[Plugins-writers] Bug in plugin 11673 (Remote PC Access Server Detection)

From: Hubert Seiwert (hubert@private)
Date: Mon May 23 2005 - 08:28:04 PDT


this plugin returned a false positive on port 143, misidentifying the 
Exchange IMAP service as Remote PC.
Looking at the source there is an apparent bug:

send(socket:soc, data:raw_string(0x28, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00));
    r = recv(socket:soc, length:57);
    if(strlen(r) == 57 && ord(r[0]) == 0x2A) 

The r buffer is limited to 57 characters, and the following test checks 
whether it's 57 characters long.
This means that any response which starts with a * (hex 2A) and is at 
least 57 characters long will trigger the plugin
("* OK Microsoft Exchange 2000 IMAP4rev1 server version 6.0 version 
6.0.6603.0 (xxx) ready" in this case).

I've attached a "fixed" version which increases the recv buffer length 
to 8k.
I presume this would still identify a real Remote PC server, while 
reducing false positives.
A longer signature would be ideal, but we don't have a copy of Remote PC 
available to test.


Hubert Seiwert

Internet Security Specialist, Westpoint Ltd
Albion Wharf, 19 Albion Street, Manchester M1 5LN, United Kingdom

Web: www.westpoint.ltd.uk
Tel: +44-161-2371028

Plugins-writers mailing list

This archive was generated by hypermail 2.1.3 : Mon May 23 2005 - 08:28:57 PDT