Multiple vulnerabilities in Georgia SoftWorks SSH2 Server 7.01.0003

2008-01-03T00:00:00
ID SECURITYVULNS:DOC:18787
Type securityvulns
Reporter Securityvulns
Modified 2008-01-03T00:00:00

Description

Luigi Auriemma

Application:  Georgia SoftWorks SSH2 Server (GSW_SSHD)
              http://www.georgiasoftworks.com/prod_ssh2/ssh2_server.htm
Versions:     <= 7.01.0003
Platforms:    Windows
Bugs:         A] format string in the log function
              B] buffer-overflow in the log function
              C] buffer-overflow in the handling of the password
Exploitation: remote
Date:         02 Jan 2008
Author:       Luigi Auriemma
e-mail:       aluigi@autistici.org
web:          aluigi.org

1) Introduction
2) Bugs
3) The Code
4) Fix

===============
1) Introduction
===============

GSW_SSHD is a well-known commercial SSH server that acts as an SSH tunnel for the telnet server GS_Tnet.exe.

=======
2) Bugs
=======


A] format string in the log function

The logging function used by the server is affected by a format string vulnerability: a first vsprintf builds the message (for example "LoginPassword(%s(%s)[%u])") from the client-supplied fields, and a second vsprintf then uses that resulting string to build the final log entry, so format specifiers contained in the supplied text are interpreted. The bug is exploitable through the username field.


B] buffer-overflow in the log function

The same logging function also contains a buffer-overflow vulnerability: a username longer than 10000 characters is enough to trigger it.


C] buffer-overflow in the handling of the password

The server is also affected by another buffer-overflow, this time in the instructions that handle the password supplied by the client; it is triggered by a password string longer than 800 characters.
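As an added example (not GSW's code; the length limits are assumptions chosen for illustration), the unbounded, user-text-as-format pattern behind bugs A and B is shown as a comment beside a bounded two-stage logger that keeps the username as data and rejects oversized credentials before they reach the log or the password handler:

```c
#include <stdio.h>
#include <string.h>

/* Limits are assumptions for this illustration; the advisory only states that
 * the real server overflows on >10000-char usernames and >800-char passwords. */
#define MAX_USER_LEN 256
#define MAX_PASS_LEN 256
#define EVENT_MAX    512

/* Unsafe two-stage pattern the advisory describes (shown only as a comment):
 *   vsprintf(msg,  "LoginPassword(%s(%s)[%u])", ap);  // unbounded write
 *   vsprintf(line, msg, ap2);   // msg, which now holds user text, is the format
 * The rewrite below bounds every write and never lets user text become a format. */

/* Bounded check that s terminates within `limit` bytes. */
static int within_limit(const char *s, size_t limit) {
    for (size_t i = 0; i <= limit; i++)
        if (s[i] == '\0') return 1;
    return 0;
}

/* Reject oversized credentials before they reach any parser or the log. */
int credential_lengths_ok(const char *user, const char *pass) {
    return within_limit(user, MAX_USER_LEN) && within_limit(pass, MAX_PASS_LEN);
}

/* Stage 1: the untrusted fields are %s arguments of a fixed format literal. */
static int build_event(char *out, size_t outsz, const char *user,
                       const char *host, unsigned port) {
    int n = snprintf(out, outsz, "LoginPassword(%s(%s)[%u])", user, host, port);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;  /* -1: truncated */
}

/* Stage 2: the event text is passed as data; the only format is the literal. */
static int write_log_line(char *out, size_t outsz, const char *level,
                          const char *event) {
    int n = snprintf(out, outsz, "[%s] %s", level, event);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Path a login handler would take; returns the final line length, or -1 when
 * the credentials are oversized or the line would not fit. */
int log_login_attempt(char *line, size_t linesz, const char *user,
                      const char *pass, const char *host, unsigned port) {
    char event[EVENT_MAX];
    if (!credential_lengths_ok(user, pass)) return -1;
    if (build_event(event, sizeof event, user, host, port) < 0) return -1;
    return write_log_line(line, linesz, "AUTH", event);
}
```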

===========
3) The Code
===========

http://aluigi.org/poc/gswsshit.zip

======
4) Fix
======

No fix


Luigi Auriemma http://aluigi.org