vz012004-esignal7.txt
Posted Mar 26, 2004
Authored by insect | Site viziblesoft.com

VizibleSoft Security Advisory #2004/01 - eSignal versions 7.6 and 7.5 have a stack based buffer overflow in the WinSig.exe binary, allowing for remote code execution.

tags | advisory, remote, overflow, code execution
SHA-256 | ea68e78e59e75709cc5a6d65db16bdb0f0f2c6c08fe4e58d8ddfdfd63c93aebd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

===========-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-===========
VizibleSoft Security Advisory #2004/01 25th Mar 2004

http://viziblesoft.com/insect/advisories/vz012004-esignal7.txt
insect@viziblesoft.com
===========-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-===========

Product: eSignal 7.6, 7.5 (maybe earlier)
http://www.esignal.com

Systems: Windows (all versions)

Problem: Stack-based buffer overflow

Severity: Remote code execution

Risk: High
-----------------------------------------------------------------------------

Product description:
~~~~~~~~~~~~~~~~~~~~
"eSignal is the nation's leading provider of real-time financial and
market information. eSignal is a popular platform for institutional
and professional traders. eSignal is a market data solution bundled
for best value for small to mid-size institutional investors that
also includes additional optional services..."


Vulnerability:
~~~~~~~~~~~~~~
eSignal's main application, "WinSig.exe", listens for incoming data
requests on TCP port 80.

While parsing requests, it suffers from a classic stack-based buffer
overflow when the parameter string is about 1040 characters long:

C:\>telnet localhost 80
<STREAMQUOTE>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....... x 1040
</STREAMQUOTE>

... bang!

The overflow occurs in Specs.dll and EIP is fully controllable, as
the function's return address on the stack is completely overwritten.
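As an added illustration, not eSignal's own code, here is the bounds check a parser for this request needs: the parameter is copied into a fixed buffer of an assumed 1024-byte capacity, and anything at or above that length is rejected instead of written past the end. The check is exercised against the advisory's 1040-byte "A" pattern.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: sits just under the ~1040-byte length at which
 * the advisory reports the overflow. */
#define PARAM_CAP 1024

enum parse_result { PARSE_OK = 0, PARSE_NO_TAG = -1, PARSE_TOO_LONG = -2 };

/* Copies the text between <STREAMQUOTE> and </STREAMQUOTE> into `out`
 * (capacity out_cap, NUL-terminated). An over-long parameter is rejected
 * outright rather than written past the end of the buffer. */
int parse_streamquote(const char *req, char *out, size_t out_cap)
{
    static const char open_tag[] = "<STREAMQUOTE>";
    static const char close_tag[] = "</STREAMQUOTE>";
    const char *start = strstr(req, open_tag);
    if (start == NULL) return PARSE_NO_TAG;
    start += sizeof(open_tag) - 1;
    const char *end = strstr(start, close_tag);
    if (end == NULL) return PARSE_NO_TAG;
    size_t len = (size_t)(end - start);
    if (len >= out_cap) return PARSE_TOO_LONG;   /* the bounds check that matters */
    memcpy(out, start, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Builds a constructed request whose parameter is n copies of 'A' (the
 * advisory's test pattern) and returns the parser's verdict on it. */
int check_payload(size_t n)
{
    char req[2048];
    char param[PARAM_CAP];
    const char *head = "<STREAMQUOTE>", *tail = "</STREAMQUOTE>";
    if (n > sizeof(req) - strlen(head) - strlen(tail) - 1) return PARSE_TOO_LONG;
    size_t pos = strlen(head);
    memcpy(req, head, pos);
    memset(req + pos, 'A', n);
    pos += n;
    memcpy(req + pos, tail, strlen(tail) + 1);   /* copies the NUL too */
    return parse_streamquote(req, param, sizeof param);
}

int main(void)
{
    printf("8 bytes    -> %d\n", check_payload(8));      /* 0: accepted */
    printf("1040 bytes -> %d\n", check_payload(1040));   /* -2: rejected */
    return 0;
}
```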


Exploitation:
~~~~~~~~~~~~~
Pretty trivial, except that the overflow string cannot contain NULL bytes
and all lower-case characters are converted to upper-case.

As we overwrite the stack with a return address and code, we use the
standard "JMP ESP" technique to direct execution back to us.

A "jmp esp" opcode was found in MFC71.dll, which is distributed in the eSignal
package and loads from the program folder, thus making the exploit eSignal
version specific instead of OS (Windoze) specific.

While I was working on the advisory, eSignal released v7.6, which is
vulnerable as well and even more "overflow-friendly", as the previous
version was compiled with debug bits for ESP value checking at the end of each
procedure. But in both cases it's almost the same.


Proof of concept code:
~~~~~~~~~~~~~~~~~~~~~~
An exploit written in Perl, which downloads and executes a file from
the specified URL, is available here:

http://viziblesoft.com/insect/sploits/vz-eSignal76.pl


Solution:
~~~~~~~~~
The vendor's technical support ignored my request for the company's security
contacts. I wasn't surprised, as most support staff these days are
zombified and can't figure out how to do something they were not programmed
to. Plus, the company falls into the category of "those who don't care"
moneymakers, so after two weeks' time I realized there wouldn't be
any answer.

Thus, the solution is obvious:

Close TCP 80 to the outside world with your favorite firewall.


Disclaimer:
~~~~~~~~~~~
The information in this advisory is believed to be true though
it may be false. Use of this information constitutes acceptance for use
in an AS IS condition. There are NO warranties with regard to this
information. In no event shall the authors be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

Legal Notice:
~~~~~~~~~~~~~
This advisory is copyright (c) 2004 VizibleSoft.com
You may distribute it unmodified. You may not modify it and distribute
it or distribute parts of it without the author's written permission -
this especially applies to the so called "vulnerabilities databases"
and "security checkers".

<!huh>
