os2a_1008.txt
Posted Nov 14, 2006
Authored by Jayesh KS, Arun Kethipelly

Remote exploitation of a denial of service vulnerability in ELOG's elogd server allows attackers to crash the service. Versions 2.6.2 (SVN revision 1748) and below are affected.

tags | advisory, remote, denial of service
SHA-256 | 198b2f0e24232dd25c7698cea3f1e16a3cb4e3422d58cdfb5df4c0060fdc91b6

ELOG Web Logbook Remote Denial of Service Vulnerability


OS2A ID: OS2A_1008

Status:
10/31/2006 Issue Discovered
11/08/2006 Reported to the Vendor
11/08/2006 Fixed by Vendor
11/10/2006 Advisory Released


Class: Denial of Service Severity: Medium


Overview:
---------
The Electronic Logbook (ELOG) is part of a family of applications known as
weblogs. ELOG is a remarkable implementation of a weblog in its simplicity of
use and versatility.
http://midas.psi.ch/elog/index.html

Description:
------------
Remote exploitation of a denial of service vulnerability in ELOG's
elogd server allows attackers to crash the service, thereby preventing
legitimate access.

The [global] section of the configuration file elogd.cfg holds settings
common to all logbooks. The vulnerability is due to improper handling of an
HTTP GET request whose logbook name is 'global' (or any logbook name prefixed
with 'global'). When such a request is received, a NULL pointer dereference
occurs and the service crashes.

If the application is configured with a password, only authenticated users
can exploit this vulnerability.

Impact:
-------
Successful exploitation allows a remote attacker to crash the elogd server.

Affected Software(s):
---------------------
ELOG 2.6.2 (SVN revision 1748) and prior.
The Debian package elog 2.6.2+r1719-1 and prior is also vulnerable.

Proof of Concept:
-----------------
The HTTP GET request given below is sufficient to crash an affected server:
http://www.example.com/global/

Alternatively, create a logbook [global_xxx] or [global xxx] in elogd.cfg
and try to access it using a browser:
http://www.example.com/global_xxx/
http://www.example.com/global%20xxx/

Analysis:
---------
#gdb ./elogd
...
...

(gdb) break show_elog_list
Breakpoint 2 at 0x809d6e0

(gdb) c
Continuing.
(no debugging symbols found)
elogd 2.6.2 built Nov 8 2006, 01:25:48 revision 1699
Falling back to default group "elog"
Falling back to default user "elog"
Indexing logbooks ... done
Server listening on port 8080 ...

Breakpoint 2, 0x0809d6e0 in show_elog_list ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0809eb7a in show_elog_list ()

(gdb) bt
#0 0x0809eb7a in show_elog_list ()
#1 0x00000000 in ?? ()

(gdb) i r
eax 0x0 0
ecx 0x9d43d88 164904328
edx 0x0 0
ebx 0x0 0
esp 0xbfa8aca0 0xbfa8aca0
ebp 0x80df40c 0x80df40c
esi 0xbfb27050 -1078824880
edi 0x0 0
eip 0x809eb7a 0x809eb7a
eflags 0x200246 2097734
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51

(gdb) x/i $eip
0x809eb7a <show_elog_list+5274>: mov (%eax),%eax

The vulnerable code is at line 16774 of elogd.c:
n_msg = *lbs->n_el_index;
where the pointer lbs is dereferenced without first being checked for NULL.

--- elogd.c, show_elog_list() -----

   } else {
      n_logbook = 1;
      n_msg = *lbs->n_el_index;
   }

   msg_list = xmalloc(sizeof(MSG_LIST) * n_msg);

--- elogd.c, show_elog_list() -----
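The following is an added example, not elogd's code or the vendor's actual patch. It models the defect the advisory describes: the logbook lookup yields NULL for a request name that is 'global' or starts with 'global' (assumed here to mirror elogd treating [global ...] sections as settings rather than logbooks), the original pattern dereferences that NULL, and the hardened variant validates the lookup result before using it. LOGBOOK, find_logbook, n_msg_unchecked and n_msg_checked are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Minimal model of elogd's per-logbook state. Only the field touched in the
   advisory's excerpt is kept; this is the example's own struct, not elogd's. */
typedef struct {
    const char *name;
    int *n_el_index;   /* pointer to the entry count, as in *lbs->n_el_index */
} LOGBOOK;

static int demo_count = 3;                         /* constructed entry count */
static LOGBOOK demo_books[] = { { "demo", &demo_count } };

/* Resolve the logbook named in the request URL. Names that are 'global' or
   prefixed with 'global' have no LOGBOOK behind them (assumption modelling the
   [global] / [global xxx] configuration sections), so the lookup returns NULL. */
LOGBOOK *find_logbook(const char *name)
{
    if (strncasecmp(name, "global", 6) == 0)
        return NULL;
    for (size_t i = 0; i < sizeof demo_books / sizeof demo_books[0]; i++)
        if (strcasecmp(demo_books[i].name, name) == 0)
            return &demo_books[i];
    return NULL;
}

/* Pattern from the advisory's excerpt: lbs is dereferenced with no NULL
   check, so a request for a 'global...' name reads through address 0. */
int n_msg_unchecked(const char *name)
{
    LOGBOOK *lbs = find_logbook(name);
    return *lbs->n_el_index;   /* SIGSEGV when find_logbook returned NULL */
}

/* Hardened form: treat a failed lookup as an error the caller reports to the
   client instead of trusting the pointer. Returns 0 on success, -1 otherwise. */
int n_msg_checked(const char *name, int *n_msg)
{
    LOGBOOK *lbs = find_logbook(name);
    if (lbs == NULL || lbs->n_el_index == NULL)
        return -1;
    *n_msg = *lbs->n_el_index;
    return 0;
}

int main(void)
{
    int n = 0;
    printf("demo: %d\n", n_msg_checked("demo", &n) == 0 ? n : -1);
    printf("global_xxx: %s\n", n_msg_checked("global_xxx", &n) == 0 ? "ok" : "rejected");
    return 0;
}
```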


CVSS Score Report:
------------------
ACCESS_VECTOR = REMOTE
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = NONE
INTEGRITY_IMPACT = NONE
AVAILABILITY_IMPACT = COMPLETE
IMPACT_BIAS = AVAILABILITY
EXPLOITABILITY = FUNCTIONAL
REMEDIATION_LEVEL = OFFICIAL_FIX
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 5.0 (AV:R/AC:L/Au:NR/C:N/I:N/A:C/B:A)
CVSS Temporal Score = 4.1
Risk factor = Medium



Vendor Response:
----------------
The vendor has acknowledged the vulnerability and released a fixed version,
ELOG version 2.6.2-7 (SVN revision 1749).
http://savannah.psi.ch/websvn/log.php?repname=elog&path=%2Ftrunk%2F&rev=0&sc=0&isdir=1
(Revisions 1746-1749)

Debian has fixed this issue in elog_2.6.2+r1754-1,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397875

Solution:
---------
Install the fixed version,
ELOG version 2.6.2-7 (SVN revision 1749) or later.
http://midas.psi.ch/elog/download.html

For Debian, update to elog_2.6.2+r1754-1 or later.


Credits:
--------
Jayesh KS and Arun Kethipelly of OS2A have been credited with the discovery and
analysis of this vulnerability.
