Computer Academic Underground
http://www.caughq.org
Security Advisory

===============/========================================================
Advisory ID:    CAU-1998-0001
Release Date:   2004.04.01
Title:          Cytlok - Local Network Segment Remote DoS
Application/OS: Cytlok for Windows 95 (http://www.cytlok.com)
Topic:          Cytlok can be used to hang various applications, on
                remote machines not using Cytlok.
Vendor Status:  Notified
Attributes:     Denial of Service
Advisory URL:   http://www.caughq.org/advisories/CAU-1998-0001.txt
Author/Email:   I)ruid (druid@caughq.org)
===============/========================================================

Problem
-------
Any machine on the local network can fall victim to an attack by
another machine on the local network that runs Cytlok. The result is
either a denial of service for the application making the request, or
increased system load on the victim machine for a short period of time.

Example
-------
Cytlok Machine: file://\\Druid\shared\target.txt
                Cytlok Permissioned target.txt as Non-Read.

Target Machine: Netscape: file://\\Druid\shared\target.txt
                ***NETSCAPE HANGS UNTIL CYTLOK RESPONSE OR TIMEOUT***

Cytlok Machine: Violation on Read Attempt, waits for response.

This example works for all applications tested (WinAmp, Eudora,
Netscape).

Technical Explanation
---------------------
When a machine on the local network makes an SMB filesharing connection
to a machine running Cytlok, and the Cytlok permissions for the
requested file are set to non-readable, the application requesting the
file will hang for as long as the Cytlok user takes no action in
response to the violation box. However, if the request is made via
Start->Run, it will not hang, only increase system load for a short
period of time until the OS gives up on the request. Network
Neighborhood locks up the entire machine nicely, until it times out.

Because this problem only exists, as far as I know, by using
filesharing connections to cause a file-read violation over a network
drive, both machines must exist on the same network.

Solution
--------
If an application makes the request and hangs, press CTRL-ALT-DEL to
bring up the task manager and End the hanging task, or wait for the
application to time out on the request. However, waiting for the
application to time out is application specific (hehehe) in that some
applications may NOT time out, resulting in a permanent hang until the
application is shut down.

There is no fix or workaround at this time.

How To Exploit
--------------
Exploiting is trivial. The easiest way I have found is to simply email
the file request as a URL to the target user, put up a web page with a
link to the file:// URL, etc. This will hang the user's email client or
web browser, respectively. Of course you could just trick someone into
going to your share via Network Neighborhood.

Note: This combined with a netcat trojan and a while(1) script could
get REALLY nasty in a DoS sort of way.
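
Added example (not part of the original advisory): a mail or web content filter can flag links that make the client open an SMB connection to another host, which is the delivery path described under How To Exploit. It goes beyond the advisory's file://\\host\share form to cover other spellings that reach a remote share; the function names are hypothetical and the sample body is constructed.

```python
import re
from urllib.parse import unquote

# Names that mean "this machine", so no SMB connection leaves the host.
LOCAL_HOSTS = {"", ".", "localhost", "127.0.0.1"}

# A file: URL, or a bare UNC path, ending at whitespace, a quote or a bracket.
CANDIDATE = re.compile(
    r"""(?i)file:[/\\]{2,}[^\s"'<>]+|\\\\[^\s"'<>\\]+\\[^\s"'<>]+""")

def remote_host(link):
    """Return the host a link would open an SMB session to, or None if local."""
    link = unquote(link)                      # also catch %5C%5Chost%5Cshare
    if link.lower().startswith("file:"):
        rest = link[5:].replace("\\", "/")
        slashes = len(rest) - len(rest.lstrip("/"))
        if slashes == 3:                      # file:///C:/x has an empty authority
            return None
        host = rest.lstrip("/").split("/")[0]
    else:                                     # bare \\host\share\file
        host = link[2:].split("\\")[0]
    if host.lower() in LOCAL_HOSTS or re.fullmatch(r"[A-Za-z][:|]", host):
        return None                           # localhost or a drive letter
    return host.lower()

def find_remote_file_links(text):
    """List (link, host) for each link in text that points at a remote share."""
    hits = []
    for match in CANDIDATE.finditer(text):
        host = remote_host(match.group(0))
        if host:
            hits.append((match.group(0), host))
    return hits

# Constructed sample message body; the first link is the form used in the advisory.
SAMPLE = r'''<a href="file://\\Druid\shared\target.txt">notes</a>
<a href="file:///C:/WINDOWS/readme.txt">local file</a>
<img src="file://fileserver/pub/logo.gif">
The report is at \\Druid\shared\target.txt'''

if __name__ == "__main__":
    for link, host in find_remote_file_links(SAMPLE):
        print(f"remote share link -> host {host}: {link}")
```

Flagged links can be stripped or rewritten as inert text before delivery, so the client never issues the read that blocks on the remote machine.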