[Full-disclosure] Heap overflow in Borland VisiBroker Smart Agent 08.00.00.C1.03

From: Luigi Auriemma (aluigi@autistici.org)
Date: Mon Mar 03 2008 - 13:54:25 CST


#######################################################################

                             Luigi Auriemma

Application: Borland VisiBroker Smart Agent
              http://www.borland.com/visibroker/
Versions: <= 08.00.00.C1.03
Platforms: Windows
Bug: heap overflow
Exploitation: remote
Date: 03 Mar 2008
Author: Luigi Auriemma
              e-mail: aluigi@autistici.org
              web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"Borland® VisiBroker® is the most widely deployed CORBA ORB
infrastructure product on the market, with more than 30 million
licenses in use. Its robust CORBA-based environment makes it ideal for
developing and deploying distributed computing applications."

Smart Agent (osagent.exe) is a program that provides ORB object
location and failure detection services. It is an essential component
that allows remote and local administrators (using the Borland
VisiBroker Console) to manage and locate the servers in the domain.

#######################################################################

======
2) Bug
======

Smart Agent binds UDP port 14000 plus one UDP port and one TCP port
that change at every launch (the first free ports the program finds
to bind).

The protocol used on these three ports (so all three are exploitable)
includes the handling of strings composed of a 32-bit number giving
the length of the string, followed by a second 32-bit number giving
the size the string occupies in the packet, padded to an 8-byte
boundary.

It's enough to set the first number to 0xffffffff: the program
allocates 0xffffffff + 1 bytes, which wraps to an allocation of
0 bytes, and then calls
strncpy(allocated_memory, our_string, our_padded_size), which lets an
attacker crash the service or possibly execute malicious code.

There is also a secondary, minor vulnerability: the server terminates
automatically if the amount of memory requested by the client cannot
be allocated.
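The following C program is an added illustration written for this page;
it is not Auriemma's proof of concept nor Borland's code. It reconstructs
the string layout the advisory describes (32-bit length, 32-bit padded
size, then the bytes), shows in alloc_size_wraps() why a length of
0xffffffff turns the len + 1 allocation into a zero-byte buffer, and
beside it gives a parse_string() that a defender would write instead:
it rejects the wrapping length, caps the length at an assumed
application limit (which also removes the attacker-chosen allocation
that triggers the termination described above), cross-checks the padded
size against the length, and copies only len bytes. The little-endian
byte order, the MAX_STRING limit and the three sample packets are all
assumptions or constructed data, not taken from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of one length-prefixed string, reconstructed from the
 * advisory's description (assumption: real osagent framing may differ):
 *   uint32 len     - number of characters in the string
 *   uint32 padded  - bytes the string occupies in the packet, len rounded
 *                    up to a multiple of 8
 *   byte[padded]   - the characters plus padding
 * Byte order is assumed little-endian here. */

#define MAX_STRING 4096u   /* assumed application-level limit, not from the advisory */

enum {
    STR_OK = 0,
    STR_ERR_TRUNC,     /* packet shorter than the header or the declared padded size */
    STR_ERR_WRAP,      /* len + 1 wraps to 0: the allocation-size bug from the advisory */
    STR_ERR_TOOBIG,    /* len above the limit (also avoids the attacker-driven alloc failure) */
    STR_ERR_MISMATCH   /* padded size does not match len rounded up to 8 */
};

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The allocation the advisory describes is len + 1 bytes computed in
 * 32-bit arithmetic; for len == 0xffffffff the result is 0, so a later
 * strncpy() bounded by the padded size writes past a zero-byte buffer. */
int alloc_size_wraps(uint32_t len)
{
    return (uint32_t)(len + 1u) == 0u;
}

/* Hardened parser: validates every field before touching memory. */
int parse_string(const unsigned char *pkt, size_t pktlen, char *out, size_t outcap)
{
    if (pktlen < 8) return STR_ERR_TRUNC;
    uint32_t len = rd32le(pkt);
    uint32_t padded = rd32le(pkt + 4);

    if (alloc_size_wraps(len)) return STR_ERR_WRAP;
    if (len > MAX_STRING || (size_t)len + 1 > outcap) return STR_ERR_TOOBIG;
    /* len <= MAX_STRING here, so rounding up cannot overflow */
    uint32_t expect = (len + 7u) & ~7u;
    if (padded != expect) return STR_ERR_MISMATCH;
    if (pktlen - 8 < padded) return STR_ERR_TRUNC;

    memcpy(out, pkt + 8, len);   /* copy len bytes, never the padded count */
    out[len] = '\0';
    return STR_OK;
}

/* Constructed sample packets (not captured traffic). */
static const unsigned char GOOD_PKT[] = {
    0x05,0x00,0x00,0x00, 0x08,0x00,0x00,0x00, 'h','e','l','l','o',0,0,0 };
static const unsigned char WRAP_PKT[] = {   /* len = 0xffffffff */
    0xff,0xff,0xff,0xff, 0x08,0x00,0x00,0x00, 'A','A','A','A','A','A','A','A' };
static const unsigned char TRUNC_PKT[] = {  /* claims 8 bytes, carries 3 */
    0x05,0x00,0x00,0x00, 0x08,0x00,0x00,0x00, 'h','e','l' };

static char parsed[MAX_STRING + 1];

/* Convenience wrapper that parses into the module-level buffer. */
int parse_sample(const unsigned char *pkt, size_t pktlen)
{
    return parse_string(pkt, pktlen, parsed, sizeof parsed);
}

int main(void)
{
    printf("good:  %d (%s)\n", parse_sample(GOOD_PKT, sizeof GOOD_PKT), parsed);
    printf("wrap:  %d\n", parse_sample(WRAP_PKT, sizeof WRAP_PKT));
    printf("trunc: %d\n", parse_sample(TRUNC_PKT, sizeof TRUNC_PKT));
    return 0;
}
```

The order of the checks matters: the wrap test runs before the size
limit so that a 0xffffffff length is logged as the integer-overflow case
rather than as a merely oversized string, which is the distinction an
IDS rule or a crash triage would want to make.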

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/visibroken.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/