Windows NTP Time Server Syslog Monitor 1.0.000 Denial of Service Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Windows NTP Time Server Syslog Monitor 1.0.000 Denial of Service Vulnerability
From: vuln_research@xxxxxxxxxxxxxxxxxxx
Date: Wed, 14 Jan 2009 17:20:49 -0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

[--Vulnerability Summary--]

Title: Windows NTP Time Server Syslog Monitor 1.0.000 Denial of Service 
Vulnerability
Product: Windows NTP Time Server Syslog Monitor 1.0.000

Discovered: November 29, 2008
Discovered by: Rob Kraus, princeofnigeria (PoN)

Vendor: TimeTools
Vendor URL: http://www.timetools.co.uk
Vendor notification date: December 1, 2008
Vendor response date: --
Vendor acknowledgment:--
Vendor provided fix:--
Release coordinated with the vendor: --
Public disclosure date: January 14, 2009

Affects: Windows NTP Time Server Syslog Monitor 1.0.000
Fixed in: No fix currently available.
Risk: High

Vulnerability Description: Windows NTP Time Server Syslog Monitor 1.0.000 is 
vulnerable to a remote denial-of-service vulnerability because it fails to 
handle user-supplied input. Sending a specially crafted UDP Syslog request will 
cause the application to become unstable and stop responding.

Impact: A remote or local attacker can exploit this flaw by sending a specially 
crafted packet to the Syslog server. Successful exploitation of this flaw will 
cause the Syslog server process to crash preventing valid users or devices from 
using the service. The Syslog server will need to be restarted to resume normal 
Syslog server operations.

Keywords: security, vulnerability, syslog, princeofnigeria, windows, server, 
udp, dos, denial of service

[--Background--]

Type of vulnerability: Input validation flaw
Who can exploit it: Local or Remote users

Windows NTP Time Server Syslog Monitor 1.0.000 is an application that provides 
services for receiving system event messages to provide a centralized reporting 
interface for distributed system events. The application should validate and 
sanitize all user input to prevent unexpected conditions.

Per software download sites description: ?TimeTools Windows Atomic Clock NTP 
Server Syslog Daemon is a free utility that runs on any Windows NT/2000/XP/2003 
workstation or server. It allows any syslog messages from any Linux or Unix 
based syslog client to be logged and displayed.?

Vulnerability Scope: The default installation of Windows NTP Time Server Syslog 
Monitor 1.0.000 will allow exploitation of this vulnerability.

[--More Details--]

Exploitation of this flaw can be executed by sending a specially crafted UDP to 
the target server. No exploit code is required.

[--Fix or Workaround Information--]

Patch availability: None
Vendor provided fix: None
Workarounds: None available at this time, design flaw. Discontinue use of this 
product until a stable patch is released.

[--Disclosure Policy--]

PrinceofNigeria.org Vulnerability Disclosure Policy
http://www.princeofnigeria.org/blogs/index.php/vulndev/vulnreleasepolicy/?blog=1

[--Disclosure History--]

Public disclosure date: January 14, 2009

[--References--]
CVE-ID:
Bugtraq ID:
Secunia ID:
OSVDB ID:

[--Author--]
Rob Kraus, princeofnigeria (PoN)
Website: www.princeofnigeria.org/blogs

Prev by Date: TFTPUtil GUI TFTP Server Denial of Service Vulnerability
Next by Date: Re: Assurent VR - Oracle BEA WebLogic Server Apache Connector Buffer Overflow
Previous by thread: TFTPUtil GUI TFTP Server Denial of Service Vulnerability
Next by thread: Re: Assurent VR - Oracle BEA WebLogic Server Apache Connector Buffer Overflow
Index(es):
- Date
- Thread