def-2001-21: Ghost Multiple DoS
daemon@ATHENA.MIT.EDU (Peter Gründl)
Wed Apr 11 16:16:38 2001
Date: Wed, 11 Apr 2001 15:51:50 +0200
Reply-To: Peter Gründl <peter.grundl@DEFCOM.COM>
From: Peter Gründl <peter.grundl@DEFCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
======================================================================
Defcom Labs Advisory def-2001-21
Ghost Multiple DoS
Author: Peter Gründl <peter.grundl@defcom.com>
Release Date: 2001-04-11
======================================================================
------------------------=[Brief Description]=-------------------------
Ghost contains flaws that allow an attacker to crash the application.
------------------------=[Affected Systems]=--------------------------
- Symantec Ghost 6.5 for Windows NT/2000
- Sybase Adaptive Server Anywhere Database Engine V6.0.3.2747
----------------------=[Detailed Description]=------------------------
The first flaw involves the database engine, which isn't a Symantec
product, but it is shipped with Symantec Ghost 6.5 (and possibly older
versions as well). The database engine is the run-time engine by
Sybase.
Connecting to the database engine on TCP port 2638 and sending a
string of approx. 45Kb will cause a buffer overflow that results in
registers being overwritten (note the ecx and edx values in the dump
below). The database engine needs to be restarted in order to regain
functionality.
"State Dump for Thread Id 0x5c8
eax=0063f0e4 ebx=0063f204 ecx=41414141 edx=41414141 esi=00630020
edi=00630000 eip=65719224 esp=08fbfbf0 ebp=00000000
iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206"
The Ghost Configuration Server is running on TCP port 1347. It can
periodically be crashed by the same kind of input that triggers the
database engine overflow. This is not a buffer overflow, however, and
can only be used for a DoS attack.
"The following information has been placed on the clipboard.
If you would like to visit the Symantec Technical support site at
http://www.symantec.com/techsupp/ it may help our technicians
diagnose the problem and improve our product.
Symantec Ghost Configuration Server
An exception has occurred of type c0000005
D:\Program Files\Symantec\Ghost\ngserver.exe 6.5.1.144
[ Limited backtrace only ]
memmove+0x33
StreamInterchange::doDispatch+0x1b2
StreamInterchange::readEvent+0x13e
SocketEvent::dispatch+0x33
SocketEvent::wait+0x203"
---------------------------=[Workaround]=-----------------------------
Restricting access to the Ghost Configuration Server might not be
applicable, since you would need that access in order to use the net
capabilities of the program.
The database engine can be restricted to listening on the loopback
interface like so:
1. shut down the configuration server
2. launch the Sybase engine manually:
cd "\Program Files\Symantec\Ghost\bin"
rteng6 -x tcpip(MyIP=127.0.0.1) ..\db\SYMANTECGHOST.DB
(or the equivalent before restarting the Symantec Ghost
Configuration Server service)
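To verify that the workaround took effect, the following added script
(not part of the advisory or of Symantec's or Sybase's software) classifies
the two advisory ports from pasted "netstat -an" output taken on the Ghost
server. The netstat samples are constructed; the Windows line format is
assumed.

```python
import re
from typing import Dict, List, Tuple

# Ports named in the advisory: Sybase engine (2638), Ghost Configuration Server (1347).
ADVISORY_PORTS = {2638: "Sybase ASA engine", 1347: "Ghost Configuration Server"}

# Assumed Windows "netstat -an" TCP line: proto, local addr:port, foreign addr, state.
_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def listening_binds(netstat_text: str) -> List[Tuple[str, int]]:
    """Return (local_address, port) for every TCP socket in LISTENING state."""
    binds = []
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if m:
            binds.append((m.group(1), int(m.group(2))))
    return binds


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def exposure_report(netstat_text: str, ports: Dict[int, str] = ADVISORY_PORTS) -> Dict[int, str]:
    """Per port: 'not listening', 'loopback only', or 'exposed on <addr>'."""
    report = {}
    for port in ports:
        addrs = [a for a, p in listening_binds(netstat_text) if p == port]
        if not addrs:
            report[port] = "not listening"
        elif all(is_loopback(a) for a in addrs):
            report[port] = "loopback only"
        else:
            report[port] = "exposed on " + ", ".join(a for a in addrs if not is_loopback(a))
    return report


# Constructed samples: engine on all interfaces (default) vs. after MyIP=127.0.0.1.
BEFORE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1347           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2638           0.0.0.0:0              LISTENING
"""
AFTER = """
  TCP    0.0.0.0:1347           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:2638         0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, exposure_report(text))
```

Port 1347 stays exposed in the "after" sample, matching the advisory's note that the Configuration Server cannot be restricted without losing its network features.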
Vendor response regarding upgrade:
"1 - Ghost 7.0 ships out to customers on the 2nd of April
2 - It is a "free" upgrade for those who purchased Upgrade Insurance
as part of their license
3 - Standard upgrade procedures are available for those affected by
the problem
Direct all inquiries to www.symantec.com/ghost and/or
www.binaryresearch.net"
-------------------------=[Vendor Response]=--------------------------
The issues were brought to the vendor's attention on the 21st of
December, 2000. The issues were resolved in Ghost 7.0, released 2nd of
April, 2001.
In response to the DoS on the Configuration Server port (1347) the
vendor replied:
"Just an FYI on the defect; it's not a buffer overflow as such (we're
pretty religious about avoiding fixed-size buffers here), but rather
a simple fencepost bug which is triggered by an error-handling path
where the code at one layer that consumed some input fell over
because a lower-layer error function had already cleaned out the
buffer."
======================================================================
This release was brought to you by Defcom Labs
labs@defcom.com www.defcom.com
======================================================================