
Director31ad.html

Posted Apr 5, 2004
Authored by Juanma Merino | Site t3k.ibernet.com

IBM Director 3.1 Agent for Windows is vulnerable to a remote denial of service attack when being scanned.

tags | advisory, remote, denial of service
systems | windows
SHA-256 | 11c8a7a8d97e1b7c71871fe52805b379be6151773027ff19753134ed8fd5d859

<html>

<head>
<meta http-equiv="Content-Language" content="es">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Juanma Merino®</title>
</head>

<body>

<p><font face="Arial">Security Advisory by Juanma Merino</font></p>
<p><font face="Arial"><u><b>Remote DoS on&nbsp;</b> <b>IBM Director 3.1 Agent
for Windows</b></u></font></p>
<p><font face="Arial"><b>Reported to esCERT UPC on:</b> May 2003 (no response)</font></p>
<p><font face="Arial"><b>Vendor contacted on:</b> March 1, 2004 (no response)</font></p>
<p><font face="Arial"><b>Vendor:</b> IBM (www.ibm.com)&nbsp;</font></p>
<p><font face="Arial"><b>Systems Affected:</b></font></p>
<p><font face="Arial">IBM Director 3.1 Agent for Windows</font></p>
<p>&nbsp;&nbsp;&nbsp;<font face="Arial"> - Windows 2000 Professional SP3, SP4</font></p>
<p>&nbsp;&nbsp;&nbsp;<font face="Arial"> - Windows NT4 SP6a</font></p>
<p>&nbsp;&nbsp;&nbsp;<font face="Arial"> - Other Windows flavours not tested but
probably affected too.</font></p>
<p><font face="Arial"><b>Description:</b></font></p>
<p><font face="Arial">When running Amap (www.thc.org) in order to discover what
protocol is running on TCP port 14247, IBM Director Agent for Windows crashes.</font></p>
<p><font face="Arial">TCP port 14247 is owned by twgipc.exe. Fport shows this:</font></p>
<p><font face="Arial">"twgipc -> 14247 TCP %ProgramFiles%\UMS\Director\bin\twgipc.exe"&nbsp;</font></p>
<p><font face="Arial">Amap in this case looks like this:</font></p>
<p>[root@localhost root]# amap -sT xxx.x.224.48 14247&nbsp;<br>
Amap v2.1 started at Mon May 26 16:23:34 2003, stand back and keep children away&nbsp;<br>
Couldn't connect to tcp port 14247 on 100.1.224.48. Service crashed after scanning?&nbsp;<br>
Unidentified ports: 14247:tcp (total 1).&nbsp;<br>
Amap v2.1 ended at Mon May 26 16:24:20 2003&nbsp;</p>
<p><font face="Arial">(the Linux box has the wrong time)</font></p>
<p><font face="Arial">This action generates two system events (sorry, they are
in Spanish):</font></p>
<p>*************************************&nbsp;<br>
Tipo de suceso: Error&nbsp;<br>
Origen del suceso: TWGIPC&nbsp;<br>
Categoría del suceso: Ninguno&nbsp;<br>
Id. del suceso: 0&nbsp;<br>
Fecha: 23/05/2003&nbsp;<br>
Hora: 14:44:08&nbsp;<br>
Usuario: No disponible&nbsp;<br>
Equipo: XXXXX&nbsp;<br>
Descripción:&nbsp;<br>
No se encuentra la descripción del Id. de suceso ( 0 ) en el origen ( TWGIPC ). Es posible que el equipo local no tenga la información de Registro o archivos DLL de mensajes necesarios para mostrar mensajes desde un equipo remoto. La siguiente información es par Error TWGIPC: 6; SetServiceStatus(dwCurrentState=1, dwWin32ExitCode=0, dwCheckPoint=0).&nbsp;<br>
*************************************&nbsp;<br>
Tipo de suceso: Información&nbsp;<br>
Origen del suceso: Application Popup&nbsp;<br>
Categoría del suceso: Ninguno&nbsp;<br>
Id. del suceso: 26&nbsp;<br>
Fecha: 26/05/2003&nbsp;<br>
Hora: 16:23:19&nbsp;<br>
Usuario: No disponible&nbsp;<br>
Equipo: XXXXX&nbsp;<br>
Descripción:&nbsp;<br>
Aplicación emergente: TCPIP: twgipc.exe - Error de aplicación : La instrucción en "0x5dc674eb" hace referencia a la memoria en "0x01060000". La memoria no se puede "written".&nbsp;<br>
<br>
Haga clic en Aceptar para finalizar este programa&nbsp;<br>
Haga clic en CANCELAR para depurar el programa&nbsp;<br>
************************************** </p>
<p><font face="Arial">After the service crashes, the UMS service must be
restarted to get the agent running again.</font></p>
<p><font face="Arial"><b>Solution:</b> I don't know of any solution.</font></p>
<p><font face="Arial"><b>Note:</b> I have had no answer from IBM. I don't know if
they've sent my email to the trash or if they are working on it. So I've decided
to post the vulnerability. If someone with greater skills wants to take a look,
contact me so I have more information regarding this vulnerability.</font></p>
<p><font face="Arial"><b>E-mail:</b> jmmerino[at]jazzfree.com</font></p>
<p>----------------------------------------------------------------<br>
<font face="Arial">Juanma Merino<br>
<a href="http://t3k.ibernet.com">http://t3k.ibernet.com</a> <br>
-----------------------------------------------------------------------------</font></p>
<p>&nbsp;</p>
<p>&nbsp;</p>

</body>

</html>
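
A defender-side check for the two event-log signatures shown in the advisory, as an added example that is not part of the original advisory: it parses a text export in the layout above and flags the TWGIPC service error and the Application Popup access violation in twgipc.exe. The function names and the trimmed sample dump are constructed for illustration.

```python
import re

# Field labels as in the advisory's Spanish-locale dump; FAULT_RE is locale-independent.
SOURCE, EVENT_ID, DATE, TIME, DESC = "Origen del suceso", "Id. del suceso", "Fecha", "Hora", "Descripción"
FAULT_RE = re.compile(r'twgipc\.exe.*?"(0x[0-9a-f]+)".*?"(0x[0-9a-f]+)"', re.I | re.S)

def parse_events(dump):
    """Split on asterisk separator lines; return one {label: value} dict per record."""
    events = []
    for chunk in re.split(r"^\*{10,}[ \t]*$", dump, flags=re.M):
        rec, in_desc = {}, False
        for line in chunk.strip().splitlines():
            key, sep, value = line.partition(":")
            if in_desc:  # every line after the description label belongs to it
                rec[DESC] = (rec[DESC] + " " + line.strip()).strip()
            elif sep:
                rec[key.strip()] = value.strip()
                in_desc = key.strip() == DESC
        events.append(rec)
    return [ev for ev in events if ev]  # drop empty chunks around separators

def twgipc_crashes(events):
    """Flag the two event signatures the advisory records around the agent crash."""
    findings = []
    for ev in events:
        desc, when = ev.get(DESC, ""), f"{ev.get(DATE, '?')} {ev.get(TIME, '?')}"
        fault = FAULT_RE.search(desc)
        if ev.get(SOURCE) == "Application Popup" and ev.get(EVENT_ID) == "26" and fault:
            findings.append((when, "access-violation", fault.group(1), fault.group(2)))
        elif ev.get(SOURCE) == "TWGIPC" and "SetServiceStatus" in desc:
            findings.append((when, "service-status-error", None, None))
    return findings

# Constructed sample: the advisory's two events, trimmed to the fields used here.
SAMPLE = """\
Origen del suceso: TWGIPC
Fecha: 23/05/2003
Hora: 14:44:08
Descripción:
Error TWGIPC: 6; SetServiceStatus(dwCurrentState=1, dwWin32ExitCode=0, dwCheckPoint=0).
*************************************
Origen del suceso: Application Popup
Id. del suceso: 26
Fecha: 26/05/2003
Hora: 16:23:19
Descripción:
Aplicación emergente: TCPIP: twgipc.exe - Error de aplicación : La instrucción en "0x5dc674eb" hace referencia a la memoria en "0x01060000"."""

if __name__ == "__main__":
    print(twgipc_crashes(parse_events(SAMPLE)))
```

Because the access-violation match keys on the module name and the two quoted hex addresses rather than on the Spanish wording, the same check applies to the description text on other Windows locales; the field labels would need adjusting.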