Re: NOBO denial of service

From: Flavio Veloso (flaviovsat_private)
Date: Tue Feb 09 1999 - 10:59:44 PST


    On Thu, 4 Feb 1999, Andrew J. Gavin wrote:
    
    > As reported by i-kranat_private approximately a week ago, nobo (a back
    > orifice scanning detector) has a buffer overflow problem that will crash
    > the program remotely.  Sending a UDP packet (larger than 1024 bytes) will
    > give the error:
    >
    > A network error has ocurred: Message too long (10040-92)
    >
    > Sending 15 of these packets (the minimum required) will crash nobo (stack
    > fault in kernel32.dll), with NOTHING recorded to the log file or to the
    > screen.
    	(...)
    
    Although this doesn't look like a buffer overflow (it is not a buffer
    overflow in NOBO code), it's really a DoS. NOBO uses "async select" to
    know when data is waiting to be read in its socket. For those people
    who don't know how this feature works, Windows sends an ordinary
    window message to NOBO whenever its socket has data to be read.
    
    The problem seems to be that NOBO isn't dealing with the packet fast
    enough and, as messages are being delivered (directly to the message
    proc instead of being posted to the message queue), Windows can't keep
    up with its call stack and segfaults.
    
    Anyway, a new version of NOBO (1.3) was released to handle this issue,
    the fact it wasn't logging the IP address of big packets received,
    plus flood detection along with other features. NOBO can be retrieved
    from its site at http://web.cip.com.br/nobo/.
    
    --
    Flavio
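
An added example, not NOBO's source and not part of the original message: a UDP receive path in C that detects datagrams larger than its 1024-byte buffer, logs the sender's address, and applies per-source flood detection, the behaviours the message attributes to NOBO 1.3. It assumes POSIX `recvmsg` with `MSG_TRUNC` in place of Winsock (where the same condition surfaces as error 10040, WSAEMSGSIZE); the names `classify` and `read_one`, the table size and the window length are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <time.h>

#define MAX_DGRAM   1024  /* buffer size; larger datagrams are the ones reported */
#define FLOOD_LIMIT 15    /* constructed threshold: packets per source per window */
#define FLOOD_WIN   10    /* constructed window length in seconds */
#define SLOTS       64    /* one entry per hash bucket; a colliding source evicts */

enum verdict { PKT_OK, PKT_OVERSIZE, PKT_FLOOD_START, PKT_FLOOD };

struct src { in_addr_t ip; time_t start; unsigned n; };
static struct src table[SLOTS];

/* Pure policy: classify one datagram by source, truncation flag and arrival
   time. PKT_FLOOD_START is returned once per window so the log is not flooded. */
enum verdict classify(in_addr_t ip, int truncated, time_t now)
{
    struct src *s = &table[ntohl(ip) % SLOTS];
    if (s->ip != ip || now - s->start >= FLOOD_WIN) {
        s->ip = ip; s->start = now; s->n = 0;      /* new source or new window */
    }
    s->n++;
    if (s->n == FLOOD_LIMIT) return PKT_FLOOD_START;
    if (s->n > FLOOD_LIMIT)  return PKT_FLOOD;     /* drop without logging */
    return truncated ? PKT_OVERSIZE : PKT_OK;
}

/* Read one datagram without blocking and log the sender even when it is too
   big. Returns -1 when the socket is empty or failed, so a caller can drain. */
int read_one(int fd, time_t now)
{
    char buf[MAX_DGRAM], ip[INET_ADDRSTRLEN];
    struct sockaddr_in from;
    struct iovec iov = { buf, sizeof buf };
    struct msghdr m = { 0 };
    m.msg_name = &from; m.msg_namelen = sizeof from;
    m.msg_iov = &iov;   m.msg_iovlen = 1;
    if (recvmsg(fd, &m, MSG_DONTWAIT) < 0) return -1;
    enum verdict v = classify(from.sin_addr.s_addr, m.msg_flags & MSG_TRUNC, now);
    inet_ntop(AF_INET, &from.sin_addr, ip, sizeof ip);
    if (v == PKT_OVERSIZE || v == PKT_FLOOD_START)
        fprintf(stderr, "%s from %s\n",
                v == PKT_OVERSIZE ? "oversize datagram" : "flood", ip);
    return v;
}
```

Calling `read_one` in a loop until it returns -1 empties the socket on each readiness notification, so the handler does one bounded pass per notification.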
    


