Vulnerabilities > CVE-2005-3187 - Remote Denial Of Service vulnerability in Bluecoat Winproxy 6.0

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
bluecoat
nessus
exploit available
NVD
Published: 2005-12-31
Updated: 2011-03-08

Summary

The listening daemon in Blue Coat Systems Inc. WinProxy before 6.1a allows remote attackers to cause a denial of service (crash) via a long HTTP request that causes an out-of-bounds read.

Vulnerable Configurations

Part Description Count
Application
Bluecoat
1

Exploit-Db

descriptionBlueCoat WinProxy <= 6.0 R1c (GET Request) Denial of Service Exploit. CVE-2005-3187. Dos exploit for windows platform
idEDB-ID:1409
last seen2016-01-31
modified2006-01-07
published2006-01-07
reporterFistFuXXer
sourcehttps://www.exploit-db.com/download/1409/
titleBlueCoat WinProxy <= 6.0 R1c GET Request Denial of Service Exploit

Nessus

  • NASL familyFirewalls
    NASL idWINPROXY_61A.NASL
    descriptionThe remote host is running WinProxy, a proxy server for Windows. According to the Windows registry, the installed version of WinProxy suffers from denial of service and buffer overflow vulnerabilities in its telnet and web proxy servers. An attacker may be able to exploit these issues to crash the proxy or even execute arbitrary code on the affected host.
    last seen2020-06-01
    modified2020-06-02
    plugin id20393
    published2006-01-10
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20393
    titleWinProxy < 6.1a Multiple Vulnerabilities (credentialed check)
    code
    #
# (C) Tenable Network Security, Inc.
#



include("compat.inc");

if (description) {
  script_id(20393);
  script_version("1.14");

  script_cve_id("CVE-2005-3187", "CVE-2005-3654", "CVE-2005-4085");
  script_bugtraq_id(16147, 16148, 16149);

  script_name(english:"WinProxy < 6.1a Multiple Vulnerabilities (credentialed check)");
  script_summary(english:"Checks for multiple vulnerabilities in WinProxy < 6.1a");

 script_set_attribute(attribute:"synopsis", value:
"The remote proxy is affected by multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host is running WinProxy, a proxy server for Windows. 

According to the Windows registry, the installed version of WinProxy
suffers from denial of service and buffer overflow vulnerabilities in
its telnet and web proxy servers.  An attacker may be able to exploit
these issues to crash the proxy or even execute arbitrary code on the
affected host." );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?40f07cd6" );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3a6c81a5" );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?79b3006b" );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8c88612f" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to WinProxy version 6.1a or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'Blue Coat WinProxy Host Header Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/10");
 script_set_attribute(attribute:"patch_publication_date", value: "2006/01/05");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/01/05");
 script_cvs_date("Date: 2018/08/06 14:03:14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();

 
  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);


# Look in the registry for evidence of WinProxy.
name = get_kb_item("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/WinProxy 6/DisplayName");
if (name && name =~ "^WinProxy \(Version ([0-5]\.|6\.0)") {
  security_hole(0);
  exit(0);
}
  • NASL familyFirewalls
    NASL idWINPROXY_HTTP_61A.NASL
    descriptionThe remote host is running WinProxy, a proxy server for Windows. The installed version of WinProxy
    last seen2020-06-01
    modified2020-06-02
    plugin id20391
    published2006-01-10
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20391
    titleWinProxy < 6.1a HTTP Proxy Multiple Vulnerabilities
    code
    #
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description) {
  script_id(20391);
  script_version("1.19");

  script_cve_id("CVE-2005-3187", "CVE-2005-4085");
  script_bugtraq_id(16147, 16148);

  script_name(english:"WinProxy < 6.1a HTTP Proxy Multiple Vulnerabilities");
  script_summary(english:"Checks for multiple vulnerabilities in WinProxy < 6.1a HTTP Proxy");

 script_set_attribute(attribute:"synopsis", value:
"The remote web proxy server is affected by denial of service and
buffer overflow vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The remote host is running WinProxy, a proxy server for Windows. 

The installed version of WinProxy's HTTP proxy fails to handle long
requests as well as requests with long Host headers.  An attacker may
be able to exploit these issues to crash the proxy or even execute
arbitrary code on the affected host." );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?40f07cd6" );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3a6c81a5" );
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8c88612f" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to WinProxy version 6.1a or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"metasploit_name", value:'Blue Coat WinProxy Host Header Overflow');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/10");
 script_set_attribute(attribute:"patch_publication_date", value: "2006/01/05");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/01/05");
 script_cvs_date("Date: 2018/08/06 14:03:14");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
  script_category(ACT_DENIAL);
  script_family(english:"Firewalls");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  script_dependencies("find_service2.nasl", "httpver.nasl");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80, dont_break: 1);


# Make sure it looks like WinProxy.
help = get_kb_banner(port: port, type: "help");
if (help && "Proxy-agent: BlueCoat-WinProxy" >< help) {
  # Flag it as a proxy.
  register_service(port:port, ipproto:"tcp", proto:"http_proxy");

  # Try to exploit it.
  rq = http_mk_proxy_request(port: 80, item: "/", host: "127.0.0.1", method: "GET", scheme: "http", version: 10, add_headers: make_array("Host", crap(32800)));

  w = http_send_recv_req(port: port, req: rq);
  # If we didn't get anything, try resending the query.
  w = http_send_recv3(port: port, item:"/", method:"GET");

  # There's a problem if we didn't get a response the second time.
    if (isnull(w)) security_hole(port);
}

Seebug

  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:63328
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-63328
    titleBlueCoat WinProxy <= 6.0 R1c (GET Request) Denial of Service Exploit
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:15813
    last seen2017-11-19
    modified2006-01-07
    published2006-01-07
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-15813
    titleBlueCoat WinProxy &lt;= 6.0 R1c (GET Request) Denial of Service Exploit

References