Vulnerability
Ghost
Affected
- Symantec Ghost 6.5 for Windows NT/2000
- Sybase Adaptive Server Anywhere Database Engine V6.0.3.2747
Description
The following is based on Defcom Labs Advisory def-2001-21 by Peter
Grundl. Ghost contains flaws that allow an attacker to crash the
application.
The first flaw involves the database engine, which isn't a
Symantec product, but it is shipped with Symantec Ghost 6.5 (and
possibly older versions as well). The database engine is the
run-time engine by Sybase.
Connecting to the database engine on tcp port 2638 and sending a
string of approx. 45Kb will cause a buffer overflow that results
in registers being overwritten. The database engine needs to be
restarted in order to regain functionality.
"State Dump for Thread Id 0x5c8
eax=0063f0e4 ebx=0063f204 ecx=41414141 edx=41414141 esi=00630020
edi=00630000 eip=65719224 esp=08fbfbf0 ebp=00000000
iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206"
The Ghost Configuration Server is running on TCP port 1347. It is
periodically vulnerable to a crash triggered the same way as the
database engine overflow. This is not a buffer overflow, and can
only be used as a DoS attack.
"The following information has been placed on the clipboard.
If you would like to visit the Symantec Technical support site at
http://www.symantec.com/techsupp/ it may help our technicians
diagnose the problem and improve our product.
Symantec Ghost Configuration Server
An exception has occurred of type c0000005
D:\Program Files\Symantec\Ghost\ngserver.exe 6.5.1.144
[ Limited backtrace only ]
memmove+0x33
StreamInterchange::doDispatch+0x1b2
StreamInterchange::readEvent+0x13e
SocketEvent::dispatch+0x33
SocketEvent::wait+0x203"
Solution
Restricting access to the Ghost Configuration Server might not be
applicable, since you would need that access in order to use the
net capabilities of the program. The database engine can be
restricted to listening on the loopback interface like so:
1. shut down the configuration server
2. launch the Sybase engine manually:
cd "\Program Files\Symantec\Ghost\bin"
rteng6 -x tcpip(MyIP=127.0.0.1) ..\db\SYMANTECGHOST.DB
(or the equivalent before restarting the Symantec Ghost
Configuration Server service)
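To confirm the mitigation above took effect, an administrator would check that port 2638 now listens only on the loopback address. The following is an added example, not part of the original advisory: it parses Windows "netstat -an" output (the two excerpts are constructed, not captured from a real host) and reports which of the two advisory ports are still reachable from off-host.

```python
import re
from typing import Dict, List, Tuple

# Ports named in the advisory.
SYBASE_PORT = 2638        # Sybase Adaptive Server Anywhere engine
GHOST_CONFIG_PORT = 1347  # Symantec Ghost Configuration Server

# Constructed "netstat -an" excerpts (not captured from a real host):
# before the mitigation the engine listens on every interface ...
NETSTAT_BEFORE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1347           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2638           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:2638      192.168.1.55:1055      ESTABLISHED
"""
# ... and after "rteng6 -x tcpip(MyIP=127.0.0.1)" only on loopback.
NETSTAT_AFTER = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1347           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:2638         0.0.0.0:0              LISTENING
"""

# IPv4 TCP sockets in LISTENING state; established connections and
# IPv6 entries are ignored on purpose.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)

def listeners(netstat_output: str) -> List[Tuple[str, int]]:
    """Return (local_ip, port) for each listening IPv4 TCP socket."""
    return [(m.group(1), int(m.group(2)))
            for m in map(LISTEN_RE.match, netstat_output.splitlines()) if m]

def exposed_listeners(netstat_output: str, port: int) -> List[str]:
    """Local addresses on which `port` is reachable from off-host.
    0.0.0.0 means all interfaces and therefore counts as exposed."""
    return [ip for ip, p in listeners(netstat_output)
            if p == port and not ip.startswith("127.")]

def audit(netstat_output: str) -> Dict[str, object]:
    """Summarise the two advisory ports: the engine should be loopback-only;
    the Configuration Server cannot be restricted without losing network use."""
    return {
        "engine_loopback_only": not exposed_listeners(netstat_output, SYBASE_PORT),
        "config_server_exposed_on": exposed_listeners(netstat_output, GHOST_CONFIG_PORT),
    }

if __name__ == "__main__":
    print("before:", audit(NETSTAT_BEFORE))  # engine_loopback_only: False
    print("after: ", audit(NETSTAT_AFTER))   # engine_loopback_only: True
```

On a live host, feed the output of `netstat -an` into `audit()` instead of the constructed excerpts.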
Vendor response regarding upgrade:
1 - Ghost 7.0 ships out to customers on the 2nd of April
2 - It is a "free" upgrade for those who purchased Upgrade
Insurance as part of their license
3 - Standard upgrade procedures are available for those affected
by the problem
The issues were resolved in Ghost 7.0, released 2nd of April 2001.
In response to the DoS on the Configuration Server port (1347) the
vendor replied: "Just an FYI on the defect; it's not a buffer
overflow as such (we're pretty religious about avoiding fixed-size
buffers here), but rather a simple fencepost bug which is
triggered by an error-handling path where the code at one layer
that consumed some input fell over because a lower-layer error
function had already cleaned out the buffer."