Bugtraq mailing list archives

Avirt Proxy Buffer Overflow Vulnerabilities


From: Strumpf Noir Society <vuln-dev () labs secureance com>
Date: Thu, 17 Jan 2002 20:23:28 +0100

Strumpf Noir Society Advisories
! Public release !
<--#


-= Avirt Proxy Buffer Overflow Vulnerabilities =-

Release date: Thursday, January 17, 2002


Introduction:

The Utah, USA-based company Avirt specializes in the development
of (inter-)networking and sharing technologies. As such, it
maintains the SOHO and Gateway proxy product lines.

These products can be found at vendor Avirt's web site:
http://www.avirt.com


Problem:

The products from the above-mentioned families are all vulnerable to
a buffer overflow condition, which can be exploited to execute
arbitrary code on the systems in question.

The problem appears to be due to incorrect bounds checking of the
header fields for the standard HTTP proxy (port 8080 by default). If
these headers exceed 2319 bytes in size, the corresponding buffer
will overflow.

Besides allowing for a DoS attack against a vulnerable system, this
could be exploited to execute arbitrary code on the host, as EIP is
overwritten. These Avirt products run as an NT system service by
default.
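
An added example, not part of the advisory or of Avirt's code: a C check
that a front-end filter or traffic reviewer could apply to proxy requests,
flagging header data above the 2319-byte size reported above. The function
and enum names are hypothetical, and applying the limit both to a single
line and to the whole header block is an assumption, since the advisory
does not say which is meant.

```c
#include <stddef.h>
#include <string.h>

/* From the advisory: header data beyond this size overflows the buffer. */
#define AVIRT_HDR_LIMIT 2319

enum hdr_verdict { HDR_OK, HDR_INCOMPLETE, HDR_LINE_TOO_LONG, HDR_BLOCK_TOO_LONG };

/*
 * Walk the request line and header fields in buf[0..len) and stop at the
 * blank line that ends the header block. Lines may end in CRLF or bare LF.
 * limit applies to each line and to the whole block (assumption: the
 * advisory does not say which of the two the 2319 bytes refers to).
 */
enum hdr_verdict check_headers(const char *buf, size_t len, size_t limit)
{
    size_t pos = 0;

    while (pos < len) {
        const char *nl = memchr(buf + pos, '\n', len - pos);
        /* Unterminated data: judge what has arrived so far. */
        size_t line_len = nl ? (size_t)(nl - (buf + pos)) : len - pos;

        if (nl && line_len > 0 && buf[pos + line_len - 1] == '\r')
            line_len--;                      /* drop the CR of a CRLF */
        if (line_len > limit)
            return HDR_LINE_TOO_LONG;
        if (!nl)
            break;                           /* need more bytes */
        pos = (size_t)(nl - buf) + 1;
        if (pos > limit)
            return HDR_BLOCK_TOO_LONG;
        if (line_len == 0)
            return HDR_OK;                   /* blank line: end of headers */
    }
    return len > limit ? HDR_BLOCK_TOO_LONG : HDR_INCOMPLETE;
}

int main(void)
{
    /* Constructed sample request, not captured traffic. */
    static const char req[] = "GET http://example.test/ HTTP/1.0\r\n"
                              "Host: example.test\r\n\r\n";
    return check_headers(req, sizeof req - 1, AVIRT_HDR_LIMIT) == HDR_OK ? 0 : 1;
}
```

A request that has not yet sent its line terminator is still flagged once
the pending line passes the limit, so the check does not depend on the
sender completing the header.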


(..)


Solution:

Vendor has been notified. After trying to confirm receipt of our initial
e-mail to them, we received a message with "SPAM?" in the subject line,
which stated the following:

"As of right now, we will add the problem to our bug list which will be
consulted when any upgrades are made."

This was tested on a Win2k configuration with the following Avirt
products:

Avirt SOHO v4.2
Avirt Gateway v4.2
Avirt Gateway Suite v4.2

Earlier versions could be vulnerable as well.


yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant; all information is provided on an AS IS basis.

EOF, but Strumpf Noir Society will return!


