Firewall ToolKit x-gw Execute Arbitrary Code

2000-10-26T00:00:00
ID OSVDB:3206
Type osvdb
Reporter OSVDB
Modified 2000-10-26T00:00:00

Description

Vulnerability Description

TIS Internet Firewall Toolkit (FWTK) contains a flaw that allows a remote attacker to execute arbitrary code on the vulnerable system. The flaw is in the pmsg() function in the x-gw package. If an attacker supplies malicious code, the sanity checks the function performs do not report only the error; instead, the function reports the error along with the malicious code, which it executes.

Solution Description

It is possible to correct the flaw by implementing the following workaround: disallow logins from untrusted users and hosts. "pre" (original advisory) has released a patch to address this vulnerability.

References:

Other Advisory URL: http://archives.neohapsis.com/archives/bugtraq/2000-10/0376.html
Keyword: FWTK
ISS X-Force ID: 5420
CVE-2000-0950
Bugtraq ID: 1857