#######################################################################

                             Luigi Auriemma

Application:  Pragma TelnetServer
              http://www.pragmasys.com/PragmaTelnetServer.asp
Versions:     <= 7.0 Build 4 Revision 589
Platforms:    Windows
Bug:          Denial of Service
Exploitation: remote
Date:         02 Jan 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Pragma TelnetServer is a commercial telnet server for Windows.

#######################################################################

======
2) Bug
======

The telnetd.exe process, which is started for each incoming connection,
is affected by a NULL pointer vulnerability during the handling of the
TELOPT PRAGMA LOGON telnet option (number 138).

Although the termination of a single process doesn't affect the others,
access to the server can be denied by terminating at least 75 of these
processes, after which the server will be unreachable (all the current
SSH connections established before the last exception will remain up).

This effect ends gradually as the admin clicks on the error messages,
but naturally the attacker can continue the attack, keeping the server
permanently unreachable.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/pragmatel.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################
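
Added example, not part of the original advisory or its proof of concept: since no fix is listed, one mitigation is to flag client traffic that negotiates option 138 before it reaches telnetd.exe. The function names and the sample capture are constructed for illustration, and because the advisory does not say which telnet command carries the option, any negotiation naming it is reported.

```python
# Added example: find telnet option negotiations that name option 138.
IAC, SB, SE = 255, 250, 240
NEGOTIATE = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
PRAGMA_LOGON = 138  # option number given in the advisory


def telnet_options(stream: bytes):
    """Yield (offset, command, option) for every option negotiation in a
    client-to-server telnet byte stream (RFC 854/855 framing)."""
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            i += 1
            continue
        if i + 1 >= n:                 # capture ends inside a command
            break
        cmd = stream[i + 1]
        if cmd == IAC:                 # IAC IAC is an escaped 0xFF data byte
            i += 2
        elif cmd in NEGOTIATE or cmd == SB:
            if i + 2 >= n:             # option byte missing
                break
            yield i, NEGOTIATE.get(cmd, "SB"), stream[i + 2]
            i += 3
            if cmd == SB:              # skip the payload up to IAC SE
                while i + 1 < n and not (stream[i] == IAC and stream[i + 1] == SE):
                    i += 2 if stream[i] == IAC else 1
                i += 2
        else:
            i += 2                     # other two-byte command (NOP, GA, ...)


def pragma_logon_hits(stream: bytes):
    """Return (offset, command) for each negotiation of option 138."""
    return [(off, cmd) for off, cmd, opt in telnet_options(stream)
            if opt == PRAGMA_LOGON]


# Constructed sample capture: WILL 24, DO 138, plain data, a subnegotiation
# for option 24 with an escaped 0xFF, then an escaped 0xFF followed by 0x8A.
SAMPLE = (bytes([255, 251, 24, 255, 253, 138]) + b"login\r\n"
          + bytes([255, 250, 24, 0, 255, 255, 65, 255, 240])
          + bytes([255, 255, 138]))

if __name__ == "__main__":
    for offset, command in pragma_logon_hits(SAMPLE):
        print(f"option {PRAGMA_LOGON} negotiated via {command} at offset {offset}")
```

The trailing 0x8A in the sample is data after an escaped 0xFF, so it is not reported; a naive byte search for 0xFF followed by 0x8A would flag it.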