Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19407
HistoryMar 13, 2008 - 12:00 a.m.

NULL pointer in Remotely Anywhere 8.0.668

2008-03-1300:00:00
vulners.com
61

#######################################################################

                         Luigi Auriemma

Application: Remotely Anywhere Server and Workstation
http://www.remotelyanywhere.com
Versions: <= 8.0.668
Platforms: Windows
Bug: NULL pointer
Exploitation: remote
Date: 08 Mar 2008
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

Remotely Anywhere is a well known remote administration software.

#######################################################################

======
2) Bug

The RemotelyAnywhere.exe process (port 2000) can be easily crashed
through a HTTP request with an invalid Accept-Charset parameter which
leads to a NULL pointer.

The process will be restarted automatically within less than one minute
by the management service so an attacker needs to send the malformed
request at regular intervals for keeping the server down as much as he
desires.

#######################################################################

===========
3) The Code

http://aluigi.org/poc/remotelynowhere.txt

stunnel http_to_https.conf
nc 127.0.0.1 80 -v -v < remotelynowhere.txt

#######################################################################

======
4) Fix

No fix

#######################################################################


Luigi Auriemma
http://aluigi.org