[NT] Emerald, RadiusNT/X and Air Marshal NULL Byte Writing
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 10 Feb 2008 19:56:16 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Emerald, RadiusNT/X and Air Marshal NULL Byte Writing
------------------------------------------------------------------------
SUMMARY
All products developed by IEA Software include a web server for remote
administration of the services. The following programs run this web
interface, listed with the ports on which they listen:
* emerwebsrv, 80 and 443
* portald, 81
* schedule, 8010
* radadmn, 8011
* emerdap, 8012
* syslogd, 8013
* eaadmn, 8014
* emernet, 8018
* radlogin, 8020
A vulnerability in the products' web server allows remote attackers to
crash it by sending a specially malformed Content-Length value.
DETAILS
Vulnerable Systems:
* Emerald version prior to 5.0.49
* RadiusNT and RadiusX version prior to 5.1.38
* Radius test client version prior to 4.0.20
* Air Marshal version prior to 2.0.4
For each HTTP POST request the configuration web server receives the
client's data into a heap buffer that grows automatically through realloc.
When the amount of data received exceeds the integer value specified in
Content-Length, it stops receiving and places a NULL byte at the end of the
data to delimit it.
The problem is that a negative Content-Length value forces the server to
place this 0x00 byte at a memory location ranging from
heap_buffer+http_header+0x80000000 to heap_buffer+http_header+0xffffffff,
allowing an attacker to crash the server, or to place the byte at a more
useful location that could offer other possibilities of attack.
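As an added illustration from the defender's side (this is not IEA Software's code), the following C shows a Content-Length parser and receive loop that reject the negative and oversized values described above and always write the terminating NUL inside the allocation; MAX_BODY_BYTES, the 16-byte chunk size and the in-memory source standing in for the socket are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY_BYTES (1024u * 1024u)   /* assumed server-side POST cap */
/* Returns 1 and stores the length in *out only for a plain non-negative
 * decimal within MAX_BODY_BYTES. A leading '-', '+' or space, overflow and
 * trailing junk are rejected, so no negative or wrapped value is ever used. */
int parse_content_length(const char *value, size_t *out)
{
    char *end;
    unsigned long long n;
    if (value == NULL || !isdigit((unsigned char)*value))
        return 0;                           /* "", "-1", " 42", "+5" */
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0')    /* overflow or "12abc" */
        return 0;
    if (n > MAX_BODY_BYTES)
        return 0;
    *out = (size_t)n;
    return 1;
}

/* Receives the body from an in-memory source (stands in for the socket),
 * growing the heap buffer with realloc but never past the validated length;
 * the NUL goes inside the allocation. NULL on a short read. Caller frees. */
char *read_body(const char *src, size_t src_len, size_t content_length)
{
    char *buf = malloc(1), *tmp;
    size_t got = 0, cap = 1, want;
    if (!buf) return NULL;
    while (got < content_length && got < src_len) {
        want = content_length - got;
        if (want > 16) want = 16;               /* constructed chunk size */
        if (want > src_len - got) want = src_len - got;
        if (got + want + 1 > cap) {             /* room for data plus NUL */
            cap = got + want + 1;
            if (!(tmp = realloc(buf, cap))) { free(buf); return NULL; }
            buf = tmp;
        }
        memcpy(buf + got, src + got, want);
        got += want;
    }
    if (got != content_length) { free(buf); return NULL; }
    buf[got] = '\0';                            /* got < cap always holds */
    return buf;
}
```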
Exploit:
Send the following:
POST / HTTP/1.0
Host: localhost
Content-Length: 2147483647
Using:
nc SERVER PORT -v -v < emerdal.txt
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/emerdal-adv.txt>