[9367] in bugtraq
NOBO denial of service
daemon@ATHENA.MIT.EDU (Andrew J. Gavin)
Fri Feb 5 05:17:25 1999
Date: Thu, 4 Feb 1999 16:52:00 -0500
Reply-To: "Andrew J. Gavin" <gavina@RIVER.IT.GVSU.EDU>
From: "Andrew J. Gavin" <gavina@RIVER.IT.GVSU.EDU>
To: BUGTRAQ@NETSPACE.ORG
As reported by i-kran@USA.NET approximately a week ago, nobo (a back
orifice scanning detector) has a buffer overflow problem that will crash
the program remotely. Sending a UDP packet (larger than 1024 bytes) will
give the error:
A network error has ocurred: Message too long (10040-92)
Sending 15 of these packets (the minimum required) will crash nobo (stack
fault in kernel32.dll), with NOTHING recorded to the log file or to the
screen.
I tested this against nobo 1.2 from both Windows 98 and linux, giving the
same results. Using 'assault' (included with the mIRC script "7th
sphere", I believe) in Windows, for example, I was able to send 15 UDP
packets at 1025 bytes in size, crashing my nobo. In linux, I was able to
crash my nobo by echoing a string 1025 characters in length, piping it
through nc (with the -u flag), and repeating 14 more times.
I'm sure some nice scripts could be written to do this to a class C
subnet. The only drawback to this is that it would be rather
bandwidth-intensive (15 x 1025 bytes x 255).
----------
gavina@river.it.gvsu.edu
k3nny or ChazeFroy on Efnet IRC
