lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080208222507.27b1a729.aluigi@autistici.org>
Date: Fri, 8 Feb 2008 22:25:07 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com, packet@...ketstormsecurity.org
Subject: NULL byte writing in Emerald, RadiusNT/X and Air Marshal


#######################################################################

                             Luigi Auriemma

Application:  Configuration web server integrated in Emerald,
              RadiusNT/X and Air Marshal
              http://www.iea-software.com
Versions:     Emerald <= 5.0.49
              RadiusNT and RadiusX <= 5.1.38
              Radius test client <= 4.0.20
              Air Marshal version <= 2.0.4
Platforms:    Windows, FreeBSD, Linux and Solaris
Bug:          writing of a NULL byte in the memory
Exploitation: remote
Date:         08 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


All the products developed by IEA Software use some web servers for the
remote administration of the services.
The following are the programs which run this web interface and the
ports on which they listen:
- emerwebsrv, 80 and 443
- portald, 81
- schedule, 8010
- radadmn, 8011
- emerdap, 8012
- syslogd, 8013
- eaadmn, 8014
- emernet, 8018
- radlogin, 8020
- possibly others


#######################################################################

======
2) Bug
======


For each HTTP POST request the configuration web server starts the
receiving of the client's data using a heap buffer which automatically
increases its size through realloc.
When the data received is major than the integer value specified in
Content-Length it stops the operation and places a NULL byte at the end
of the data for delimiting it.

The problem is that using a negative Content-Length value forces the
server to place this 0x00 byte in a location of the memory which goes
from heap_buffer+http_header+0x80000000 to
heap_buffer+http_header+0xffffffff allowing an attacker to crash the
server or placing this byte in a better location which could give him
other possibilities of attack.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/emerdal.txt

  nc SERVER PORT -v -v < emerdal.txt


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ