From: Peter Gründl (peter.grundl@DEFCOM.COM)
Date: Wed Apr 11 2001 - 08:51:50 CDT


    ======================================================================
                      Defcom Labs Advisory def-2001-21

                             Ghost Multiple DoS

    Author: Peter Gründl <peter.grundl@defcom.com>
    Release Date: 2001-04-11
    ======================================================================
    ------------------------=[Brief Description]=-------------------------
    Ghost contains flaws that allow an attacker to crash the application.

    ------------------------=[Affected Systems]=--------------------------
    - Symantec Ghost 6.5 for Windows NT/2000
    - Sybase Adaptive Server Anywhere Database Engine V6.0.3.2747

    ----------------------=[Detailed Description]=------------------------
    The first flaw is in the database engine, which is not a Symantec
    product but is shipped with Symantec Ghost 6.5 (and possibly older
    versions as well). The database engine is the Sybase run-time engine.

    Connecting to the database engine on tcp port 2638 and sending a
    string of approx. 45Kb will cause a buffer overflow that results in
    registers being overwritten. The database engine needs to be restarted
    in order to regain functionality.

    "State Dump for Thread Id 0x5c8
     eax=0063f0e4 ebx=0063f204 ecx=41414141 edx=41414141 esi=00630020
     edi=00630000 eip=65719224 esp=08fbfbf0 ebp=00000000
     iopl=0 nv up ei pl nz na po nc
     cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206"
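The register dump above is the advisory's evidence that input reached the registers (ecx and edx hold the repeated filler byte 0x41). As an added example, not part of the advisory, here is a small triage helper that parses a dump of this shape and flags registers holding a single repeated byte, the usual sign that a crash came from oversized input rather than an ordinary fault; the dump text is copied from the advisory and the heuristic is this example's own.

```python
import re

# Copy of the state dump quoted in the advisory (used as the sample input).
STATE_DUMP = """State Dump for Thread Id 0x5c8
 eax=0063f0e4 ebx=0063f204 ecx=41414141 edx=41414141 esi=00630020
 edi=00630000 eip=65719224 esp=08fbfbf0 ebp=00000000
 iopl=0 nv up ei pl nz na po nc
 cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206"""

# Matches the 32-bit general-purpose registers and eip; segment/flag
# registers (cs, ss, efl, ...) are deliberately ignored.
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})\b")


def parse_registers(dump: str) -> dict:
    """Return {register name: value} for the registers found in the dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def looks_attacker_controlled(value: int) -> bool:
    """Heuristic: a 32-bit value made of one repeated non-zero byte
    (e.g. 0x41414141) is the classic signature of a register overwritten
    by filler from an oversized input. Zero is excluded because a null
    ebp/esi is common in legitimate crashes."""
    b = value & 0xFF
    return b != 0 and value == (b << 24) | (b << 16) | (b << 8) | b


def triage(dump: str) -> dict:
    """Summarise which registers look input-controlled and how severe that is.
    'eip-controlled' means the instruction pointer itself holds filler, which
    points at possible code execution; 'corrupted' means other registers do,
    which matches the memory corruption / DoS case described in the advisory."""
    regs = parse_registers(dump)
    suspicious = sorted(r for r, v in regs.items() if looks_attacker_controlled(v))
    if "eip" in suspicious:
        severity = "eip-controlled"
    elif suspicious:
        severity = "corrupted"
    else:
        severity = "clean"
    return {"registers": regs, "suspicious": suspicious, "severity": severity}


if __name__ == "__main__":
    result = triage(STATE_DUMP)
    print("suspicious registers:", result["suspicious"])
    print("severity:", result["severity"])
```

Run against the advisory's dump this reports ecx and edx as suspicious with severity "corrupted", matching the author's reading that registers were overwritten.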

    The Ghost Configuration Server listens on TCP port 1347. It can
    intermittently be crashed by the same kind of oversized input that
    triggers the database engine overflow. This second issue is not a
    buffer overflow and can only be used for a denial-of-service attack.

    "The following information has been placed on the clipboard.
     If you would like to visit the Symantec Technical support site at
     http://www.symantec.com/techsupp/ it may help our technicians
     diagnose the problem and improve our product.

     Symantec Ghost Configuration Server
     An exception has occurred of type c0000005
     D:\Program Files\Symantec\Ghost\ngserver.exe 6.5.1.144
     [ Limited backtrace only ]
     memmove+0x33
     StreamInterchange::doDispatch+0x1b2
     StreamInterchange::readEvent+0x13e
     SocketEvent::dispatch+0x33
     SocketEvent::wait+0x203"

    ---------------------------=[Workaround]=-----------------------------
    Restricting access to the Ghost Configuration Server might not be
    applicable, since you would need that access in order to use the net
    capabilities of the program.

    The database engine can be restricted to listening on the loopback
    interface like so:

    1. shut down the configuration server
    2. launch the Sybase engine manually:
            cd "\Program Files\Symantec\Ghost\bin"
            rteng6 -x tcpip(MyIP=127.0.0.1) ..\db\SYMANTECGHOST.DB
     (or the equivalent before restarting the Symantec Ghost
      Configuration Server service)

    Vendor response regarding upgrade:
    "1 - Ghost 7.0 ships out to customers on the 2nd of April
     2 - It is a "free" upgrade for those who purchased Upgrade Insurance
         as part of their license
     3 - Standard upgrade procedures are available for those affected by
     the problem

     Direct all inquiries to www.symantec.com/ghost and/or
     www.binaryresearch.net"

    -------------------------=[Vendor Response]=--------------------------
    The issues were brought to the vendor's attention on the 21st of
    December, 2000. The issues were resolved in Ghost 7.0, released on the
    2nd of April, 2001.

    In response to the DoS on the Configuration Server port (1347) the
    vendor replied:

    "Just an FYI on the defect; it's not a buffer overflow as such (we're
     pretty religious about avoiding fixed-size buffers here), but rather
     a simple fencepost bug which is triggered by an error-handling path
     where the code at one layer that consumed some input fell over
     because a lower-layer error function had already cleaned out the
     buffer."

    ======================================================================
                This release was brought to you by Defcom Labs

                  labs@defcom.com www.defcom.com
    ======================================================================