Avirt Gateway Suite Remote SYSTEM Level Compromise
daemon@ATHENA.MIT.EDU (Strumpf Noir Society)
Thu Jan 17 20:28:49 2002
Date: Thu, 17 Jan 2002 20:21:08 +0100
From: Strumpf Noir Society <vuln-dev@labs.secureance.com>
Reply-To: Strumpf Noir Society <vuln-dev@labs.secureance.com>
Message-ID: <16152299502.20020117202108@labs.secureance.com>
To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Strumpf Noir Society Advisories
! Public release !
<--#
-= Avirt Gateway Suite Remote SYSTEM Level Compromise =-
Release date: Thursday, January 17, 2002
Introduction:
Avirt Gateway Suite combines the features of the Avirt Gateway
internet sharing technology with the functionality of the Avirt
Mail server in one integrated package for the enterprise.
The Gateway Suite can be found at vendor Avirt's web site:
http://www.avirt.com
Problem:
The Avirt Gateway technology integrated in the Gateway Suite contains,
amongst others, a telnet proxy. However, due to an error in the
implementation of this proxy inside the Gateway Suite, the system on which
it is installed is effectively turned into an insecure telnet server.
To exploit this flaw, an attacker would only have to telnet to the
telnet proxy (running on port 23 in a default installation) and could then
browse the system's file structure using the 'dir' and/or 'ls' commands.
Typing 'dos' after connecting to the target machine drops the
attacker into a DOS prompt. No authentication is required other than
connecting from an IP address that is in one of the proxy's allowed ranges.
The Gateway Suite runs as an NT system service by default.
(..)
Solution:
Vendor has been notified. After trying to confirm receipt of our initial
e-mail to them, we received a message with "SPAM?" in the subject line,
which stated the following:
"As of right now, we will add the problem to our bug list which will be
consulted when any upgrades are made."
This was tested on a Win2k configuration running the Avirt Gateway
Suite v4.2. The Avirt Gateway (also v4.2) product itself is not vulnerable
to this problem.
yadayadayada
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant; all information is provided on an AS IS basis.
EOF, but Strumpf Noir Society will return!