
Avirt Proxy Buffer Overflow Vulnerabilities

by Nikola Strahija on January 20th, 2002

Avirt's SOHO and Gateway proxy product lines are vulnerable to a buffer overflow condition, which can be exploited to execute arbitrary code on the systems in question. The problem appears to be due to incorrect bounds checking on the header fields of the standard HTTP proxy (port 8080 by default).


Introduction:

The Utah, USA-based company Avirt specializes in the development
of (inter-)networking and sharing technologies. As such, it
maintains the SOHO and Gateway proxy product lines.

These products can be found at vendor Avirt's web site:
http://www.avirt.com


Problem:

The products from the above-mentioned families are all vulnerable to
a buffer overflow condition, which can be exploited to execute
arbitrary code on the systems in question.

The problem appears to be due to incorrect bounds checking on the
header fields of the standard HTTP proxy (port 8080 by default). If
these headers exceed 2319 bytes in size, the corresponding buffer
will overflow.

Besides allowing for a DoS attack against a vulnerable system, this
could be exploited to execute arbitrary code on the host, as EIP is
overwritten. These Avirt products run as an NT system service by
default.
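
The kind of bounds check the advisory describes as missing, shown as an added example (this is not Avirt's code and not part of the original advisory): a header-line parser that compares each field's length with its destination buffer before copying. The buffer sizes, type names and function names are assumptions made for illustration, and the sample input is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical limits for this example; not taken from the Avirt products. */
#define MAX_NAME  64
#define MAX_VALUE 1024

enum hdr_status { HDR_OK = 0, HDR_MALFORMED = -1, HDR_TOO_LONG = -2 };
struct header { char name[MAX_NAME]; char value[MAX_VALUE]; };

/* Parse one "Name: value" line of len bytes (CRLF already stripped) into out.
 * Each copy is preceded by a check against the destination size, so an
 * oversized field is rejected rather than written past the buffer. */
enum hdr_status parse_header_line(const char *line, size_t len, struct header *out)
{
    const char *colon = memchr(line, ':', len);
    if (colon == NULL || colon == line)
        return HDR_MALFORMED;
    size_t name_len = (size_t)(colon - line);
    if (name_len >= sizeof out->name)      /* keep room for the NUL */
        return HDR_TOO_LONG;

    const char *val = colon + 1;
    size_t val_len = len - name_len - 1;
    while (val_len > 0 && (*val == ' ' || *val == '\t')) {  /* skip leading blanks */
        val++;
        val_len--;
    }
    if (val_len >= sizeof out->value)
        return HDR_TOO_LONG;

    memcpy(out->name, line, name_len);
    out->name[name_len] = '\0';
    memcpy(out->value, val, val_len);
    out->value[val_len] = '\0';
    return HDR_OK;
}

/* Constructed input: "X-Test: " followed by value_len filler bytes. */
enum hdr_status parse_constructed(size_t value_len)
{
    static char line[8 + 4096];
    struct header h;
    if (value_len > 4096)
        return HDR_MALFORMED;
    memcpy(line, "X-Test: ", 8);
    memset(line + 8, 'a', value_len);
    return parse_header_line(line, 8 + value_len, &h);
}
```

A proxy built this way would answer a rejected line with an HTTP error and close the connection, so a header longer than the buffer costs one failed request instead of corrupting memory in a service running with system privileges.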


(..)


Solution:

The vendor has been notified. After trying to confirm receipt of our initial
e-mail to them, we received a message with "SPAM?" in the subject line,
which stated the following:

"As of right now, we will add the problem to our bug list which will be
consulted when any upgrades are made."

This was tested on a Win2k configuration with the following Avirt
products:

Avirt SOHO v4.2
Avirt Gateway v4.2
Avirt Gateway Suite v4.2

Earlier versions could be vulnerable as well.

