Vulnerability

    Lockdown

Affected

    Lockdown

Description

    Sektor  Kun  found  following.   All  machines  running   Lockdown
    Corporation's Lockdown AntiTrojan program (ALL VERSIONS).   Tested
    under  Windows98.  Results  may  vary  under  different  operating
    systems, but all are vulnerable to the same problem.

    Lockdowns main display  textbox can only  hold about 61,000  bytes
    of text before it overloads.  An attacker can easily overload  the
    program remotely.   A single connection  attempt on a  trojan port
    such as 1243 results in the following being added to the display:

        [5/3/00 9:19:19 PM] Incoming hack attempt from IP Address: 10.0.0.10
        [5/3/00 9:19:19 PM] Hacker is attempting to gain access using the SubSeven trojan on port 1243.
        [5/3/00 9:19:19 PM] Hacker's connection was terminated by Lockdown 2000.
        [5/3/00 9:19:19 PM] Log auto-saved to: 05032000.LOG

    Almost 300  bytes are  added to  the main  text display  everytime
    somebody connects to a trojan port (it monitors 12345 and 1243  by
    default).  This  means  it  only  takes 203 connection attempts to
    overload  the  program  -  this  is  easily achieved in just a few
    seconds  using  octopus.c  -  a  program  which launches continual
    connections at a port).

    When  the  overload  occurs,   two  main  internal  errors   start
    displaying repeatedly:

        Text exceeds memo capacity.
        Cannot create file C:\PROGRAM FILES\LOCKDOWN 2000 V6.0\ldtr.bat

    (ldtr.bat is simply  a batch file  to launch the  DOS traceroute).
    It's another  burden that  Lockdown shells  to the  DOS prompt  to
    perform  traceroutes,  because  during  the  overload,  dozens  of
    "Winoldap"  processes  start  to  collate  in  the  process  list,
    consuming extra system resources.  At this point, blue  screens of
    death started displaying repetitively, forcing the user to  either
    Reset or kill Lockdown (and the dozens of Winoldap processes).

    Blue screen message:

        A fatal exception 0E has occurred at 0028:C02C54E5 in VXD VCOND(03) +
        00001745. The current application will be terminated.

    After the overload occurs, no activity is recorded by Lockdown.


Solution

    None. Lockdown doesn't give the user the option of _not_ listening
    on these ports, so if Lockdown is running, it is vulnerable.

    According  to  Jeffrey  Eaves  and  in  the opinion of others (see
    links), Lockdown2k is  fraudulent in every  respect;  It  is not a
    firewall, proxy  nor anything  close to  the real  thing.  You can
    walk right past this "software" into a target machine and it  will
    not even notice.  The  "attack" messages it displays are  randomly
    generated to  give the  "impression" that  it is  working for you.
    It does not listen directly to any port; it picks that information
    up much later once a packet has been through the tcp/ip stack (and
    done it's damage), and only then  looks at a couple of well  known
    ports and  forgets about  the other  65,533 ports!   It is  really
    quite  an  unbelievable  effort  to  rip  off the unsuspecting and
    ignorant.  The  more people that  know that this  is bullshit, the
    better.

    Lockdown2k  is  nothing  more  than  a  rehash  of  the failed and
    discredited product Hackerproof98.