Secure Network Operations, Inc.        http://www.secnetops.com/research
Strategic Reconnaissance Team          research@secnetops.com
Team Lead Contact                      kf@secnetops.com

Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.

To learn more about our company, products and services or to request a
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or
call us at: 978-263-3829

Quick Summary:
************************************************************************
Advisory Number     : SRT2003-12-04-0723
Product             : PLDaniels/PLD Ebola
Version             : ebola-0.1.4
Vendor              : http://pldaniels.com/ebola/
Class               : Remote
Criticality         : High (to Ebola users)
Operating System(s) : *nix

Notice
************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com/research/advisories/SRT2003-12-04-0723.txt

Basic Explanation
************************************************************************
High Level Description : Ebola daemon contains a remote buffer overflow.
What to do             : upgrade to ebola-0.1.5

Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has proof of concept.

Low Level Description   : Ebola is an AntiVirus scanning daemon system
which offers to improve considerably the performance of scanning systems
such as AMaViS, Inflex and other such programs which require on-demand
scanning from various AV engines. The Ebola daemon contains a remotely
exploitable buffer overflow in its authentication sequence.
This issue is caused by the handle_PASS() function in ebola.c

    char outstr[100];
    ...
    if (passwd) {
        if (PASS_authenticate(username, passwd) == _PASS_OK) {
            sprintf(outstr,"PASS NOT ACCEPTED for user \"%s\", pass \"%s\".\n",username,passwd);
    ...

Please upgrade to version 0.1.5 of the ebola daemon.

Vendor Status           : Paul L Daniels promptly responded to this
issue; a patch was available immediately after it was reported.

Bugtraq URL             : To be assigned.

Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a
matter of notification to help administrators protect their networks
against the described vulnerability. Exploit source code is no longer
released in our advisories but can be obtained under contract. Contact
our sales department at sales@secnetops.com for further information on
how to obtain proof of concept code.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."
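
Added example (not part of the original advisory and not the vendor's 0.1.5 patch): a bounded version of the outstr formatting shown under Low Level Description, which reports truncation instead of writing past the 100-byte buffer. The helper names, the PASS_FMT macro and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OUTSTR_LEN 100  /* same size as outstr[100] in the advisory */
#define PASS_FMT "PASS NOT ACCEPTED for user \"%s\", pass \"%s\".\n"

/* Hypothetical helper, not from ebola.c: bytes the full message needs,
 * excluding the terminating NUL (the format has 40 fixed characters). */
size_t pass_reply_needed(const char *username, const char *passwd)
{
    int n = snprintf(NULL, 0, PASS_FMT, username, passwd);
    return n < 0 ? 0 : (size_t)n;
}

/* Hypothetical helper: bounded replacement for the sprintf() call.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on bad input. */
int format_pass_reply(char *out, size_t outlen,
                      const char *username, const char *passwd)
{
    if (!out || outlen == 0 || !username || !passwd)
        return -1;
    /* snprintf never writes more than outlen bytes (NUL included) and
     * returns the length the untruncated message would have had. */
    int n = snprintf(out, outlen, PASS_FMT, username, passwd);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    return (size_t)n >= outlen ? 1 : 0;
}

int main(void)
{
    char outstr[OUTSTR_LEN];
    char longpw[301];                 /* constructed over-long input */
    memset(longpw, 'A', sizeof longpw - 1);
    longpw[sizeof longpw - 1] = '\0';

    int rc = format_pass_reply(outstr, sizeof outstr, "user", longpw);
    printf("rc=%d needed=%zu stored=%zu\n", rc,
           pass_reply_needed("user", longpw), strlen(outstr));
    return 0;
}
```

With the 40 fixed characters in the format string, a username and password totalling more than 59 bytes no longer fit in the 100-byte buffer, so a caller can treat a return value of 1 as grounds to reject the request.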