[resend] Avirt Gateway Telnet Vulnerability (and more?)

Type securityvulns
Reporter Securityvulns
Modified 2002-01-21T00:00:00


Strumpf Noir Society Advisories ! Public release ! <--#

-= Avirt Gateway Telnet Vulnerability (and more?) =-

Release date: Friday, January 18, 2002


The Utah, USA-based company Avirt specializes in the development of (inter-)networking and sharing technologies. As such, it maintains the SOHO and Gateway proxy product lines.

Recently, the SNS research team published two advisories in regards to these products, after which we were informed of at least one other buffer overflow vulnerability in Avirt's Gateway product line.

SNS research would like to thank mr R. Hassell for pointing this problem out to us.

These products can be found at vendor Avirt's web site: http://www.avirt.com


The Avirt Gateway technology contains, amongst others, a telnet proxy. Due to a failure to check for length of the input served to this proxy, a buffer overflow condition exists which could be exploited to execute arbitrary code on the target system.

To exploit this flaw an attacker would have to connect to the telnet proxy and at the "Ready>" prompt pass it a buffer of >2000 bytes. The service will die, EIP is overwritten.

All Avirt's Gateway products run as a NT system service by default.



Vendor has been notified at the time this message went out. We're sure the problem will be added to their "bug list which will be consulted when any upgrades are made."

This was tested on a Win2k configuration with both the Avirt Gateway v4.2 as well as the Avirt Gateway Suite v4.2.

Initially our advice for users would be to set tight trusted ip-ranges and disable the vulnerable services when possible. In light of this new problem however, we have to consider the possibility that boundary checking was not a priority during development of these products. Since fixing the problems when found doesn't seem to be one for this vendor either, our advice is to not use these services until the problems have been dealt with.


SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!