lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080310224454.87d10848.aluigi@autistici.org>
Date: Mon, 10 Mar 2008 22:44:54 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, news@...uriteam.com,
	full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: NULL pointer in Remotely Anywhere 8.0.668


#######################################################################

                             Luigi Auriemma

Application:  Remotely Anywhere Server and Workstation
              http://www.remotelyanywhere.com
Versions:     <= 8.0.668
Platforms:    Windows
Bug:          NULL pointer
Exploitation: remote
Date:         08 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Remotely Anywhere is a well known remote administration software.


#######################################################################

======
2) Bug
======


The RemotelyAnywhere.exe process (port 2000) can be easily crashed
through a HTTP request with an invalid Accept-Charset parameter which
leads to a NULL pointer.

The process will be restarted automatically within less than one minute
by the management service so an attacker needs to send the malformed
request at regular intervals for keeping the server down as much as he
desires.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/remotelynowhere.txt

  stunnel http_to_https.conf
  nc 127.0.0.1 80 -v -v < remotelynowhere.txt


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ