####################################################################### Luigi Auriemma Application: GO-Global for Windows http://www.graphon.com/products/GO-GlobalforWindows.shtml Versions: <= 3.1.0.3270 Platforms: Server: Windows Clients: Windows, Solaris, HP-UX, IBM AIX and Linux Java version not vulnerable Bug: buffer-overflow Exploitation: remote, versus server and client Date: 02 Nov 2005 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== GO-Global for Windows is a server-based thin-client solution. It allows users to run 32-bit Windows applications remotely from a server, the application runs entirely on the server but is displayed on the client. ####################################################################### ====== 2) Bug ====== After the initial handshake where is specified the type of encryption to use (_USERSA_), the application uses 16 bit fields for specifying the length of the subsequent data blocks. Both the client and the server use a small buffer which leads to a buffer-overflow if an attacker uses a data block longer than its size. Both server and clients are vulnerables. ####################################################################### =========== 3) The Code =========== For testing the "GO-Global for Windows" server: http://aluigi.org/poc/ggwbof.zip For testing the "GO-Global for Windows" clients: http://aluigi.org/poc/ggwbofc.zip ####################################################################### ====== 4) Fix ====== Version 3.1.0.3281 #######################################################################