[NT] BlueCoat WinProxy Multiple DoS and Buffer Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



BlueCoat WinProxy Multiple DoS and Buffer Overflow
------------------------------------------------------------------------


SUMMARY

<http://www.winproxy.com/> BlueCoat WinProxy is "an Internet sharing
proxy server". Improper handling of long requests within BlueCoat WinProxy
allows attackers to cause the program to stop answering legitimate
requests (denial of service) and, in the case of the Host header overflow,
to execute arbitrary code.

DETAILS

Vulnerable Systems:
* WinProxy version 6.0 and prior

Immune Systems:
* WinProxy version 6.1a

HTTP Remote DoS:
The vulnerability exists due to improper handling of a long HTTP request
of approximately 32,768 bytes. When such a request arrives, the process
crashes while attempting to read past the end of a memory region.

Successful exploitation requires an attacker to send a specially
constructed HTTP request to the WinProxy server on TCP port 80. This
crashes the server, which remains unusable until it is restarted.

This vulnerability can only be exploited by attackers who have access to
the network segment on which the daemon listens, which in some cases is a
private local area network. Remote exploitation of this design error in
Blue Coat WinProxy allows attackers to cause a DoS condition.

Host Header Buffer Overflow:
The vulnerability can be triggered by sending an overly long Host header
to the web proxy service. Remote exploitation of this buffer overflow in
Blue Coat WinProxy allows attackers to execute arbitrary code.

Exploitation of this vulnerability is trivial. The overly long header
directly overwrites the structured exception handler (SEH) record for the
frame; when the corrupted handler is invoked, the attacker controls EIP.
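Both HTTP issues above are length-handling failures: a request head of roughly 32,768 bytes, and a Host header longer than whatever fixed buffer received it. The following is an added example, not WinProxy's code and not the vendor's fix, of how a proxy front-end bounds the request head and the Host header before either reaches any per-header storage. The byte limits, the constructed sample requests and the helper names (parse_request_head, classify) are assumptions of this example.

```python
"""Bounded HTTP request-head parser (added example; not WinProxy code).

Total head size is checked before anything is parsed, and the Host value
length is checked on the raw bytes before the value is kept anywhere, so
neither advisory condition reaches per-header handling. The limits are
illustrative values for this example, not values from the advisory or fix.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

MAX_HEAD_BYTES = 16 * 1024  # assumption: well under the ~32,768-byte request that crashed WinProxy
MAX_HOST_BYTES = 261        # assumption: 255-octet DNS name limit (RFC 1035) plus ":65535"


@dataclass
class ParsedRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rejected:
    status: int   # HTTP status the front-end would answer with (431 is RFC 6585)
    reason: str


def parse_request_head(data: bytes) -> Optional[Union[ParsedRequest, Rejected]]:
    """Parse the request line and headers from a raw byte buffer.

    Returns ParsedRequest on success, Rejected when a limit or syntax rule is
    violated, and None when the head is incomplete but still within budget
    (the caller should read more and call again).
    """
    end = data.find(b"\r\n\r\n")
    if end == -1:
        # No blank line yet: refuse to keep buffering past the size budget.
        return Rejected(431, "request head too large") if len(data) >= MAX_HEAD_BYTES else None
    head = data[:end]
    if len(head) > MAX_HEAD_BYTES:
        return Rejected(431, "request head too large")

    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return Rejected(400, "malformed request line")
    method, target, version = (p.decode("latin-1") for p in parts)

    headers: Dict[str, str] = {}
    for raw in lines[1:]:
        name, sep, value = raw.partition(b":")
        if not sep or not name.strip():
            return Rejected(400, "malformed header line")
        key = name.strip().decode("latin-1").lower()
        val = value.strip()
        # Length is enforced on the raw bytes before the value is stored.
        if key == "host" and len(val) > MAX_HOST_BYTES:
            return Rejected(400, "Host header too long")
        headers[key] = val.decode("latin-1")
    return ParsedRequest(method, target, version, headers)


# Constructed sample requests for this example (not captured traffic).
SAMPLE_OK = b"GET http://example.test/ HTTP/1.0\r\nHost: example.test\r\n\r\n"
SAMPLE_LONG_HOST = b"GET / HTTP/1.0\r\nHost: " + b"A" * 4096 + b"\r\n\r\n"
SAMPLE_HUGE = b"GET /" + b"A" * 32768 + b" HTTP/1.0\r\nHost: example.test\r\n\r\n"
SAMPLE_PARTIAL = b"GET / HTTP/1.0\r\nHost: exa"


def classify(data: bytes) -> str:
    """Map a parse result to a short label, for logging or for the tests."""
    result = parse_request_head(data)
    if result is None:
        return "incomplete"
    if isinstance(result, Rejected):
        return f"rejected {result.status}: {result.reason}"
    return f"ok host={result.headers.get('host', '')}"


if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("long-host", SAMPLE_LONG_HOST),
                         ("huge", SAMPLE_HUGE), ("partial", SAMPLE_PARTIAL)]:
        print(f"{name:10s} {classify(sample)}")
```

The order of the checks is the point: size is decided on the byte count of the buffer, before any splitting or copying, and the Host value is measured as raw bytes, so the only thing a 32 KiB request or a 4 KiB Host header can do is earn a 431 or 400.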

Telnet DoS:
The vulnerability can be triggered by sending a large string of 0xFF
characters to the telnet proxy port of the server. Such a string causes
heap corruption in the WinProxy process, which then crashes.

Successful exploitation requires an attacker to send a stream of TCP
packets containing the 0xFF character to the WinProxy telnet server on TCP
port 23. This crashes the server, which remains unusable until it is
restarted.

In lab tests, the heap corruption caused by this input led to crashes at
random locations in the process. Remote code execution may be possible,
but the corruption would likely be very hard to control well enough to
achieve reliable code execution.

Remote exploitation of this design error in Blue Coat WinProxy allows
attackers to cause a denial of service (DoS) condition.
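In Telnet, 0xFF is IAC ("Interpret As Command"), so a stream of 0xFF bytes is not data but a run of command escapes, and it exercises the proxy's command parsing rather than its data path. The following is an added example, not WinProxy's code and not the vendor's fix, of a Telnet command parser whose state is fixed-size: a flood of IAC bytes can only yield output proportional to the input (IAC IAC decodes to one literal 0xFF) and never grows an internal buffer. The subnegotiation cap, the event tuple shapes and the helper summarize_flood are assumptions of this example.

```python
"""Bounded Telnet command-stream parser (added example; not WinProxy code).

Implements the IAC handling of RFC 854: IAC IAC is a literal 0xFF, IAC
DO/DONT/WILL/WONT <opt> is an option negotiation, IAC SB ... IAC SE is a
subnegotiation, and any other IAC <cmd> is a two-byte command. All state is
a handful of scalars plus one capped payload buffer, so a 0xFF flood cannot
grow memory. MAX_SB_BYTES is an illustrative cap, not a value from the fix.
"""
from enum import Enum, auto
from typing import List, Tuple

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
MAX_SB_BYTES = 64  # assumption: cap on buffered subnegotiation payload


class State(Enum):
    DATA = auto()    # plain application bytes
    IAC = auto()     # saw IAC, expecting a command byte
    OPT = auto()     # saw IAC DO/DONT/WILL/WONT, expecting the option byte
    SB = auto()      # inside IAC SB ... subnegotiation payload
    SB_IAC = auto()  # saw IAC inside a subnegotiation, expecting SE or IAC


class TelnetParser:
    def __init__(self) -> None:
        self.state = State.DATA
        self.cmd = 0
        self.sb = bytearray()
        self.sb_truncated = False

    def feed(self, chunk: bytes) -> Tuple[bytes, List[tuple]]:
        """Consume a chunk; return (application data, command events).

        State persists across calls, so a sequence split over TCP segments
        is handled exactly like one delivered in a single read.
        """
        data = bytearray()
        events: List[tuple] = []
        for b in chunk:
            if self.state is State.DATA:
                if b == IAC:
                    self.state = State.IAC
                else:
                    data.append(b)
            elif self.state is State.IAC:
                if b == IAC:                      # IAC IAC = one literal 0xFF byte
                    data.append(IAC)
                    self.state = State.DATA
                elif b in (DO, DONT, WILL, WONT):
                    self.cmd = b
                    self.state = State.OPT
                elif b == SB:
                    self.sb = bytearray()
                    self.sb_truncated = False
                    self.state = State.SB
                else:                             # two-byte command (NOP, AYT, ...)
                    events.append(("cmd", b))
                    self.state = State.DATA
            elif self.state is State.OPT:
                events.append(("opt", self.cmd, b))
                self.state = State.DATA
            elif self.state is State.SB:
                if b == IAC:
                    self.state = State.SB_IAC
                else:
                    self._sb_append(b)
            elif self.state is State.SB_IAC:
                if b == SE:                       # IAC SE ends the subnegotiation
                    events.append(("sb", bytes(self.sb), self.sb_truncated))
                    self.state = State.DATA
                elif b == IAC:                    # escaped 0xFF inside the payload
                    self._sb_append(IAC)
                    self.state = State.SB
                else:                             # malformed: drop payload, resync
                    events.append(("sb_malformed", bytes(self.sb)))
                    self.state = State.DATA
        return bytes(data), events

    def _sb_append(self, b: int) -> None:
        # The payload buffer is capped; bytes beyond the cap only set a flag.
        if len(self.sb) < MAX_SB_BYTES:
            self.sb.append(b)
        else:
            self.sb_truncated = True


def summarize_flood(nbytes: int, chunk: int = 4096) -> Tuple[int, int, str]:
    """Feed nbytes of 0xFF in chunks; return (data bytes out, event count, final state)."""
    parser = TelnetParser()
    out = events = 0
    remaining = nbytes
    while remaining:
        n = min(chunk, remaining)
        d, e = parser.feed(b"\xff" * n)   # constructed flood, not captured traffic
        out += len(d)
        events += len(e)
        remaining -= n
    return out, events, parser.state.name


if __name__ == "__main__":
    print(summarize_flood(1 << 20))  # a 1 MiB flood decodes to 512 KiB of literal 0xFF
```

Because every 0xFF pair collapses to one output byte and the parser carries no per-connection buffer other than the capped subnegotiation payload, an odd-length flood simply leaves the parser waiting in the IAC state for the next byte; there is no allocation for the attacker to push past its end.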

CVE Information:
CAN-2005-3654: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3654>
CAN-2005-4085: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-4085>
CAN-2005-3187: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3187>

Disclosure Timeline:
10/12/2005 Initial vendor notification about HTTP Remote DoS
10/12/2005 Initial vendor response about HTTP Remote DoS
11/15/2005 Initial vendor notification about Telnet DoS
11/15/2005 Initial vendor response about Telnet DoS
12/07/2005 Initial vendor notification about buffer overflow
12/08/2005 Initial vendor response about buffer overflow
01/05/2006 Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE Labs
<mailto:idlabs-advisories@xxxxxxxxxxxxxxxxxx>.
The original articles can be found at:
<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=363>
<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=364>
<http://www.idefense.com/intelligence/vulnerabilities/display.php?id=365>



========================================




====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


