#######################################################################
Luigi Auriemma
Application: Georgia SoftWorks SSH2 Server (GSW_SSHD)
http://www.georgiasoftworks.com/prod_ssh2/ssh2_server.htm
Versions: <= 7.01.0003
Platforms: Windows
Bugs: A] format string in the log function
B] buffer-overflow in the log function
C] buffer-overflow in the handling of the password
Exploitation: remote
Date: 02 Jan 2008
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
1) Introduction

GSW_SSHD is a well known commercial SSH server which acts as an SSH
tunnel for the GS_Tnet.exe telnet server.
#######################################################################
2) Bugs

A] format string in the log function

The logging function used by the server builds its entries in two
passes: a first vsprintf formats the message template (for example
"LoginPassword(%s(%s)[%u])") with the client-supplied values, and a
second vsprintf then uses the resulting string as its format argument.
Any '%' directives contained in the username are therefore interpreted
by the second pass, which makes the bug exploitable through the
username field.

B] buffer-overflow in the log function

The same logging function is affected by a buffer-overflow: vsprintf
writes the formatted entry into a fixed-size buffer with no length
check, so a username longer than 10000 chars is enough to overflow it.

C] buffer-overflow in the handling of the password

The server is affected also by a third buffer-overflow, this time
located in the instructions which handle the password supplied by the
client: a password longer than 800 chars overflows the destination
buffer.
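The three bugs above, as an added example in C that is not part of this advisory and is not GSW_SSHD's code: a constructed logging routine with the vulnerable shape (an unbounded vsprintf whose output is then reused as a format string) next to a hardened version that bounds the write and passes the message as a "%s" argument, plus a password handler that rejects over-long input before copying it. The buffer sizes, the message template, the host string and the sample values are assumptions chosen so the example runs in a few KB; the advisory only gives the trigger lengths (username > 10000 chars, password > 800 chars), not the server's real buffer sizes.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration only; GSW_SSHD's real buffers are
 * not known from the advisory, which gives just the trigger lengths. */
#define LOG_MSG_MAX 128
#define PASSWORD_MAX 64

/* Second pass of the vulnerable pattern: the already-formatted message
 * goes through the formatter again, unbounded. No format attribute is
 * declared, so the compiler cannot flag the non-literal format. */
static void emit_unbounded(char *out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(out, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape (constructed, not vendor code): vsprintf with no bound,
 * then the result is reused as a format string. A username longer than
 * msg overruns the stack buffer; a username containing '%' directives is
 * parsed by the second pass. Only call it with short, harmless input. */
static void log_vulnerable(char *out, const char *fmt, ...)
{
    char msg[LOG_MSG_MAX];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(msg, fmt, ap);
    va_end(ap);
    emit_unbounded(out, msg);
}

/* Hardened shape: bounded formatting, and the message is an argument to
 * a literal "%s" format rather than the format itself.
 * Returns 1 if the entry had to be truncated, 0 otherwise. */
static int log_fixed(char *out, size_t outsz, const char *fmt, ...)
{
    char msg[LOG_MSG_MAX];
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    snprintf(out, outsz, "%s", msg);
    return n < 0 || (size_t)n >= sizeof msg;
}

/* Password handling: check the length before copying instead of copying
 * into a fixed buffer. Returns 0 on success, -1 if the password is too long. */
static int store_password(char dst[PASSWORD_MAX], const char *pw)
{
    size_t len = strlen(pw);
    if (len >= PASSWORD_MAX)
        return -1;
    memcpy(dst, pw, len + 1);
    return 0;
}

/* "%%" is a directive the second pass can consume without reading missing
 * arguments, so it shows the double formatting safely: the vulnerable path
 * collapses it to "%", the fixed path keeps it. Returns 1 when both hold. */
static int check_double_format(void)
{
    char vuln[LOG_MSG_MAX], fixed[LOG_MSG_MAX];
    log_vulnerable(vuln, "LoginPassword(%s(%s)[%u])", "%%", "10.0.0.1", 7u);
    log_fixed(fixed, sizeof fixed, "LoginPassword(%s(%s)[%u])", "%%", "10.0.0.1", 7u);
    return strcmp(vuln, "LoginPassword(%(10.0.0.1)[7])") == 0
        && strcmp(fixed, "LoginPassword(%%(10.0.0.1)[7])") == 0;
}

/* Over-long username: the fixed path truncates and reports it. The
 * vulnerable path is deliberately not called with this input, since
 * vsprintf would write past msg (the advisory's >10000-byte case). */
static int check_long_username(void)
{
    char user[LOG_MSG_MAX * 4], out[LOG_MSG_MAX];
    int truncated;
    memset(user, 'A', sizeof user - 1);
    user[sizeof user - 1] = '\0';
    truncated = log_fixed(out, sizeof out, "LoginPassword(%s(%s)[%u])", user, "10.0.0.1", 7u);
    return truncated == 1 && strlen(out) == LOG_MSG_MAX - 1;
}

/* Over-long password is rejected; a normal one is stored intact. */
static int check_password(void)
{
    char dst[PASSWORD_MAX], longpw[PASSWORD_MAX * 2];
    memset(longpw, 'B', sizeof longpw - 1);
    longpw[sizeof longpw - 1] = '\0';
    return store_password(dst, "hunter2") == 0
        && strcmp(dst, "hunter2") == 0
        && store_password(dst, longpw) == -1;
}

int main(void)
{
    printf("double format: %s\n", check_double_format() ? "bug reproduced, fix holds" : "unexpected");
    printf("long username: %s\n", check_long_username() ? "truncated safely" : "unexpected");
    printf("long password: %s\n", check_password() ? "rejected" : "unexpected");
    return 0;
}
```

The "%%" probe is the safe way to confirm that a logger re-parses its own output: a single "%" in the written entry means a second format pass happened, which is the condition under which "%n" or "%x" in the username would become dangerous. The same probe, sent as the username over SSH, is how one would check a live server for bug A without risking a crash.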
#######################################################################
3) The Code

http://aluigi.org/poc/gswsshit.zip
#######################################################################
4) Fix

No fix
#######################################################################
Luigi Auriemma
http://aluigi.org