
Thursday, January 03, 2008

[NT] Georgia SoftWorks SSH2 Server Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Georgia SoftWorks SSH2 Server Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://www.georgiasoftworks.com/prod_ssh2/ssh2_server.htm> GSW_SSHD is
"a well known commercial SSH server which acts as SSH tunnel for the
telnet server GS_Tnet.exe". Multiple vulnerabilities have been discovered
in GSW_SSHD; they allow remote attackers to overflow internal buffers in
the product and to mount a format string attack against it.

DETAILS

Vulnerable Systems:
* Georgia SoftWorks SSH2 Server (GSW_SSHD) version 7.01.0003 and prior

Format string in the log function
The logging function used by the server is affected by a format string
vulnerability: vsprintf is used to build the first message (such as
"LoginPassword(%s(%s)[%u])"), and a second vsprintf then builds the final
log entry from that result. The bug can be exploited through the username
field.

Buffer overflow in the log function
A buffer-overflow vulnerability is located in the same logging function.
A username longer than 10000 characters is enough to exploit it.

Buffer overflow in the handling of the password
The server is also affected by another buffer overflow, this one located
in the code that handles the password supplied by the client; it can be
exploited with a string longer than 800 characters.
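As an added illustration, not code from the advisory, the exploit or the vendor: the two-stage logging pattern described above reconstructed as a hypothetical function, beside a bounded form that never lets the expanded message become a format string. The message template is the one quoted in the advisory; LOG_MAX, the host string and the port are assumed values.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#define LOG_MAX 256   /* assumed size of one log entry */

/* Flawed two-stage pattern from the advisory (hypothetical reconstruction):
 * an unbounded vsprintf, whose output, now carrying user text, becomes the
 * format string of the next call. Comparison only; never feed it user data. */
void log_entry_flawed(char *out, const char *fmt, ...)
{
    char msg[128];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(msg, fmt, ap);   /* defect 1: no bound on msg */
    va_end(ap);
    sprintf(out, msg);        /* defect 2: user data used as a format */
}

/* Hardened form: bounded at every stage; the expanded message is always an
 * argument to "%s". Returns 0 on success, 1 if truncated, -1 on error. */
int log_entry_safe(char *out, size_t outsz, const char *user,
                   const char *host, unsigned port)
{
    char msg[LOG_MAX];
    int n = snprintf(msg, sizeof msg, "LoginPassword(%s(%s)[%u])",
                     user, host, port);
    if (n < 0) return -1;
    int truncated = (size_t)n >= sizeof msg;
    n = snprintf(out, outsz, "%s", msg);   /* '%' in msg stays literal */
    if (n < 0) return -1;
    if ((size_t)n >= outsz) truncated = 1;
    return truncated;
}
/* Constructed checks mirroring the two username cases in the advisory. */
int demo_percent_in_username(void)
{
    char out[LOG_MAX];
    int rc = log_entry_safe(out, sizeof out, "bob%x%n", "10.0.0.5", 22);
    return rc == 0 && strcmp(out, "LoginPassword(bob%x%n(10.0.0.5)[22])") == 0;
}

int demo_long_username(void)
{
    static char user[20001];   /* > 10000 chars, the advisory's trigger */
    char out[LOG_MAX];
    memset(user, 'A', sizeof user - 1);
    user[sizeof user - 1] = '\0';
    int rc = log_entry_safe(out, sizeof out, user, "10.0.0.5", 22);
    return rc == 1 && strlen(out) == LOG_MAX - 1;   /* flagged, no overflow */
}
```

The bounded version also reports truncation, so an oversized username shows up as a flagged log entry rather than a silently corrupted one.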

Exploit:
/*

by Luigi Auriemma - http://aluigi.org/poc/gswsshit.zip

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <time.h>
#include <libssh2.h>

#ifdef WIN32
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#define sleep Sleep
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>

#define ONESEC 1
