Home -
Security -
Utility -
Notepad -
Contact us
AUTHOR
Komrade
unsecure@altervista.org
DATE
15/03/2005
PRODUCT
The product turns a Windows NT/2000/XP/2003 system into a multi-user Telnet server. Gives Telnet users full access to Windows NT command line. (informations from the website http://www.goodtechsys.com)
Administration commands can be performed via a web browser. This feature gives you a Graphic interface to administrate the Telnet Server product. (information from readme.htm file)
AFFECTED VERSION
All verion prior to 5.0.7 (version fixed by the vendor)
Versions verified to be vulnerable:
5.0
4.0
DETAILS
This program has a vulnerabilty in the administration web server, which runs on the default port 2380. If a very long string (10040 bytes) ended by two newline characters
is sent to this server, a buffer overflow vulnerability occurs, overwriting the instruction pointer and giving the possibility to execute arbitrary code remotely in the LOCAL_SYSTEM context.
POC EXPLOIT
You can find a proof of concept exploit that crashes the vulnerable servers on:
http://unsecure.altervista.org/security/gtscrash.c.txt
Exploit created by Cybertonic:
http://unsecure.altervista.org/security/cybertronic.c.txt
VENDOR STATUS
I notified this vulnerability to the vendor on 14/03/2005 and they fixed it in the new version 5.0.7
See http://www.goodtechsys.com to download the new fixed verion.
VULNERABILITY TIMELINE
11/03/2005 Vulnerability found.
14/03/2005 Vendor contacted.
15/03/2005 Vendor reply.
15/03/2005 Vulnerability fixed. A new version of GoodTech Telnet Server is now avaible.