Author: Auriemma Luigi

PRODUCT: CheckBO, www.checkbo.com
OPERATING SYSTEM: ONLY Win9x

INTRODUCTION:

CheckBO is a program that listens on some trojan virus ports (such as 12345, 20034, ...) and alerts the user when someone scans for virus servers. It is a very old program (the last version is 1.56, of December 1999), but I have seen that there are a lot of people who use it for "protecting themselves".

Finding out whether a host has CheckBO active is very simple: when someone connects to one of the listening ports, CheckBO tries to connect to some ports of the attacker (12345, 514, ...) to gather information, so the attacker can watch for the CheckBO SYN packets on his firewall.

CheckBO has only an online log (which can be activated only with authorization), visible on the web site; it does not keep log files on the machine.

BUG:

CheckBO, when running on Win9x (NOT NT/2k), is vulnerable to a "flood" of characters on its TCP ports (only the TCP ports are vulnerable, so the attacker CAN'T spoof his connection); the number of characters must be >= 80000. After some CheckBO alert windows that inform the victim about the attacker's connection, the victim will receive this Windows alert window:

---
Application Error
Exception ElInvalidOperation in module CHECKBO.EXE at 00026450.
Text exceeds memo capacity.
---

When the victim closes this window, CheckBO kills itself.

HOW TO REPRODUCE:

Some examples:

1) perl -e ' for ($i=1;$i<80000;$i++) { print "A"; } ' | nc <host> <port>
2) nc <host> <port> < 80Kbfile.txt

CheckBO listens on these vulnerable TCP ports: 54320, 20034, 12345, 12346, 31337, 31666, 1243, 6713.

FIX:

Nothing
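How a port-listening alert tool can avoid this failure, as an added example (not code from the advisory or from CheckBO): it assumes the crash comes from appending received data to a fixed-capacity text control, as the "Text exceeds memo capacity" message suggests. The names AlertLog, read_probe and handle_probe and both size limits are hypothetical.

```python
import socket
from collections import deque

MAX_PER_CONN = 4096    # assumed cap on bytes kept from a single probe
MAX_LOG_BYTES = 32768  # assumed cap on the whole alert buffer


class AlertLog:
    """Bounded alert buffer: the oldest entries are evicted, never overflowed."""

    def __init__(self, limit=MAX_LOG_BYTES):
        self.limit = limit
        self.size = 0
        self.entries = deque()

    def append(self, text):
        text = text[: self.limit]          # one entry can never exceed the buffer
        self.entries.append(text)
        self.size += len(text)
        while self.size > self.limit:      # evict oldest until back under the cap
            self.size -= len(self.entries.popleft())


def read_probe(conn, cap=MAX_PER_CONN, timeout=2.0):
    """Keep at most `cap` bytes of a probe; count and discard everything else."""
    conn.settimeout(timeout)
    kept, total = bytearray(), 0
    try:
        while True:
            chunk = conn.recv(4096)
            if not chunk:                  # peer closed the connection
                break
            total += len(chunk)
            kept += chunk[: cap - len(kept)]
    except socket.timeout:                 # slow or stalled peer: stop reading
        pass
    return bytes(kept), total


def handle_probe(conn, peer, log):
    """Record one probe as a single short log line, whatever its size."""
    data, total = read_probe(conn)
    preview = data[:64].decode("latin-1").encode("unicode_escape").decode("ascii")
    log.append(f"{peer}: {total} bytes received, first bytes: {preview}")
    return total
```

A production listener would also stop reading after a byte or time budget rather than draining the peer until it closes; here the drain is kept so the log can report the true size of the flood.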
This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 00:47:59 PDT