Strumpf Noir Society Advisories ! Public release ! <--#

-= Avirt Proxy Buffer Overflow Vulnerabilities =-

Release date: Thursday, January 17, 2002

Introduction:

The Utah, USA-based company Avirt specializes in the development of (inter-)networking and sharing technologies. As such, it maintains the SOHO and Gateway proxy product lines. These products can be found at vendor Avirt's web site: http://www.avirt.com

Problem:

The products from the above-mentioned families are all vulnerable to a buffer overflow condition, which can be exploited to execute arbitrary code on the systems in question. The problem appears to be due to incorrect bounds checking of the header fields for the standard HTTP proxy (port 8080 by default). If these headers exceed 2319 bytes in size, the corresponding buffer will overflow. Besides allowing for a DoS attack against a vulnerable system, this could be exploited to execute arbitrary code on the host; EIP IS overwritten. These Avirt products run as an NT system service by default.

(..)

Solution:

The vendor has been notified. After trying to confirm receipt of our initial e-mail to them, we received a message with the subject line "SPAM?", which stated the following:

"As of right now, we will add the problem to our bug list which will be consulted when any upgrades are made."

This was tested on a Win2k configuration with the following Avirt products:

Avirt SOHO v4.2
Avirt Gateway v4.2
Avirt Gateway Suite v4.2

Earlier versions could be vulnerable as well.

yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) compliant; all information is provided on an AS IS basis.

EOF, but Strumpf Noir Society will return!
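The flaw described under "Problem" is the classic case of a proxy copying an HTTP header line into a fixed-size buffer without checking its length. The following C code is an added example, not Avirt's code or anything from the advisory: it shows the bounds check a header reader needs, rejecting any line longer than a hypothetical cap (MAX_HEADER_LINE, chosen here below the 2319-byte figure the advisory reports) instead of copying it blindly. The request text and the X-Pad header are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap for one header line. The advisory reports the overflow
 * once a header exceeds 2319 bytes, so a proxy must refuse a line before
 * its buffer fills rather than copying it and hoping it fits. */
#define MAX_HEADER_LINE 2048

enum hdr_status { HDR_OK = 0, HDR_TOO_LONG = 1, HDR_MALFORMED = 2 };

/* Copy one CRLF-terminated header line from `in` into `out`, refusing
 * anything that would not fit. `consumed` receives the bytes eaten,
 * including the CRLF. Returns HDR_OK, HDR_TOO_LONG or HDR_MALFORMED. */
enum hdr_status read_header_line(const char *in, char *out, size_t outlen,
                                 size_t *consumed)
{
    const char *eol = strstr(in, "\r\n");
    if (eol == NULL)
        return HDR_MALFORMED;        /* no line terminator: incomplete request */
    size_t len = (size_t)(eol - in);
    if (len > MAX_HEADER_LINE || len >= outlen)
        return HDR_TOO_LONG;         /* the bounds check the vulnerable code lacked */
    memcpy(out, in, len);
    out[len] = '\0';
    *consumed = len + 2;
    return HDR_OK;
}

/* Walk the header block of `req` (request line plus headers, ended by an
 * empty line). Stops at the first line that is too long or malformed, so
 * no oversized line is ever copied into the stack buffer. */
enum hdr_status check_request_headers(const char *req)
{
    char line[MAX_HEADER_LINE + 1];
    size_t used;
    for (;;) {
        enum hdr_status st = read_header_line(req, line, sizeof line, &used);
        if (st != HDR_OK)
            return st;
        if (line[0] == '\0')
            return HDR_OK;           /* empty line: end of headers */
        req += used;
    }
}

/* Build a constructed request whose X-Pad header value is `padlen` bytes
 * of 'A' and run it through the checker, to exercise the rejection path. */
enum hdr_status check_constructed_request(size_t padlen)
{
    const char *head = "GET http://example.invalid/ HTTP/1.0\r\nX-Pad: ";
    const char *tail = "\r\n\r\n";
    size_t total = strlen(head) + padlen + strlen(tail) + 1;
    char *req = malloc(total);
    if (req == NULL)
        return HDR_MALFORMED;
    strcpy(req, head);
    memset(req + strlen(head), 'A', padlen);
    strcpy(req + strlen(head) + padlen, tail);
    enum hdr_status st = check_request_headers(req);
    free(req);
    return st;
}

int main(void)
{
    printf("normal request:   %d\n", check_constructed_request(10));   /* 0 = HDR_OK */
    printf("3000-byte header: %d\n", check_constructed_request(3000)); /* 1 = HDR_TOO_LONG */
    printf("missing CRLF:     %d\n",
           check_request_headers("GET / HTTP/1.0\r\nHost: x"));        /* 2 = HDR_MALFORMED */
    return 0;
}
```

The point of the design is that the length decision is made from the input before any byte is copied, and the destination size is passed explicitly rather than assumed; a 3000-byte header is answered with a rejection status a proxy can turn into an HTTP 4xx response, instead of a write past the end of the buffer.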