[Full-disclosure] Axigen <2.0.0b1 DoS

Neil Kettle mu-b at 65535.com
Thu Feb 8 14:47:41 GMT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Attached are two DoS's used in part to win the beta testing
competition of Axigen (www.axigen.com) mail server for versions
<2.0.0b1; the vulnerabilities affect all platforms.

The first exploit is a single byte underflow causing a probabilistic
integer overflow in a call to memcpy; it will require around 256
attempts before a reasonable probability of success is achieved.

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1231520864 (LWP 8621)]
0xb7d37473 in memmove () from /lib/libc.so.6
(gdb) bt
#0  0xb7d37473 in memmove () from /lib/libc.so.6
#1  0x080a6d02 in ?? ()
#2  0x080a7177 in ?? ()
#3  0x0825afff in ?? ()
#4  0x080a2e77 in ?? ()
#5  0x0834cf6f in ?? ()
#6  0x0834a591 in ?? ()
#7  0x0834611d in ?? ()
#8  0x08373563 in ?? ()
#9  0xb7eda294 in start_thread () from /lib/libpthread.so.0
#10 0xb7d8832e in clone () from /lib/libc.so.6
(gdb) i r
eax            0xffffffff       -1
ecx            0x3f92ce70       1066585712
edx            0xfffffff9       -7
ebx            0x0      0
esp            0xb69872a8       0xb69872a8
ebp            0xb69872d8       0xb69872d8
esi            0xbc9d000        197775360
edi            0xbc9cfff        197775359
eip            0xb7d37473       0xb7d37473 <memmove+35>
eflags         0x10212  [ AF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb)


The second problem simply causes a NULL pointer dereference and will
work flawlessly.
---------------------------------------------------------------------------
Neil K
(mu-b at digit-labs.org)
(mu-b at 65535.com)

  "Only a few people will follow the proof. Whoever does will
     spend the rest of his life convincing people it is correct."
        - Anonymous, "P ?= NP"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFyzgN+gf4mLMNJygRCHquAKCsdTkq4ZpcobnNOO1Il6AgbRouYgCfVkY2
5/4UqsuilwccN1ggvchDERU=
=+qy/
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: doaxigen.c
Type: text/x-csrc
Size: 4957 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070208/6df4a7e8/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: doaxigen-v2.c
Type: text/x-csrc
Size: 4639 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070208/6df4a7e8/attachment-0001.bin 
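The bug class the post describes (a single-byte length underflow that feeds a wrapped size into memcpy, matching the 0xffffffff in eax and the negative length in edx of the register dump) is easy to reproduce in miniature. The following is an added, constructed illustration written for this page; it is not Axigen's code and not the attached doaxigen.c. It assumes a hypothetical record format of one length byte followed by payload whose last byte is stripped, and shows the unchecked computation next to a bounds-checked copy that rejects malformed records instead of handing a wrapped length to memcpy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (hypothetical, not Axigen's): one length
 * byte, then that many bytes, of which the final byte is a terminator
 * that the parser strips before copying the payload. */

/* Unchecked computation: with len_byte == 0 the size_t subtraction
 * wraps to SIZE_MAX (0xffffffff on 32-bit), which is exactly the kind
 * of length that ends up in a memcpy/memmove call and faults. */
size_t vuln_payload_len(uint8_t len_byte)
{
    size_t len = len_byte;
    return len - 1;            /* underflows when len_byte == 0 */
}

/* Checked computation: refuse records too short to hold a terminator.
 * Returns 1 and stores the payload length, or 0 if malformed. */
int safe_payload_len(uint8_t len_byte, size_t *out)
{
    if (len_byte < 1)
        return 0;
    *out = (size_t)len_byte - 1;
    return 1;
}

/* Copy a record's payload into dst. Every length is validated against
 * both the bytes actually received (rec_len) and the destination
 * capacity before memcpy runs. Returns bytes copied or -1 on reject. */
int copy_record(const uint8_t *rec, size_t rec_len,
                uint8_t *dst, size_t dst_cap)
{
    size_t plen;
    if (rec_len < 1)
        return -1;             /* no length byte at all */
    if (!safe_payload_len(rec[0], &plen))
        return -1;             /* zero-length record: would underflow */
    if (plen > rec_len - 1)
        return -1;             /* claims more bytes than were received */
    if (plen > dst_cap)
        return -1;             /* would overflow the destination */
    memcpy(dst, rec + 1, plen);
    return (int)plen;
}

/* Constructed sample records used by the demo and the checks. */
static const uint8_t rec_empty[] = { 0x00 };                      /* len 0 */
static const uint8_t rec_ok[]    = { 0x04, 'a', 'b', 'c', '\n' }; /* len 4 */
static const uint8_t rec_trunc[] = { 0x09, 'a' };                 /* short */
static uint8_t dst_buf[8];

int main(void)
{
    printf("unchecked len for 0x00 record: %zu\n", vuln_payload_len(0x00));
    printf("empty  -> %d\n", copy_record(rec_empty, sizeof rec_empty, dst_buf, sizeof dst_buf));
    printf("ok     -> %d\n", copy_record(rec_ok,    sizeof rec_ok,    dst_buf, sizeof dst_buf));
    printf("trunc  -> %d\n", copy_record(rec_trunc, sizeof rec_trunc, dst_buf, sizeof dst_buf));
    printf("tiny   -> %d\n", copy_record(rec_ok,    sizeof rec_ok,    dst_buf, 2));
    return 0;
}
```

The important detail for defenders is the second check in copy_record: validating the declared length against the bytes actually received is what removes the probabilistic element the post mentions, since the wrapped length can then never reach memcpy regardless of what happens to sit after the buffer in memory.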


Full-Disclosure is hosted and sponsored by Secunia.