Buffer-overflow in GO-Global for Windows 3.1.0.3270
#######################################################################
Luigi Auriemma
Application: GO-Global for Windows
http://www.graphon.com/products/GO-GlobalforWindows.shtml
Versions: <= 3.1.0.3270
Platforms: Server: Windows
Clients: Windows, Solaris, HP-UX, IBM AIX and Linux
Java version not vulnerable
Bug: buffer-overflow
Exploitation: remote, versus server and client
Date: 02 Nov 2005
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
GO-Global for Windows is a server-based thin-client solution.
It allows users to run 32-bit Windows applications remotely from a
server, the application runs entirely on the server but is displayed on
the client.
#######################################################################
======
2) Bug
======
After the initial handshake where is specified the type of encryption
to use (_USERSA_), the application uses 16 bit fields for specifying
the length of the subsequent data blocks.
Both the client and the server use a small buffer which leads to a
buffer-overflow if an attacker uses a data block longer than its size.
Both server and clients are vulnerables.
#######################################################################
===========
3) The Code
===========
For testing the "GO-Global for Windows" server:
http://aluigi.altervista.org/poc/ggwbof.zip
For testing the "GO-Global for Windows" clients:
http://aluigi.altervista.org/poc/ggwbofc.zip
#######################################################################
======
4) Fix
======
Version 3.1.0.3281
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org