisory:
http://unsecure.altervista.org/security/goodtechtelnet.htm
DATE
15/03/2005
PRODUCT
The product turns a Windows NT/2000/XP/2003 system into a multi-user
Telnet server. Gives Telnet users full access to Windows NT command
line. (informations from the website http://www.goodtechsys.com)
Administration commands can be performed via a web browser. This feature
gives you a Graphic interface to administrate the Telnet Server product.
(informations from readme.htm file)
AFFECTED VERSION
All verion prior to 5.0.7 (version fixed by the vendor)
Versions verified to be vulnerable:
5.0
4.0
DETAILS
This program has a vulnerabilty in the administration web server, which
runs on the default port 2380. If a very long string (10040 bytes) ended
by two newline characters is sent to this server, a buffer overflow
vulnerability occurs, overwriting the instruction pointer and giving the
possibility to execute arbitrary code remotely in the LOCAL_SYSTEM context.
POC EXPLOIT
You can find a proof of concept exploit that crashes the vulnerable
servers on:
http://unsecure.altervista.org/security/gtscrash.c.txt
VENDOR STATUS
I notified this vulnerability to the vendor on 14/03/2005 and they fixed
it in the new version 5.0.7
See http://www.goodtechsys.com to download the new fixed version.
VULNERABILITY TIMELINE
11/03/2005 Vulnerability found.
14/03/2005 Vendor contacted.
15/03/2005 Vendor reply.
15/03/2005 Vulnerability fixed. A new version of GoodTech Telnet Server
is now avaible.
--
- Unsecure Programs -
- http://unsecure.altervista.org -