Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Dave Ahmad (dasecurityfocus.com)
Date: Wed Jun 26 2002 - 16:15:48 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Dave Ahmad

    ---------- Forwarded message ----------
    Return-Path: <labsfoundstone.com>
    Delivered-To: dasecurityfocus.com
    Received: (qmail 7641 invoked from network); 26 Jun 2002 21:07:49 -0000
    Received: from unknown (HELO mission.foundstone.com) (
      by mail.securityfocus.com with SMTP; 26 Jun 2002 21:07:49 -0000
    X-MimeOLE: Produced By Microsoft Exchange V6.0.5762.3
    content-class: urn:content-classes:message
    MIME-Version: 1.0
    Content-Type: text/plain;
    Content-Transfer-Encoding: quoted-printable
    Subject: Foundstone Advisory - Buffer Overflow in AnalogX SimpleServer:Shout
    Date: Wed, 26 Jun 2002 14:12:35 -0700
    Message-ID: <9DC8A3D37E31E043BD516142594BDDFAC47556MISSION.foundstone.com>
    Thread-Topic: Foundstone Advisory - Buffer Overflow in AnalogX
    Thread-Index: AcIcmwywcmq21NfgTGGmQti1qTYfMAAux8jA
    From: "Foundstone Labs" <labsfoundstone.com>
    To: <dasecurityfocus.com>

    FS Advisory ID: FS-062502-22-AXSH

    Release Date: June 25, 2002

    Product: AnalogX SimpleServer:Shout

    Vendor: AnalogX (http://www.analogx.com)

    Vendor Advisory: See vendor web site

    Type: Buffer Overflow

    Severity: High

    Author: Robin Keir (robin.keirfoundstone.com)
                                    Foundstone, Inc.

    Operating Systems: Windows variants

    Vulnerable versions: SimpleServer:Shout v1.0

    Foundstone Advisory: http://www.foundstone.com/advisories.htm


    A buffer overflow exists in AnalogX's SimpleServer:Shout software.
    Exploitation of this vulnerability allows remote execution of arbitrary
    code with the privileges of the Shout daemon (default is SYSTEM).


    Sending a fake request to the target system on TCP port 8001 consisting
    of a packet of 348 or more non-space characters followed by 2 carriage
    return linefeeds causes a write access violation in the application.
    Manually dismissing the application error message box that is displayed
    on the affected system at this point will terminate the process. If the
    message box is not manually dismissed,, repeated sending of the request
    causes repeated access violation message boxes to appear on the affected
    system to the point where the service no longer responds.

    Different number of bytes sent cause different error conditions to
    occur, such as write access violations and Watcom memory error dialogs
    to appear.


    Refer to the vendor's web site for further details:


    Foundstone would like to thank AnalogX for their prompt response and
    handling of this problem.


    The information contained in this advisory is copyright (c) 2002
    Foundstone, Inc. and is believed to be accurate at the time of
    publishing, but no representation of any warranty is given, express, or
    implied as to its accuracy or completeness. In no event shall the author
    or Foundstone be liable for any direct, indirect, incidental, special,
    exemplary or consequential damages resulting from the use or misuse of
    this information. This advisory may be redistributed, provided that no
    fee is assigned and that the advisory is not modified in any way.