COMMAND

    nobo bobo

SYSTEMS AFFECTED

    Systems running nobo bobo (a back orifice scanning detector)

PROBLEM

    i-kran  found  following.   To  make  crach  of  Nobo,  just  type
    following lines:

        find /|nc -u 10.1.1.17 31337

    This  make  that  the  NetCat  send  data  to the nobo (bobo) user
    (10.1.1.17) from stdin ("find / ").  Sending a UDP packet  (larger
    than 1024 bytes) will give the error:

        A network error has ocurred: Message too long (10040-92)

    Sending 15 of these packets (the minimum required) will crash nobo
    (stack fault in  kernel32.dll), with NOTHING  recorded to the  log
    file or to the screen.   Some nice scripts could be written  to do
    this to a class  C subnet.  The  only drawback to this  is that it
    would be rather bandwidth-intensive (15 x 1025 bytes x 255).

SOLUTION

    The problem seems  to be that  NOBO isn't dealing  with the packet
    fast enough and, as messages are being delivered (directly to  the
    message  proc  instead  of  being  posted  to  the message queue),
    Windows can't keep up with its call stack and segfault.  Anyway, a
    new version of NOBO (1.3)  was released to handle this  issue, the
    fact it  wasn't logging  the IP  address of  big packets received,
    plus  flood  detection  along  with  other  features.  NOBO can be
    retrieved from its site at

        http://web.cip.com.br/nobo/