Message-ID: <20030714133719.271ce174.noreply@sec-labs.hack.pl>
From: noreply at sec-labs.hack.pl (sec-labs team)
Subject: [sec-labs] Remote Denial of Service vulnerability in NeoModus Direct Connect 1.0 build 9


     sec-labs team proudly presents:

     Remote DoS vulnerability in NeoModus Direct Connect 1.0 build 9
     and probably newer versions.
     by Lord YuP
     13/07/2003



   I. BACKGROUND

     Direct Connect is a Windows p2p file-sharing program (I've also
     found a Linux version, but I don't have time to test it), quite
     common nowadays.


   II. DESCRIPTION


     According to aDe's notes, the DC client-to-client handshake looks like:

     	Client <-> Client Communication in DC. 11-05-2002. By aDe 
	---------------------------------------------------------- 

	ACTIVE FILE DOWNLOAD 
	---------------------- 
	D = downloader 
	U = uploader 
	H = hub 

	D>H: $ConnectToMe <U's username> <D's IP and port>|
	H>U: $ConnectToMe <U's username> <D's IP and port>|

	...bla bla ... ;)


     As you can guess, after receiving a "$ConnectToMe ..." command from
     the hub, the Direct Connect client tries to connect to whatever
     IP and port the downloader put in the command. The client does not
     check who asked, nor how many such connections it already has open.

     The attacker (an evil downloader) can therefore send an unlimited
     number of $ConnectToMe requests to the hub, each carrying an
     arbitrary ip:port of his choice, and every one of them makes the
     victim's client open another socket, causing a DoS in the victim's
     client.

     A little example:

     Attacker: for (;;) { dc_send("$ConnectToMe victim www.microsoft.com:%d",sample_port++); }

     Client (output of "netstat -a" while the flood is running):
     

	  TCP    jin:1993               JIN:0                  LISTENING
	  TCP    jin:1995               JIN:0                  LISTENING
	  TCP    jin:1996               JIN:0                  LISTENING
	  TCP    jin:2005               JIN:0                  LISTENING
	  TCP    jin:2006               JIN:0                  LISTENING
	  TCP    jin:2007               JIN:0                  LISTENING
	  TCP    jin:2008               JIN:0                  LISTENING
	  TCP    jin:2009               JIN:0                  LISTENING
	  TCP    jin:2010               JIN:0                  LISTENING
	  TCP    jin:2011               JIN:0                  LISTENING
	  TCP    jin:2012               JIN:0                  LISTENING
	  TCP    jin:2013               JIN:0                  LISTENING
	  TCP    jin:2014               JIN:0                  LISTENING
	  TCP    jin:2015               JIN:0                  LISTENING
	  TCP    jin:2016               JIN:0                  LISTENING
	  TCP    jin:2017               JIN:0                  LISTENING
	  TCP    jin:2018               JIN:0                  LISTENING
	  TCP    jin:2019               JIN:0                  LISTENING
	  ...and so on...
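The exchange above, as an added example that is not part of the advisory and not NeoModus code: a parser for the $ConnectToMe command in the format aDe's notes give, the attacker loop that floods it with an incrementing port, a model of a client that opens a socket for every request it receives (the behaviour the netstat listing shows), and the same handler with the bounds a receiving client should apply before acting on a hub-relayed request. Everything here (the regex, the VulnerableClient/HardenedClient classes, the caps of 8 pending and 2 per host, the sample nick and host) is an assumption made for the example; the advisory only documents the command format and the observed socket growth.

```python
import re
from collections import Counter

# Command format quoted in the advisory from aDe's notes:
#   $ConnectToMe <uploader's nick> <downloader's ip>:<port>|
# The regex and everything below it are assumptions of this example.
CONNECT_TO_ME = re.compile(r"^\$ConnectToMe (\S+) ([^\s:|]+):(\d{1,5})\|$")


def build_connect_to_me(nick, host, port):
    """Serialise the command exactly as a downloader sends it to the hub."""
    return f"$ConnectToMe {nick} {host}:{port}|"


def parse_connect_to_me(cmd):
    """Return (nick, host, port) or None for a malformed command."""
    m = CONNECT_TO_ME.match(cmd)
    if m is None:
        return None
    port = int(m.group(3))
    if not 1 <= port <= 65535:
        return None
    return m.group(1), m.group(2), port


def flood_commands(victim_nick, host, first_port, count):
    """The attacker loop from the advisory: same host, incrementing port."""
    return [build_connect_to_me(victim_nick, host, first_port + i)
            for i in range(count)]


class VulnerableClient:
    """Models the behaviour the advisory reports: every well-formed request
    gets a new socket and nothing is ever refused, so the socket table grows
    with the number of commands received."""

    def __init__(self, my_nick):
        self.my_nick = my_nick
        self.pending = []  # one entry per socket opened and not yet closed

    def handle(self, cmd):
        parsed = parse_connect_to_me(cmd)
        if parsed is None:
            return False
        _, host, port = parsed
        self.pending.append((host, port))
        return True


class HardenedClient:
    """Same handler with the checks to apply before opening a socket on a
    hub-relayed request: the command must name our own nick, pending
    outbound connections are capped globally, and capped per target host so
    a single flooder cannot consume the whole budget."""

    def __init__(self, my_nick, max_pending=8, max_per_host=2):
        self.my_nick = my_nick
        self.max_pending = max_pending
        self.max_per_host = max_per_host
        self.pending = []
        self.per_host = Counter()
        self.dropped = 0

    def handle(self, cmd):
        parsed = parse_connect_to_me(cmd)
        if parsed is None:
            return False
        nick, host, port = parsed
        if (nick != self.my_nick
                or len(self.pending) >= self.max_pending
                or self.per_host[host] >= self.max_per_host):
            self.dropped += 1
            return False
        self.pending.append((host, port))
        self.per_host[host] += 1
        return True

    def finished(self, host, port):
        """Release the slot once the connection completed or timed out."""
        self.pending.remove((host, port))
        self.per_host[host] -= 1


def run_flood(client, commands):
    """Feed the commands to a client; return how many sockets it has open."""
    for cmd in commands:
        client.handle(cmd)
    return len(client.pending)


if __name__ == "__main__":
    # Constructed flood: 500 requests for one host, ports 1024 upwards.
    cmds = flood_commands("victim", "www.microsoft.com", 1024, 500)
    print("vulnerable client sockets:", run_flood(VulnerableClient("victim"), cmds))
    print("hardened client sockets:  ", run_flood(HardenedClient("victim"), cmds))
```

The per-host cap is what actually stops the advisory's loop, since every request there targets the same host; the global cap is the backstop against an attacker who rotates through many addresses, and the slot is only handed back in finished(), so a connect that never completes still counts against the budget until it times out.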


   III. IMPACT

     The attacked client may be DoS-ed: its internet connection can be
     reset or stopped, some clients flood the screen with "Out of Memory"
     message boxes, the system may stop working correctly, and the DC
     client may be terminated.



-- 
sec-labs team [http://sec-labs.hack.pl]

