SRT2003-12-04-0723 - PLDaniels Ebola remote overflow
I am a little behind on the web page update but regardless here is the
*necessary* information. Technical details will be available by the
weekend.
-KF
Secure Network Operations, Inc. http://www.secnetops.com/research
Strategic Reconnaissance Team research@xxxxxxxxxxxxx
Team Lead Contact kf@xxxxxxxxxxxxx
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
To learn more about our company, products and services or to request a
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or
call us at: 978-263-3829
Quick Summary:
************************************************************************
Advisory Number : SRT2003-12-04-0723
Product : PLDaniels/PLD Ebola
Version : ebola-0.1.4
Vendor : http://pldaniels.com/ebola/
Class : Remote
Criticality : High (to Ebola users)
Operating System(s) : *nix
Notice
************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com/research/advisories/SRT2003-12-04-0723.txt
Basic Explanation
************************************************************************
High Level Description : Ebola daemon contains a remote buffer overflow.
What to do : upgrade to ebola-0.1.5
Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has proof of concept.
Low Level Description : Ebola is an AntiVirus scanning daemon system
which offers to improve considerably the performance of scanning systems
such as AMaViS, Inflex and other such programs which require on-demand
scanning from various AV engines.
The Ebola daemon contains a remotely exploitable buffer overflow in its
authentication sequence.
This issue is caused by the handle_PASS() function in ebola.c:
    char outstr[100];
    ...
    if (passwd) {
        if (PASS_authenticate(username, passwd) == _PASS_OK) {
            sprintf(outstr,"PASS NOT ACCEPTED for user \"%s\", pass \"%s\".\n",username,passwd);
            ...
Please upgrade to version 0.1.5 of the ebola daemon.
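For contrast with the unbounded sprintf() call in the excerpt above, here is a bounded way to build the same reply. This is an added example, not code from the advisory or from the ebola 0.1.5 patch; format_pass_reply(), OUTSTR_SIZE, PASS_FMT and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OUTSTR_SIZE 100  /* same size as outstr[] in the advisory's excerpt */

/* Same message text as the excerpt, kept in one place. */
#define PASS_FMT "PASS NOT ACCEPTED for user \"%s\", pass \"%s\".\n"

/*
 * Hypothetical bounded replacement for the sprintf() call.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * full message would not fit. On -1 the buffer holds a fixed reply that
 * does not depend on the client-supplied strings.
 */
int format_pass_reply(char *out, size_t outsz,
                      const char *username, const char *passwd)
{
    int n;

    if (out == NULL || outsz == 0 || username == NULL || passwd == NULL)
        return -1;

    n = snprintf(out, outsz, PASS_FMT, username, passwd);
    if (n < 0 || (size_t)n >= outsz) {
        /* snprintf returns the length it wanted; >= outsz means truncated. */
        snprintf(out, outsz, "PASS NOT ACCEPTED.\n");
        return -1;
    }
    return n;
}

int main(void)
{
    char outstr[OUTSTR_SIZE];
    char long_pass[512];  /* constructed sample input, longer than outstr */

    memset(long_pass, 'A', sizeof(long_pass) - 1);
    long_pass[sizeof(long_pass) - 1] = '\0';

    printf("%d\n", format_pass_reply(outstr, sizeof(outstr), "alice", "secret"));
    printf("%d\n", format_pass_reply(outstr, sizeof(outstr), "alice", long_pass));
    printf("%s", outstr);
    return 0;
}
```

The fixed text of the message occupies 40 bytes, so any username and password totalling more than 59 bytes take the -1 path instead of writing past the 100-byte buffer.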
Vendor Status : Paul L Daniels promptly responded to this issue,
a patch was available immediately after it was reported.
Bugtraq URL : To be assigned.
Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract. Contact our sales
department at sales@xxxxxxxxxxxxx for further information on how to
obtain proof of concept code.
----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."