|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Thomas Pollet (thomas.pollet
gmail.com)
Date: Mon Apr 30 2007 - 11:30:07 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello,
Aventail Connect registers a layered service provider to handle DNS queries.
When resolving a hostname the software fails to check string boundaries
properly.
As the lsp intercepts all ws2_32 dns lookups every application performing
these operations is vulnerable.
e.g.
$ ssh $(perl -e 'print "a"x2200')
Segmentation fault (core dumped)
vulnerable copy loop in asnsp.dll:
18B539F2 41 INC ECX
18B539F3 41 INC ECX
18B539F4 66:85D2 TEST DX,DX
18B539F7 74 0A JE SHORT asnsp.18B53A03
18B539F9 66:8B11 MOV DX,WORD PTR DS:[ECX]
18B539FC 66:8916 MOV WORD PTR DS:[ESI],DX
18B539FF 46 INC ESI
18B53A00 46 INC ESI
18B53A01 ^EB EF JMP SHORT asnsp.18B539F2
This was tested on version 4.1.2.13.
vendor: http://www.aventail.com/
Regards,
Thomas Pollet
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]