Bugtraq mailing list archives

Avirt Gateway Suite Remote SYSTEM Level Compromise


From: Strumpf Noir Society <vuln-dev () labs secureance com>
Date: Thu, 17 Jan 2002 20:21:08 +0100

Strumpf Noir Society Advisories
! Public release !
<--#


-= Avirt Gateway Suite Remote SYSTEM Level Compromise =-

Release date: Thursday, January 17, 2002


Introduction:

Avirt Gateway Suite combines the features of the Avirt Gateway 
internet sharing technology with the functionality of the Avirt 
Mail server in one integrated package for the enterprise.

The Gateway Suite can be found at vendor Avirt's web site:
http://www.avirt.com


Problem:

The Avirt Gateway technology integrated in the Gateway Suite contains,
amongst others, a telnet proxy. Due to an error in the implementation of
this proxy inside the Gateway Suite however, the system on which it is
installed will be effectively turned into an insecure telnet server.

To exploit this flaw, an attacker would only have to telnet to the
telnet proxy (running on port 23 in a default installation) and could then
browse the system's file structure using the 'dir' and/or 'ls' commands.
Typing 'dos' after connecting to the target machine would drop the
attacker into a DOS prompt. No authentication is required other than
connecting from an IP address in one of the proxy's allowed ranges.

The Gateway Suite runs as an NT system service by default.
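As an added defensive example (not part of this advisory and not Avirt's code), the check below flags proxy allowed ranges that admit Internet-routable addresses and picks out port-23 sessions in constructed log lines where a 'dir', 'ls' or 'dos' command came from outside the private ranges. The allowed-range and log formats are hypothetical; the advisory does not show Avirt's real configuration or logging.

```python
import ipaddress

# Constructed sample inputs (hypothetical formats): one CIDR per allowed
# range, and one telnet-proxy session event per log line.
ALLOWED_RANGES = ["192.168.1.0/24", "10.0.0.0/8", "0.0.0.0/0"]
SESSION_LOG = """\
2002-01-17 20:21:08 src=192.168.1.7 dport=23 cmd=dir
2002-01-17 20:22:11 src=203.0.113.9 dport=23 cmd=dos
2002-01-17 20:23:40 src=203.0.113.9 dport=23 cmd=dir
2002-01-17 20:25:02 src=10.4.4.4 dport=8080 cmd=GET
"""

PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Commands the advisory names: file browsing plus the 'dos' prompt escape.
SHELL_CMDS = {"dos", "dir", "ls"}


def is_private(addr):
    """True when addr falls inside an RFC 1918 or loopback range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)


def exposed_ranges(ranges):
    """Allowed ranges that admit at least one non-private address.

    Since the allowed-range list is the proxy's only access control,
    any such range exposes the unauthenticated shell to the Internet."""
    bad = []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=False)
        if not any(net.subnet_of(p) for p in PRIVATE):
            bad.append(r)
    return bad


def suspicious_sessions(log):
    """(src, cmd) pairs for port-23 sessions where a shell or file-browsing
    command was issued from outside the private ranges."""
    hits = []
    for line in log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        if fields["dport"] != "23" or fields["cmd"] not in SHELL_CMDS:
            continue
        if not is_private(fields["src"]):
            hits.append((fields["src"], fields["cmd"]))
    return hits
```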


(..)


Solution:

Vendor has been notified. After trying to confirm receipt of our initial
e-mail to them, we received a message with "SPAM?" in the subject line,
which stated the following:

"As of right now, we will add the problem to our bug list which will be
consulted when any upgrades are made."

This was tested on a Win2k configuration running the Avirt Gateway 
Suite v4.2. The Avirt Gateway (also v4.2) product itself is not vulnerable
to this problem.


yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant; all information is provided on an AS IS basis.

EOF, but Strumpf Noir Society will return!


