CheckBO Win9x memo overflow

From: Auriemma Luigi (kaino3at_private)
Date: Thu Apr 19 2001 - 15:32:50 PDT


    Author:         Auriemma Luigi
    
    PRODUCT:                CheckBO, www.checkbo.com
    OPERATING SYSTEM:       ONLY Win9x
    
    INTRODUCTION:
    CheckBO is a program that goes into listening mode on some trojan/virus ports
    (like 12345, 20034, ...) and alerts the user when someone scans for virus
    servers. It is a very old program (the last version is 1.56 of December
    1999), but I have seen that there are a lot of people who use it for
    "protecting themselves".
    Knowing whether a host has CheckBO active is very simple, because if someone
    tries to connect to the listening ports, CheckBO tries to connect to some
    ports of the attacker (12345, 514, ...) to gather information; because of
    this, the attacker can watch for the CheckBO SYN packets on his firewall.
    CheckBO has only an online log (activatable only with authorization), visible
    on the web site, but it does not allow log files on the machine.
    
    BUG:
    CheckBO, when running on Win9x (NOT NT/2k), is vulnerable to a "flooding" of
    characters on its TCP ports (only the TCP ports are vulnerable, so the
    attacker CAN'T spoof his connection); the number of characters must be
    >= 80000.
    After some CheckBO alert windows that inform the victim about the attacker's
    connection, the victim will receive this Windows alert window:
    ---
    Application Error
    Exception ElInvalidOperation in module CHECKBO.EXE at 00026450.
    Text exceeds memo capacity.
    ---
    And when the victim closes this window, CheckBO kills itself.
    
    HOW TO REPRODUCE:
    Some examples:
    1) perl -e ' for ($i=1;$i<80000;$i++) { print "A"; } ' | nc <host> <port>
    2) nc <host> <port> < 80Kbfile.txt
    CheckBO listens on these vulnerable TCP ports: 54320, 20034, 12345, 12346,
    31337, 31666, 1243, 6713.
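    The crash above is triggered purely by payload size on a fixed set of ports, so it
    is easy to spot from the defender's side. The following is an added example (not
    part of the advisory) that scans constructed flow records of the assumed form
    "src_ip dst_ip dst_port bytes_in" and flags connections to CheckBO's listening
    ports that reach the 80000-byte threshold the advisory gives.

```python
"""Flag TCP flows that could trigger the CheckBO Win9x memo overflow.

Added example, not CheckBO's own code. Input records are constructed and use
an assumed layout: "src_ip dst_ip dst_port bytes_in", one flow per line.
"""
from dataclasses import dataclass

# The TCP ports the advisory lists CheckBO as listening on.
CHECKBO_PORTS = {54320, 20034, 12345, 12346, 31337, 31666, 1243, 6713}
# Payload size the advisory gives as the crash trigger (>= 80000 characters).
FLOOD_THRESHOLD = 80_000

@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    port: int
    nbytes: int

def parse_flow(line):
    """Parse one flow record; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, port, nbytes = parts
    try:
        return src, dst, int(port), int(nbytes)
    except ValueError:
        return None

def find_floods(lines, ports=CHECKBO_PORTS, threshold=FLOOD_THRESHOLD):
    """Return an Alert for every flow to a CheckBO port whose inbound byte
    count reaches the threshold; malformed records are skipped."""
    alerts = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, port, nbytes = rec
        if port in ports and nbytes >= threshold:
            alerts.append(Alert(src, dst, port, nbytes))
    return alerts

# Constructed sample records: ordinary probe traffic plus one 80 KB flood.
SAMPLE_FLOWS = [
    "10.0.0.7 192.168.1.20 12345 42",      # normal trojan-port scan probe
    "10.0.0.7 192.168.1.20 80 120000",     # large transfer, not a CheckBO port
    "10.0.0.9 192.168.1.20 31337 80000",   # exactly at the threshold: flagged
    "garbage line",                        # malformed, ignored
]

if __name__ == "__main__":
    for a in find_floods(SAMPLE_FLOWS):
        print(f"possible CheckBO flood: {a.src} -> {a.dst}:{a.port} ({a.nbytes} bytes)")
```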
    
    
    FIX:
    Nothing
    



    This archive was generated by hypermail 2b30 : Fri Apr 20 2001 - 00:47:59 PDT