SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Check B. O. Vendors:   Checkbo.com
The Check B. O. Scan Monitoring Utility Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1001376
SecurityTracker URL:  http://securitytracker.com/id/1001376
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 20 2001
Impact:   Denial of service via network
Exploit Included:  Yes  

Description:   A vulnerability has been reported in the Check B.O. monitoring utility that permits remote users to cause the application to crash.

Check B.O. is used to listen on selected trojan virus port numbers (e.g., 12345, 20034, ...) and alert the user when a scan is detected.

Check B.O. on Windows 9x platforms (not on NT or Windows 2000) can be crashed by remote users sending a "flooding" of >= 80000 characters to its TCP ports. This event will generate the following type of alert before shutting down the application:

Application Error
Exception ElInvalidOperation in module CHECKBO.EXE at 00026450.
Text exceeds memo capacity.

Some demonstration exploit commands:

1) perl -e ' for ($i=1;$i<80000;$i++) { print "A"; } ' | nc <host> <port>

2) nc <host> <port> 80Kbfile.txt

The author notes that CheckBO listens on the following TCP ports: 54320, 20034, 12345, 12346, 31337, 31666, 1243, 6713.

Impact:   A remote user can cause the product to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.checkbo.com/eng/index2.asp (Links to External Site)
Cause:   Resource error
Underlying OS:  Windows (95), Windows (98)

Message History:   None.


 Source Message Contents

Subject:  CheckBO Win9x memo overflow


Author:         Auriemma Luigi

PRODUCT:                CheckBO, www.checkbo.com
OPERATIVE SYSTEM:       ONLY Win9x

INTRODUCTION:
CheckBO is a program that go in listening mode on some trojan virus ports
(like 12345, 20034, ...) and alert the user when someone do scanning for
searching virus servers. It is a very old program (last version is 1.56 of
Dicember 1999) but I have seen that there are a lot of people that use it
for "protecting them".
Knowing if an host have CheckBO activated is very simple, because if
someone want to connect to the ports in listening, CheckBO try to connect
to some ports of the attacker (12345, 514, ...) for take informations, for
this the attacker can control on his firewall the CheckBO SYN packets.
CheckBO have only an online log (activable only with the authorization)
visible on the web site, but it don't allow logs files on the machine.

BUG:
CheckBO when running on Win9x (NOT NT/2k) is vulnerable at a "flooding" of
chars on its TCP ports (only the tcp ports are vulnerable, for this the
attacker CAN'T spoof his connection); the number of chars must be >= 80000
chars.
After some CheckBO's alert windows that inform the victim about the
attacker connection, he will receive this Windows's alert window:
---
Application Error
Exception ElInvalidOperation in module CHECKBO.EXE at 00026450.
Text exceeds memo capacity.
---
And when the victim close this window, CheckBO kill itself.

HOW TO REPRODUCE:
Some examples:
1) perl -e ' for ($i=1;$i<80000;$i++) { print "A"; } ' | nc <host> <port>
2) nc <host> <port> 80Kbfile.txt
CheckBO listen on these vulnerable TCP ports: 54320, 20034, 12345, 12346,
31337, 31666, 1243, 6713.


FIX:
Nothing

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC