Full Disclosure: GoodTech Telnet Server Buffer Overflow Vulnerability

[Komrade <unsecure () altervista org>]

AUTHOR
Komrade
unsecure () altervista org

Original advisory:
http://unsecure.altervista.org/security/goodtechtelnet.htm

DATE
15/03/2005

PRODUCT
The product turns a Windows NT/2000/XP/2003 system into a multi-user
Telnet server. Gives Telnet users full access to Windows NT command
line. (informations from the website http://www.goodtechsys.com)
Administration commands can be performed via a web browser. This feature
gives you a Graphic interface to administrate the Telnet Server product.
(informations from readme.htm file)


AFFECTED VERSION
All verion prior to 5.0.7 (version fixed by the vendor)

Versions verified to be vulnerable:
5.0
4.0

DETAILS
This program has a vulnerabilty in the administration web server, which
runs on the default port 2380. If a very long string (10040 bytes) ended
by two newline characters is sent to this server, a buffer overflow
vulnerability occurs, overwriting the instruction pointer and giving the
possibility to execute arbitrary code remotely in the LOCAL_SYSTEM context.

POC EXPLOIT
You can find a proof of concept exploit that crashes the vulnerable
servers on:
http://unsecure.altervista.org/security/gtscrash.c.txt

VENDOR STATUS
I notified this vulnerability to the vendor on 14/03/2005 and they fixed
it in the new version 5.0.7
See http://www.goodtechsys.com to download the new fixed version.

VULNERABILITY TIMELINE
11/03/2005 Vulnerability found.
14/03/2005 Vendor contacted.
15/03/2005 Vendor reply.
15/03/2005 Vulnerability fixed. A new version of GoodTech Telnet Server
is now avaible.

--
- Unsecure Programs -
- http://unsecure.altervista.org -





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/