From peter.grundl@DEFCOM.COM Wed Apr 11 18:13:55 2001
From: Peter Gründl
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Wed, 11 Apr 2001 15:51:50 +0200
Subject: [BUGTRAQ] def-2001-21: Ghost Multiple DoS

======================================================================
Defcom Labs Advisory def-2001-21
Ghost Multiple DoS
Author: Peter Gründl
Release Date: 2001-04-11
======================================================================

------------------------=[Brief Description]=-------------------------
Ghost contains flaws that allow an attacker to crash the application.

------------------------=[Affected Systems]=--------------------------
- Symantec Ghost 6.5 for Windows NT/2000
- Sybase Adaptive Server Anywhere Database Engine V6.0.3.2747

----------------------=[Detailed Description]=------------------------
The first flaw involves the database engine, which is not a Symantec product but is shipped with Symantec Ghost 6.5 (and possibly older versions as well). The database engine is the run-time engine by Sybase. Connecting to the database engine on TCP port 2638 and sending a string of approx. 45Kb causes a buffer overflow in which registers are overwritten with the supplied input (in the dump below, ecx and edx both hold 0x41414141, i.e. "AAAA"). The database engine needs to be restarted in order to regain functionality.

"State Dump for Thread Id 0x5c8
eax=0063f0e4 ebx=0063f204 ecx=41414141 edx=41414141 esi=00630020 edi=00630000
eip=65719224 esp=08fbfbf0 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206"

The Ghost Configuration Server runs on TCP port 1347. It is intermittently vulnerable to a crash triggered the same way as the database engine overflow. This is not a buffer overflow, and it can only be used for a DoS attack.

"The following information has been placed on the clipboard.
If you would like to visit the Symantec Technical support site at http://www.symantec.com/techsupp/ it may help our technicians diagnose the problem and improve our product.

Symantec Ghost Configuration Server
An exception has occurred of type c0000005
D:\Program Files\Symantec\Ghost\ngserver.exe 6.5.1.144

[ Limited backtrace only ]
memmove+0x33
StreamInterchange::doDispatch+0x1b2
StreamInterchange::readEvent+0x13e
SocketEvent::dispatch+0x33
SocketEvent::wait+0x203"

---------------------------=[Workaround]=-----------------------------
Restricting access to the Ghost Configuration Server might not be applicable, since that access is needed in order to use the network capabilities of the program. The database engine can be restricted to listening on the loopback interface like so:

1. Shut down the configuration server.
2. Launch the Sybase engine manually:
   cd "\Program Files\Symantec\Ghost\bin"
   rteng6 -x tcpip(MyIP=127.0.0.1) ..\db\SYMANTECGHOST.DB
   (or the equivalent before restarting the Symantec Ghost Configuration Server service)

Vendor response regarding upgrade:
"1 - Ghost 7.0 ships out to customers on the 2nd of April
2 - It is a "free" upgrade for those who purchased Upgrade Insurance as part of their license
3 - Standard upgrade procedures are available for those affected by the problem
Direct all inquiries to www.symantec.com/ghost and/or www.binaryresearch.net"

-------------------------=[Vendor Response]=--------------------------
The issues were brought to the vendor's attention on the 21st of December, 2000. The issues were resolved in Ghost 7.0, released on the 2nd of April, 2001.

In response to the DoS on the Configuration Server port (1347) the vendor replied:
"Just an FYI on the defect; it's not a buffer overflow as such (we're pretty religious about avoiding fixed-size buffers here), but rather a simple fencepost bug which is triggered by an error-handling path where the code at one layer that consumed some input fell over because a lower-layer error function had already cleaned out the buffer."

======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com
www.defcom.com
======================================================================
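A check an administrator can run after applying the loopback workaround above, added here as an example and not part of the advisory: it parses `netstat -an` output from the Ghost host (the sample below is constructed, not a real capture) and reports whether the Sybase engine port 2638 or the Configuration Server port 1347 is still bound to a non-loopback address.

```python
import re

# Ports named in the advisory: Sybase run-time engine and Ghost Configuration Server.
SYBASE_PORT = 2638
GHOST_CONFIG_PORT = 1347

# Constructed sample of `netstat -an` output from a Windows NT/2000 host (not a real capture).
# Here the workaround has NOT been applied: 2638 still listens on all interfaces.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1347           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2638           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:2638      192.168.1.55:1042      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Only TCP sockets in LISTENING state matter; established sessions are skipped.
_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def tcp_listeners(netstat_output):
    """Map each listening TCP port to the set of local addresses it is bound on."""
    listeners = {}
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            listeners.setdefault(int(m.group(2)), set()).add(m.group(1))
    return listeners


def exposed_ghost_ports(netstat_output):
    """Return {port: [addresses]} for the advisory's ports reachable from off-host.

    After the MyIP=127.0.0.1 workaround, 2638 should appear only on a loopback
    address. 1347 is reported too, since the advisory offers no workaround for it
    and the Ghost 7.0 upgrade is the only fix."""
    exposed = {}
    for port in (SYBASE_PORT, GHOST_CONFIG_PORT):
        addrs = tcp_listeners(netstat_output).get(port, set())
        non_loopback = sorted(a for a in addrs if not a.startswith("127."))
        if non_loopback:
            exposed[port] = non_loopback
    return exposed


if __name__ == "__main__":
    for port, addrs in exposed_ghost_ports(SAMPLE_NETSTAT).items():
        print(f"TCP {port} listens on {', '.join(addrs)}: reachable from the network")
```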