#######################################################################

                             Luigi Auriemma

Application:  Zilab Remote Console Server
              http://www.zilab.com
Versions:     <= 3.2.9
Platforms:    Windows
              (note that the effect may not be reproducible on Windows
              Server, since it depends on how errors are handled)
Bug:          Denial of Service
Exploitation: remote
Date:         21 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"Zilab Remote Console Server is a highly developed remote access server
for Windows XP/2000/NT with an advanced set of features."

#######################################################################

======
2) Bug
======

The server starts a new instance of zrca.exe for each new client
connection.

This sub-process can be easily crashed by sending a packet whose
specified size is smaller than the protocol's header (6 bytes). The
crashed process remains active until the admin acknowledges the error
message shown on the screen.

After about 80 such semi-dead processes the server is no longer able to
handle new clients.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/zilabzrcsdos.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################
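The advisory lists no fix. The following C example is added here and is not code from the advisory or from Zilab: it shows a receive-side check that guards against the condition described in section 2 by rejecting a declared size smaller than the 6-byte header before that size is used. The header layout, MAX_FRAME and every function name are assumptions; the advisory states only the header length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN   6u        /* header size stated in the advisory */
#define MAX_FRAME 65536u    /* assumed upper bound, not from the advisory */

enum frame_status { FRAME_OK, FRAME_NEED_MORE, FRAME_REJECT };

/* Hypothetical layout: bytes 0-3 = little-endian total frame size
 * (header included), bytes 4-5 = message type. */
static uint32_t declared_size(const uint8_t *b)
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Validate the declared size before any arithmetic or allocation uses it.
 * On FRAME_OK, *payload_len holds the number of bytes after the header. */
enum frame_status check_frame(const uint8_t *buf, size_t have, size_t *payload_len)
{
    if (have < HDR_LEN)
        return FRAME_NEED_MORE;        /* header not fully received yet */

    uint32_t total = declared_size(buf);
    if (total < HDR_LEN || total > MAX_FRAME)
        return FRAME_REJECT;           /* close the connection and exit quietly,
                                          never block on an error dialog */
    if (have < total)
        return FRAME_NEED_MORE;        /* wait for the rest of the payload */

    *payload_len = total - HDR_LEN;    /* cannot wrap: total >= HDR_LEN */
    return FRAME_OK;
}

int main(void)
{
    /* Constructed sample frames, not captured traffic. */
    const uint8_t undersized[6] = { 2, 0, 0, 0, 1, 0 };
    const uint8_t valid[8]      = { 8, 0, 0, 0, 1, 0, 'h', 'i' };
    size_t n = 0;

    enum frame_status s1 = check_frame(undersized, sizeof undersized, &n);
    printf("undersized: %s\n", s1 == FRAME_REJECT ? "rejected" : "accepted");
    enum frame_status s2 = check_frame(valid, sizeof valid, &n);
    printf("valid:      %s, payload %zu bytes\n", s2 == FRAME_OK ? "ok" : "not ok", n);
    return 0;
}
```

Because each client gets its own process, the reject path matters as much as the check: a worker that exits cleanly on FRAME_REJECT cannot accumulate as one of the semi-dead processes the advisory describes.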