Vulnerability Development mailing list archives

Multiple exploits Remote DOS Brainware 2000.11


From: Justin Hull <anon30818 () ZOTLINE COM>
Date: Mon, 30 Oct 2000 19:35:23 -0700


Multiple Denial-Of-Service (DOS) attacks are possible against users of Brainware
2000.11.


At Risk:

1. Users of all computing platforms except Linux.

2. People who have never used a computer.

Communication software must be installed and enabled for the attack to succeed.


Example Exploits:


Victim prompt: Paper or Plastic?

DOS response: Any string not beginning with the letter "P" (upper or lower
case).


Victim prompt: You saved 41 cents.

DOS response: Compared to what?


This class of DOS is not limited to shopping cart applications. For example:


Victim prompt: Are you voting Republican or Democrat?

DOS response: Neither.


Victim prompt: What do you think the government should do about health care?

DOS response: I think government should help you fight criminals, not colds.


Other scenarios exist, but they will not be disclosed at this time to give the
luser community a chance to prepare.


Severity: Medium. Workarounds exist. No patch available at this time.

There are no reports of these attacks causing a fatal or unrecoverable error. In
many cases the victim will simply hang for several seconds and/or self-reboot.
The victim may then repeat the prompt, enabling another DOS. In less common
cases the DOS will simply be ignored. There are some indications that
Brainware's response to the DOS attempt may vary depending on how long ago the
software was first installed.

Some would argue that the DOS cannot really be remotely initiated because it
requires the victim's cooperation to emit the prompt string prior to the attack.
However, various well-known social engineering techniques can usually place the
intended victim into a pre-vulnerability state from which the prompt string
shortly follows.


Patch:

Several patches have been attempted; however, they are usually rejected by
Brainware's built-in defenses.


Workaround:

Potential victims should filter OUTGOING packets containing prompt strings that
signal the victim is in a vulnerable state, and/or avoid the situations that
commonly lead up to the DOS.

Attempting to filter the INBOUND packets containing DOS strings is not
recommended for the following reasons:

* Effective filtering would require a stateful awareness because the content of
the DOS packets may be legitimate under other circumstances.

* The processing overhead for the filtering and state analysis must be performed
by the potential victim. No known suitable firewalls are presently available on
the market.

* Targeted victims may not have sufficient stateful awareness capacity or
available processor cycles to devote to the required filtering.

* If the finger/ear protocol is implemented by the victim, all communication is
hindered which is in itself another type of DOS.


Vendor notification:

Although Brainware 2000.10 has no obvious copyright message (in fact it copies
itself aggressively, much like a virus) many members of the user community
believe they have identified the vendor. However, multiple prayers emailed to
god () heaven org went unanswered. If the vendor monitors Vuln-Dev, a current email
address would be appreciated, as I'm sure many of us would be happy to work
directly with the vendor on issues like this in the future.


Credits:

I would like to claim credit for being the first to formally report what may
turn out to be a whole new class of security vulnerabilities. However, I am sure
others can immediately think of several additional DOS strings. Perhaps we
should collect these in a database somewhere.

I also discovered Cross Site Scripting, brute-force password cracking, and the
Good Times virus, but certain nondisclosure agreements and/or fear of
prosecution prevented me from reporting them.


Disclaimer:

This information is intended to alert the community so users can take
appropriate protective measures. Georgi Guninski is not liable for any abuse of
this information, and for that matter, neither is anyone else.

