eSignal v7 remote buffer overflow (exploit)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5
===========-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-===========
VizibleSoft Security Advisory #2004/01 25th Mar 2004
http://viziblesoft.com/insect/advisories/vz012004-esignal7.txt
insect@xxxxxxxxxxxxxxx
===========-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-===========
Product: eSignal 7.6, 7.5 (maybe earlier)
http://www.esignal.com
Systems: Windows (all versions)
Problem: Stack-based buffer overflow
Severity: Remote code execution
Risk: High
-----------------------------------------------------------------------------
Product description:
~~~~~~~~~~~~~~~~~~~~
"eSignal is the nation's leading provider of real-time financial and
market information. eSignal is a popular platform for institutional
and professional traders. eSignal is a market data solution bundled
for best value for small to mid-size institutional investors that
also includes additional optional services..."
Vulnerability:
~~~~~~~~~~~~~~
eSignal main application "WinSig.exe" listens for incoming data
requests on tcp port 80.
While parsing requests, it suffers from classic stack-based buffer
overflow, when parameter string is about 1040 characters long:
C:\>telnet localhost 80
<STREAMQUOTE>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....... x 1040
</STREAMQUOTE>
... bang!
Overflow occurs in Specs.dll and EIP is fully controllable, as
the function return address on the stack is completelly overwritten.
Exploitation:
~~~~~~~~~~~~~
Pretty trivial, except that overflow string can not contain NULL-bytes
and all lower-case characters are converted to upper-case.
As we overwrite stack with return address and code, we use standard
"JMP ESP" technique to direct execution back to us.
"jmp esp" opcode was found in MFC71.dll, which is distributed in eSignal
package and loads from program folder, thus making exploit to be eSignal
version specific instead of OS (Windoze) specific.
While I was working on advisory, eSignal released v7.6 which is
vulnerable as well and even more "overflow-friendly", as previous
was compiled with debug bits for ESP value checking at the end of each
procedure. But in both cases it's almost similar.
Proof of concept code:
~~~~~~~~~~~~~~~~~~~~~~
Exploit written in Perl, which downloads and executes file from
the specified URL available here:
http://viziblesoft.com/insect/sploits/vz-eSignal76.pl
Solution:
~~~~~~~~~
Vendor's technical support ignored my request for company's security
contacts. I wasn't surprised, as the most support staff these days is
zombified and can't figure out doing something they were not programmed
to. Plus, company falls into category of "those who does not care"
moneymakers, so after two weeks time I realized there won't be
any answer.
Thus, solution is obvious:
Close tcp 80 to outside world with your favorite firewall.
Disclaimer:
~~~~~~~~~~~
The information in this advisory is believed to be true though
it may be false. Use of this information constitutes acceptance for use
in an AS IS condition. There are NO warranties with regard to this
information. In no event shall the authors be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.
Legal Notice:
~~~~~~~~~~~~~
This advisory is copyright (c) 2004 VizibleSoft.com
You may distribute it unmodified. You may not modify it and distribute
it or distribute parts of it without the author's written permission -
this especially applies to the so called "vulnerabilities databases"
and "security checkers".
<!huh>
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQIVAwUAQGMb+f/UvuCUTXKfAQERWRAAhj4gp6QOExt2ofKdLWQKdRd/6EHOi8FI
2XLh1EoasSOcaFJh3fB0/L2dZaEKEGTMRuZYPwYguu/BbTGSniCh7nkr5V2hzYZA
a41d6D3vfRQr8kAK+JyDLF0SAsaUHm+AavCKVZKtC/BmDnUvlNJcLXLOMSeFew9R
MkzukqSKhdGww8CkNm++Klp/qL9wArOUQTaUEbLX4IndifEb19ZdGIst/OeXMNzw
s7Bgn6QEcdHroTjOrndS1t3wIyjFR2BeYDVDdGZxksgk9iIqTq4j9IY147NYJ4q3
3ya9Rk9xRlbydpcOFr8t1Ah7B6N3/2lrHFQ3Kv5N3y7n47lAiJiYIqs/Dv88lD8a
G7hZDTULjROJyE+KpU3FE2tvFquasIOPOvhnoIZOs1nMXyGe4zJojkd4qB+zHPjo
ztj+hqBHRY1PkJhgtsKvfIZJMOTCdD9DYk2ouJnAIugevfSbnJcw0S5lyKgmUT/q
KzEgWbOFmHzIuI4JtgjsL2cQxyDIz9NV5nxcTtmX6EqixrPYzGCKoA2biv1aaLLH
PuwKbJNVI7sfzx9dCJddeTiYkd0nsw9uJd/G/QTh18iD6U/9V0ueD/HCc6pdL+kL
j7wh5lNnhi9S0s9d+NNyigKkNk2TblRxXSfdmOajojJAMr9lTm35P4gYcteT7f35
5IvVUQKTeHo=
=kVJa
-----END PGP SIGNATURE-----