[20023] in bugtraq
Re: def-2001-17: Navision Financials Server DoS
daemon@ATHENA.MIT.EDU (David Hayes)
Wed Apr 4 07:04:20 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Message-ID: <Pine.LNX.4.33.0104032113370.19238-100000@blkdia>
Date: Tue, 3 Apr 2001 21:51:04 -0600
Reply-To: David Hayes <david@BDEL.COM>
From: David Hayes <david@BDEL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <047e01c0bbfd$4a22d290$71002d0a@dk.defcomsec.com>
Content-Transfer-Encoding: 8bit
On Tue, 3 Apr 2001, Peter Gründl wrote:
>---------------------------=[Workaround]=-----------------------------
>Disallow access to TCP port 2407 from untrusted systems, and contact
>Navision-Damgaard Support to obtain the patch for this problem:
Another reason to limit access to port 2407 on your Navision servers:
the server limits connections to however many licensed sessions you own,
and a connection with no username/password counts against this limit.
Thus, a simple DoS involves merely firing up the Navision Financials
client numerous times, and doing FILE -> SERVER -> CONNECT ->
YourNavisionServer on each client instance. (Or, if your shortcut
specifies the name of the server in it, you merely have to accidentally
fire off this shortcut several times. This is what my users often do.)
This will quickly run you out licenses, and legitimate users will be
locked out with a 'no licenses available' message.
This DoS works (far too regularly... :-) on version 2.0 of the AIX
version of Navision Financials. This version is sorta old, and I don't
know if newer versions behave the same. And I don't have access to an
NT/2000 version, so I can't see what it does in this situation.
--david
