Application:  Georgia SoftWorks SSH2 Server (GSW_SSHD)
              http://www.georgiasoftworks.com/prod_ssh2/ssh2_server.htm
Versions:     <= 7.01.0003
Platforms:    Windows
Bugs:         A] format string in the log function
              B] buffer-overflow in the log function
              C] buffer-overflow in the handling of the password
Exploitation: remote
Date:         02 Jan 2008
Author:       Luigi Auriemma
              e-mail: email@example.com
              web:    aluigi.org
1) Introduction
2) Bugs
3) The Code
4) Fix
===============
1) Introduction
===============
GSW_SSHD is a well-known commercial SSH server which acts as an SSH tunnel for the telnet server GS_Tnet.exe.
=======
2) Bugs
=======
The logging function used by the server is affected by a format string vulnerability: a first vsprintf builds a message such as "LoginPassword(%s(%s)[%u])" with the client-supplied fields inserted, and a second vsprintf then uses that already-built message as its own format string, so any format specifiers contained in the inserted fields are interpreted. The bug is exploitable through the username field.
A buffer-overflow vulnerability is located in the same logging function: a username longer than 10000 chars is enough to trigger it.
The server is also affected by another buffer-overflow, this time located in the code which handles the password supplied by the client; it is triggered by a password string longer than 800 chars.
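The following is an added example written for this page, not code from GSW_SSHD or from the advisory's proof of concept. It models the two-stage logging pattern described for bug A (a first vsprintf builds "LoginPassword(%s(%s)[%u])", a second vsprintf is handed that message as its format string) next to a hardened variant that also addresses the unbounded writes behind bugs B and C. The function names, the 256-byte buffer size and the sample host/username values are assumptions made for the demonstration; the real buffer sizes are only known to be exceeded by 10000-char usernames and 800-char passwords. The vulnerable path is only exercised with a doubled percent sign, which is enough to show the message being re-parsed as a format without invoking undefined behaviour.

```c
/* Added example: models the advisory's logging bugs, not GSW_SSHD's code. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256   /* assumed intermediate buffer size, not the server's real one */

/* --- Vulnerable pattern (bugs A and B) --------------------------------- */

/* Second stage: the caller passes the already-built message as `fmt`. */
static void log_vuln_stage2(char *out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(out, fmt, ap);          /* unbounded write; fmt is attacker-influenced */
    va_end(ap);
}

/* First stage: builds the message with sprintf (no length limit), then hands
 * it to the second stage as a format string. Never call this with a long
 * username: that is exactly the overflow the advisory describes. */
int log_vuln(char *out, const char *user, const char *host, unsigned id)
{
    char msg[LOGBUF];
    sprintf(msg, "LoginPassword(%s(%s)[%u])", user, host, id);
    log_vuln_stage2(out, msg);       /* '%' sequences in `user` are now interpreted */
    return (int)strlen(out);
}

/* --- Hardened pattern ----------------------------------------------------- */

static int log_safe_stage2(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);   /* bounded, always NUL-terminated */
    va_end(ap);
    return n;
}

/* Builds the message with snprintf (oversize input is truncated, not written
 * past the end) and passes it to the second stage as a "%s" ARGUMENT, so a
 * '%' inside the username stays literal. Returns the length vsnprintf wanted
 * to write; a value >= outsz tells the caller the entry was truncated. */
int log_safe(char *out, size_t outsz, const char *user, const char *host, unsigned id)
{
    char msg[LOGBUF];
    int n = snprintf(msg, sizeof msg, "LoginPassword(%s(%s)[%u])", user, host, id);
    if (n < 0)
        return -1;
    return log_safe_stage2(out, outsz, "%s", msg);
}

/* --- Checks ---------------------------------------------------------------- */

/* 1 if the chosen path keeps the doubled '%' in the constructed username
 * "ad%%min" literal. The vulnerable path collapses it to "ad%min" because the
 * second vsprintf parses the message as a format. */
int percent_preserved(int use_safe)
{
    char out[LOGBUF * 2];
    if (use_safe)
        log_safe(out, sizeof out, "ad%%min", "10.0.0.5", 7);
    else
        log_vuln(out, "ad%%min", "10.0.0.5", 7);
    return strcmp(out, "LoginPassword(ad%%min(10.0.0.5)[7])") == 0;
}

/* 1 if a constructed 10000-char username is clipped to the output buffer
 * (strlen == outsz-1, terminator in place) instead of overrunning it. */
int long_user_bounded(void)
{
    static char user[10001];
    char out[64];
    memset(user, 'A', sizeof user - 1);
    user[sizeof user - 1] = '\0';
    log_safe(out, sizeof out, user, "10.0.0.5", 7);
    return strlen(out) == sizeof out - 1 && out[sizeof out - 1] == '\0';
}

int main(void)
{
    printf("vulnerable keeps '%%%%': %d\n", percent_preserved(0));
    printf("hardened keeps '%%%%':   %d\n", percent_preserved(1));
    printf("10000-char user bounded: %d\n", long_user_bounded());
    return 0;
}
```

Compile with a plain `cc gsw_log_demo.c` and run it; the only input that reaches the vulnerable path is the doubled percent sign, which is the safe way to observe the second-stage re-parsing. The fix itself is the two rules in `log_safe`: format strings are always literals with the message supplied as an argument, and every write into a fixed buffer goes through a bounded `snprintf`/`vsnprintf` whose return value is checked for truncation.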
===========
3) The Code
===========
======
4) Fix
======
Luigi Auriemma
http://aluigi.org