lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 12 Apr 2007 11:13:12 +0200
From: infocus@...igo.hr
To: bugtraq@...urityfocus.com
Cc: vuln-dev@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: INFIGO-2007-04-05: Enterprise Security Analyzer server remote
	buffer overflows



                   INFIGO IS Security Advisory #ADV-2007-04-01
                              http://www.infigo.hr/



Title: Enterprise Security Analyzer server remote buffer overflows
Advisory ID: INFIGO-2007-08
Date: 2007-04-05
Advisory URL: http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-08-04
Impact: Remote code execution (preauth)
Risk Level: High
Vulnerability Type: Remote
Vendors Status: Vendor contacted 8.2.2007 (first contact),
	        Vendor contacted 19.2.2007 (second contact),
	        Vendor contacted 28.3.2007 (no response)






==[ Overview

Enterprise Security Analyzer (ESA) from eIQnetworks  
(http://www.eIQnetworks.com)
is a Security Information Management (SIM) solution that provides security
intelligence across the enterprise. ESA helps to simplify operations, protect
IT assets and meet compliance mandates by combining multiple functionalities
into a single solution.



==[ Vulnerability

During an audit of Enterprise Security Analyzer, multiple remote buffer
overflows have been discovered in the ESA server (TCP port 10616).
There are various stack and heap overflows in multiple ESA requests.
ESA protocol is a very simple plaintext homemade protocol where requests
are sent in the following form:

---
[REQUEST_COMMAND]&[ARG1]&[ARG2]&[ARG3]&[ARGn]
---
(Note: remove '[' and ']')

Ironically, Enterprise Security Analyzer is affected by various
'by the book' overflows in multiple request commands as listed below:

- DELETESEARCHFOLDER stack overflow
Request: [DELETESEARCHFOLDER&A x 40000...&]

- DELTASK heap overflow
Request: [DELTASK&A x 3000...&current&test&]

- HMGR_CHECKHOSTSCSV heap overflow
Request: [ HMGR_CHECKHOSTSCSV&A x 80000...&]

- TASKUPDATEDUSER heap overflow
Request: [TASKUPDATEDUSER&A x 60000...&test&test&]

- VERIFYUSERKEY remote memory access violation
Request: [VERIFYUSERKEY&A x 13000...&Administrator&127.0.0.1&12345]

- VERIFYPWD remote stack overflow (low risk - admin password needed)
Request: [VERIFYPWD&A x 6000...&admin&adminpass&]



==[ Affected Version

The vulnerability has been identified in the latest available Enterprise
Security Analyzer v2.5. Previous versions are believed to be vulnerable
as well.



==[ Fix

No patch provided.



==[ PoC Exploit

Not needed.



==[ Credits

Vulnerability discovered by Leon Juranic <leon.juranic@...igo.hr>.



==[ INFIGO IS Security Contact

INFIGO IS,

WWW : http://www.infigo.hr
E-mail : infocus@...igo.hr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ