Date: Fri, 28 May 1999 12:02:15 -0700 From: Chris Radigan <radigac@CERF.NET> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: DoS against PC Anywhere Hello all, This is my first post to the group so I'll try to keep it as brief as possible. Searching through the bugtraq archives, I came across articles 001732, 001734, 001737, and 001739 regarding PC Anywhere. So, I fired up my telnet client, pointed it at port 5631 on a non-production host, and pasted about 512kb of garbage (I copied & pasted a dll I opened in notepad) into it when PC Anywhere responded with "Please press <Enter>". About 200k through this dump, PC Anywhere hangs, utilizing 100% of the CPU, rendering the target host useless but not crashing it. There's your DoS. I ran this attack over TCP/IP against a couple of fully patched NT 4.0 Workstations (SP4), and a couple of fully patched NT 4.0 Servers (SP4), with 802up_a, 802up_b, and hostup_b applied to PC Anywhere, RAS was not installed on any of the hosts. I got the same results on all machines. I got in touch with Symantec development and found out that they do have a fix for this problem, it's a patched aw32tcp.dll, it just hasn't made it to their website yet. I have applied this fix to several machines (all with the afore mentioned PC Anywhere patches applied) and it does indeed fix the problem. Hope this info will help. Thanks for your time. Chris ----------------------------------------------------------------------------- Date: Mon, 31 May 1999 22:24:50 +0200 From: MrJay@GMX.NET To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: DoS against PC Anywhere Hello TRAQers, this is my second list-posting attempt, so please bear with me. Flames will be sent to /dev/nul anyways ;) Concerning PC Anywhere 32 v8.0x, I tried the following attacks: NT 4.0 Workstation (SP4) vs. NT 4.0 Workstation (SP4) and Win 98 (no patches, from what I was told) vs same NT 4.0 Workstation (SP4) All NT 4.0 running PC Anywhere 32 8.0 patched with formerly mentioned Updates except the aw32tcp.dll, which wasn't available to me. Major difference between Chris' and this version: I tested against the German version of PC Anywhere 32. RAS installed, no fancy firewalls, no 'special' security implemented. Not surprisingly the German Version of PC Anywhere didn't react much different. It hung when I posted those ~500KB of trash from the NT 4.0 attacker machine to Port 5631 of the PC Anywhere Host. Result: 100% CPU load, further connections blocked though the Host machine itsself still worked fine and was able to terminate the aw32host service by simply re-starting the Host mode in PC Anywhere. The more interesting one was the Win98 attack. Same procedure, different result. After pasting those 500KB the Server jumps to 100% load for some seconds while working through the trash then it drops back to normal with the attacker's Telnet session again prompting for pressing the 'Enter' key. To make it short, a permanent DoS failed with a Win98 attacker's machine though generating quite some load to the host's 486 CPU ;-) Pheww...because this keeps us safe from about 99% of all attacks ;) Further difference: After pressing 'Enter' (unlike in the NT4.0 attack, where you loose connection) you are prompted for a Username and password.... Could this be due to different possible Host Type options in Telnet (VT 52 on the Win98 vs. VT 100 on NT 4.0)? In this case, could this also be the reason for the different reaction to the attack? Comments? In case this one gets through, thank you for your time. Jay. P.S.: Does anyone know about the release date of the German NT 4.0 Service Pack 5? I couldn't get information on that via the German or U.S. Web-Site. ----------------------------------------------------------------------------- Date: Mon, 31 May 1999 13:34:34 +0200 From: Craig Hind <hindc@icon.co.za> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: DoS against PC Anywhere Hi, I managed to replicate this and checked Symantec's FTP site. There is a new aw32tcp.dll there dated May 26, 1999. I got it and patched one of my machines and it seems to work, although the description of the file on ftp.symantec.com/public/english_us_canada/products/pcanywhere/pcanywhere32/v er8.0/updates does not mention a denial of service. Regards Craig > -----Original Message----- > From: Chris Radigan [mailto:radigac@CERF.NET] > Sent: Friday, May 28, 1999 21:02 > To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM > Subject: DoS against PC Anywhere >