#######################################################################

                             Luigi Auriemma

Application:  Pragma TelnetServer
              http://www.pragmasys.com/PragmaTelnetServer.asp
Versions:     <= 7.0 Build 4 Revision 589
Platforms:    Windows
Bug:          Denial of Service
Exploitation: remote
Date:         02 Jan 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Pragma TelnetServer is a commercial telnet server for Windows.


#######################################################################

======
2) Bug
======


The telnetd.exe process, which is started for each incoming connection,
is affected by a NULL pointer vulnerability during the handling of the
TELOPT PRAGMA LOGON telnet option (number 138).

Although the termination of a single process doesn't affect the others,
the access to the server can be denied through the termination of at
least 75 of these processes, after that the server will be unreachable
(all the current SSH connections established before the last exception
will remain up).

This bad effect will finish gradually when the admin click on the error
messages but naturally the attacker can continue the attack keeping the
server ever unreacheable.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/pragmatel.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################