Multiple Remote Buffer Overflow in Avirt Soho 4.3

From: Donato Ferrante (fdonato_at_autistici.org)
Date: 02/23/04

    Date: Mon, 23 Feb 2004 09:08:51 -0000
    To: <bugtraq@securityfocus.com>
    
    

                               Donato Ferrante

    Application: Avirt Soho
                  http://www.avirt.com/

    Version: 4.3

    Bugs: Multiple Remote Buffer Overflow

    Author: Donato Ferrante
                  e-mail: fdonato@autistici.org
                  web: www.autistici.org/fdonato

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    1. Description
    2. The bugs
    3. The code
    4. The fix

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ----------------
    1. Description:
    ----------------

    Vendor's Description:

    "Developed for the home or small office, Soho installs in minutes!
    Its intuitive wizards and simple interface automate the setup process
    and make maintenance a snap. Don't worry if you're new to networking
    or Internet sharing - Avirt Soho does all the work!"

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -------------
    2. The bugs:
    -------------

    The program does not properly handle the strings it receives on TCP
    ports [1] 1080 and [2] 8080, which results in a buffer overflow.

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    -------------
    3. The code:
    -------------

    [1]

    To test the vulnerability, send the server (port 1080) a string
    like:

    GET aaaa[ 1113 of a ]aaaa

    [2]

    To test the vulnerability on the web service, send the server
    (port 8080) a string like:

    GET %%%%[ 2061 of % ]%%%% HTTP/1.1

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    ------------
    4. The fix:
    ------------

    Vendor was contacted.
    Bugs will be fixed in the next version of Avirt Soho.

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
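
The class of fix for both bugs is a length check before the received line is copied. The following is an added example, not code from the advisory or from Avirt: `read_request_line`, `check_fill` and the 1024-byte limit are assumptions, and the sample inputs are constructed from the line shapes shown in section 3.

```c
#include <stdio.h>
#include <string.h>

#define LINE_MAX_ASSUMED 1024   /* assumed limit; not a value from the advisory */

enum req_status { REQ_OK, REQ_TOO_LONG, REQ_INCOMPLETE, REQ_BAD };

/* Copy the first line of the n received bytes into out[outsz].
 * The length is checked before any byte is copied; the unsafe pattern this
 * replaces is an unbounded copy such as strcpy(line, received). */
static enum req_status read_request_line(const char *in, size_t n,
                                         char *out, size_t outsz)
{
    const char *eol = memchr(in, '\n', n);
    size_t len = eol ? (size_t)(eol - in) : n;

    if (len >= outsz) return REQ_TOO_LONG;      /* also stops endless buffering */
    if (!eol) return REQ_INCOMPLETE;            /* wait for more data */
    if (len > 0 && in[len - 1] == '\r') len--;  /* accept CRLF and bare LF */
    if (memchr(in, '\0', len)) return REQ_BAD;  /* embedded NUL would truncate */
    memcpy(out, in, len);
    out[len] = '\0';
    return REQ_OK;
}

/* Constructed sample input: "GET " + count copies of fill + suffix + CRLF. */
static enum req_status check_fill(char fill, size_t count, const char *suffix)
{
    char in[4096], line[LINE_MAX_ASSUMED + 1];
    size_t slen = strlen(suffix), pos = 4;

    if (4 + count + slen + 2 > sizeof in) return REQ_BAD;
    memcpy(in, "GET ", 4);
    memset(in + pos, fill, count);   pos += count;
    memcpy(in + pos, suffix, slen);  pos += slen;
    memcpy(in + pos, "\r\n", 2);     pos += 2;
    return read_request_line(in, pos, line, sizeof line);
}

int main(void)
{
    printf("port 1080 style line: %d\n", check_fill('a', 1113, ""));
    printf("port 8080 style line: %d\n", check_fill('%', 2061, " HTTP/1.1"));
    printf("ordinary request:     %d\n", check_fill('a', 16, " HTTP/1.1"));
    return 0;
}
```

A server using this check answers `REQ_TOO_LONG` with an error response and closes the connection instead of copying the line.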

