Date: Fri, 28 May 1999 12:02:15 -0700
From: Chris Radigan <radigac@CERF.NET>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: DoS against PC Anywhere


Hello all,
This is my first post to the group so I'll try to keep it as brief as
possible.  Searching through the bugtraq archives, I came across articles
001732, 001734, 001737, and 001739 regarding PC Anywhere.  So, I fired up my
telnet client, pointed it at port 5631 on a non-production host, and pasted
about 512kb of garbage (I copied & pasted a dll I opened in notepad) into it
when PC Anywhere responded with "Please press <Enter>".  About 200k through
this dump, PC Anywhere hangs, utilizing 100% of the CPU, rendering the
target host useless but not crashing it. There's your DoS.

I ran this attack over TCP/IP against a couple of fully patched NT 4.0
Workstations (SP4), and a couple of fully patched NT 4.0 Servers (SP4), with
802up_a, 802up_b, and hostup_b applied to PC Anywhere. RAS was not installed
on any of the hosts. I got the same results on all machines.

I got in touch with Symantec development and found out that they do have a
fix for this problem, it's a patched aw32tcp.dll, it just hasn't made it to
their website yet.  I have applied this fix to several machines (all with
the aforementioned PC Anywhere patches applied) and it does indeed fix the
problem.

Hope this info will help.  Thanks for your time.

Chris

-----------------------------------------------------------------------------

Date: Mon, 31 May 1999 22:24:50 +0200
From: MrJay@GMX.NET
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: DoS against PC Anywhere

Hello TRAQers,

this is my second list-posting attempt, so please bear with me. Flames will be sent to /dev/nul anyways ;)

Concerning PC Anywhere 32 v8.0x, I tried the following attacks:

NT 4.0 Workstation (SP4) vs. NT 4.0 Workstation (SP4)
and
Win 98 (no patches, from what I was told) vs same NT 4.0 Workstation (SP4)

All NT 4.0 running PC Anywhere 32 8.0 patched with formerly mentioned Updates except the aw32tcp.dll, which wasn't available to
me. Major difference between Chris' and this version: I tested against the German version of PC Anywhere 32. RAS installed, no
fancy firewalls, no 'special' security implemented.

Not surprisingly the German Version of PC Anywhere didn't react much differently. It hung when I posted those ~500KB of trash from
the NT 4.0 attacker machine to Port 5631 of the PC Anywhere Host. Result: 100% CPU load, further connections blocked though the
Host machine itself still worked fine and was able to terminate the aw32host service by simply re-starting the Host mode in PC
Anywhere.

The more interesting one was the Win98 attack. Same procedure, different result. After pasting those 500KB the Server jumps to
100% load for some seconds while working through the trash then it drops back to normal with the attacker's Telnet session again
prompting for pressing the 'Enter' key. To make it short, a permanent DoS failed with a Win98 attacker's machine though
generating quite some load to the host's 486 CPU ;-) Pheww...because this keeps us safe from about 99% of all attacks ;)
Further difference: After pressing 'Enter' (unlike in the NT4.0 attack, where you lose connection) you are prompted for a
Username and password.... Could this be due to different possible Host Type options in Telnet (VT 52 on the Win98 vs. VT 100 on
NT 4.0)? In this case, could this also be the reason for the different reaction to the attack? Comments?

In case this one gets through, thank you for your time.

Jay.

P.S.: Does anyone know about the release date of the German NT 4.0 Service Pack 5? I couldn't get information on that via the
German or U.S. Web-Site.

-----------------------------------------------------------------------------

Date: Mon, 31 May 1999 13:34:34 +0200
From: Craig Hind <hindc@icon.co.za>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: DoS against PC Anywhere

Hi,

I managed to replicate this and checked Symantec's FTP site. There is a new
aw32tcp.dll there dated May 26, 1999. I got it and patched one of my
machines and it seems to work, although the description of the file on
ftp.symantec.com/public/english_us_canada/products/pcanywhere/pcanywhere32/ver8.0/updates
does not mention a denial of service.

Regards
Craig


