Strumpf Noir Society Advisories
! Public release ! <--#

-= Avirt Gateway Suite Remote SYSTEM Level Compromise =-

Release date: Thursday, January 17, 2002

Introduction:

Avirt Gateway Suite combines the features of the Avirt Gateway internet sharing technology with the functionality of the Avirt Mail server in one integrated package for the enterprise.

The Gateway Suite can be found at vendor Avirt's web site: http://www.avirt.com

Problem:

The Avirt Gateway technology integrated in the Gateway Suite contains, amongst others, a telnet proxy. Due to an error in the implementation of this proxy inside the Gateway Suite, however, the system on which it is installed is effectively turned into an insecure telnet server.

To exploit this flaw, an attacker would only have to telnet to the telnet proxy (running on port 23 in a default installation) and could then browse the system's file structure using the 'dir' and/or 'ls' commands. Typing 'dos' after connecting to the target machine would drop the attacker into a DOS prompt.

No authentication is required other than connecting from an IP address which is in one of the proxy's allowed ranges. The Gateway Suite runs as an NT system service by default.

(..)

Solution:

Vendor has been notified. After trying to confirm receipt of our initial e-mail to them, we received a message with the subject line "SPAM?", which stated the following:

"As of right now, we will add the problem to our bug list which will be consulted when any upgrades are made."

This was tested on a Win2k configuration running the Avirt Gateway Suite v4.2. The Avirt Gateway (also v4.2) product itself is not vulnerable to this problem.

yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) compliant, all information is provided on an AS IS basis.

EOF, but Strumpf Noir Society will return!
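
Added example, not part of the SNS advisory or of Avirt's software: because a source address inside one of the proxy's allowed ranges is the only access condition described under "Problem", this Python script reviews a list of allowed ranges and flags any that reach outside RFC 1918 space or are very wide. The "start-end" range syntax, the sample ranges and the 1024-host threshold are assumptions made for the example.

```python
import ipaddress

# Constructed sample: allowed client ranges as an admin might copy them out of
# the proxy's access settings. The "start-end" text form is an assumption.
SAMPLE_ALLOWED_RANGES = [
    "192.168.1.1-192.168.1.254",
    "10.0.0.0-10.255.255.255",
    "0.0.0.0-255.255.255.255",
    "203.0.113.10-203.0.113.20",
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_HOSTS = 1024  # hypothetical threshold for "too wide to vouch for"


def audit_range(text, max_hosts=MAX_HOSTS):
    """Return a list of findings for one 'start-end' (or single-IP) range."""
    start_s, sep, end_s = text.partition("-")
    try:
        start = ipaddress.IPv4Address(start_s.strip())
        end = ipaddress.IPv4Address((end_s if sep else start_s).strip())
    except ipaddress.AddressValueError:
        return ["unparseable"]
    if int(end) < int(start):
        return ["reversed"]
    findings = []
    # Split the range into CIDR blocks so every part of it is classified.
    blocks = list(ipaddress.summarize_address_range(start, end))
    if any(not any(b.subnet_of(n) for n in RFC1918) for b in blocks):
        findings.append("outside-rfc1918")
    if int(end) - int(start) + 1 > max_hosts:
        findings.append("broad")
    return findings


def audit(ranges):
    """Map each range to its findings; an empty list means nothing flagged."""
    return {r: audit_range(r) for r in ranges}


if __name__ == "__main__":
    for rng, findings in audit(SAMPLE_ALLOWED_RANGES).items():
        print(f"{rng:32} {', '.join(findings) or 'ok'}")
```

A range with no findings still grants every host inside it the unauthenticated access the advisory describes, so the output narrows exposure rather than removing it.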