Date: Mon, 3 Mar 2008 20:54:25 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, news@...uriteam.com,
	full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: Heap overflow in Borland VisiBroker Smart Agent 08.00.00.C1.03


#######################################################################

                             Luigi Auriemma

Application:  Borland VisiBroker Smart Agent
              http://www.borland.com/visibroker/
Versions:     <= 08.00.00.C1.03
Platforms:    Windows
Bug:          heap overflow
Exploitation: remote
Date:         03 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"Borland® VisiBroker® is the most widely deployed CORBA ORB
infrastructure product on the market, with more than 30 million
licenses in use. Its robust CORBA-based environment makes it ideal for
developing and deploying distributed computing applications."

Smart Agent (osagent.exe) is the program that provides ORB object
location and failure detection services. It is an essential component
that lets remote and local administrators (Borland VisiBroker Console)
manage and locate the servers in the domain.


#######################################################################

======
2) Bug
======


Smart Agent binds UDP port 14000 plus one UDP and one TCP port that
change at every launch (the first free ports the program finds).

The protocol used on these three ports (so all three are exploitable)
handles strings made of a 32-bit number giving the length of the
string, followed by a 32-bit number giving the size of the string in
the packet, padded to a multiple of 8.

Setting the first number to 0xffffffff is enough to cause an allocation
of 0 bytes (0xffffffff + 1 wraps to 0), followed by
strncpy(allocated_memory, our_string, our_padded_size), which lets an
attacker crash the service or possibly execute malicious code.

There is also a secondary, minor vulnerability: the server terminates
automatically if the amount of memory specified by the client cannot be
allocated.
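The root cause described above is that the allocation is sized from one
field (length + 1, which wraps to 0 in 32-bit arithmetic) while the copy is
sized from a different, unvalidated field (the padded size). The following
C example is added here by the editor and is not Auriemma's proof of
concept nor Borland's code: it shows the wrapping computation as a pure
function, and beside it a hardened parser for the same two-field string
layout that validates both fields against each other and against the
packet before allocating. Big-endian field encoding, the 4096-byte cap
(MAX_STRING_LEN) and the exact "padded to 8" rule are assumptions for the
example, as are the constructed sample packets.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed sanity cap on a string's length; the advisory names no cap, so
 * this value is the editor's choice for the example. */
#define MAX_STRING_LEN 4096u

/* Assumed field encoding: big-endian 32-bit integers. */
static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The allocation size the vulnerable logic computes: len + 1 in 32-bit
 * arithmetic. For len == 0xffffffff this wraps to 0, which is exactly the
 * condition the advisory describes. Only returned, never used to allocate. */
uint32_t naive_alloc_size(uint32_t len)
{
    return len + 1u;
}

/* len rounded up to a multiple of 8 (assumed meaning of the second field).
 * Caller guarantees len <= MAX_STRING_LEN, so this cannot overflow. */
static uint32_t padded_len(uint32_t len)
{
    return (len + 7u) & ~7u;
}

/* Hardened parser for one length-prefixed string.
 * On success returns 1, sets *out to a NUL-terminated copy (caller frees)
 * and *consumed to the bytes used. On any rejection, including allocation
 * failure, returns 0 and leaves the outputs untouched: a server must fail
 * the request, not terminate, when a client asks for memory it cannot get. */
int parse_string(const uint8_t *pkt, size_t pkt_len, char **out, size_t *consumed)
{
    if (pkt == NULL || pkt_len < 8) return 0;

    uint32_t len    = load_be32(pkt);
    uint32_t padded = load_be32(pkt + 4);

    /* Bound len before any arithmetic on it, so len + 1 can never wrap. */
    if (len > MAX_STRING_LEN) return 0;
    /* The two fields must agree with each other. */
    if (padded != padded_len(len)) return 0;
    /* The padded bytes must actually be present in the packet. */
    if (padded > pkt_len - 8) return 0;

    /* Allocation and copy are sized from the same validated length. */
    char *buf = malloc((size_t)len + 1u);
    if (buf == NULL) return 0;
    memcpy(buf, pkt + 8, len);
    buf[len] = '\0';

    *out = buf;
    *consumed = 8u + (size_t)padded;
    return 1;
}

/* Constructed sample packets (not captured traffic). */

/* Well-formed: len 5, padded 8, "hello" plus 3 pad bytes. Returns 1 if
 * the parser accepts it and yields "hello" consuming 16 bytes. */
int demo_valid(void)
{
    static const uint8_t pkt[16] = {0,0,0,5, 0,0,0,8, 'h','e','l','l','o',0,0,0};
    char *s = NULL; size_t used = 0;
    if (!parse_string(pkt, sizeof pkt, &s, &used)) return 0;
    int ok = (strcmp(s, "hello") == 0) && used == 16;
    free(s);
    return ok;
}

/* Length field 0xffffffff with a small padded size: the value the advisory
 * describes. Returns 1 if the hardened parser rejects it untouched. */
int demo_wrapped_length_rejected(void)
{
    static const uint8_t pkt[16] = {0xff,0xff,0xff,0xff, 0,0,0,8,
                                    'A','A','A','A','A','A','A','A'};
    char *s = NULL; size_t used = 0;
    return parse_string(pkt, sizeof pkt, &s, &used) == 0 && s == NULL;
}

/* Padded size claims 8 bytes but only 4 follow the header. Returns 1 if
 * the parser rejects it instead of reading past the packet. */
int demo_truncated_rejected(void)
{
    static const uint8_t pkt[12] = {0,0,0,5, 0,0,0,8, 'h','e','l','l'};
    char *s = NULL; size_t used = 0;
    return parse_string(pkt, sizeof pkt, &s, &used) == 0 && s == NULL;
}

int main(void)
{
    printf("naive size for 0xffffffff: %u\n", naive_alloc_size(0xffffffffu));
    printf("valid packet accepted:     %d\n", demo_valid());
    printf("wrapped length rejected:   %d\n", demo_wrapped_length_rejected());
    printf("truncated packet rejected: %d\n", demo_truncated_rejected());
    return 0;
}
```

The order of the checks matters: the cap on len comes first so that every
later computation (len + 1, rounding to 8) is on a bounded value, and the
padded size is checked against the bytes actually received rather than
trusted as the copy length.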


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/visibroken.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
