#######################################################################

                             Luigi Auriemma

Application:  3com / H3C Intelligent Management Center (IMC)
              http://www.3com.com/IMC_Enterprise/
Versions:     <= 3.3 SP2 R2606P13
Platforms:    Windows, Linux, Solaris
Bug:          heap overflow in img.exe
Exploitation: remote, versus server
Date:         probably found 18 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"3Com® Intelligent Management Center (IMC) Enterprise Edition is a
self-contained comprehensive management solution, flexible and scalable
enough to meet the needs of advanced Enterprise networks."

The suite is also known under the vendors HP and H3C (the original
developer).


#######################################################################

======
2) Bug
======


img.exe is a service listening on port 8800 and enabled in the default
configuration of IMC.

The service is affected by a heap overflow in the function starting at
address 00409300, where it is possible to force the continuous appending
of data through a loop that calls recv() over a buffer of about
0x00020000 bytes, until execution reaches the following code in ACE.dll,
where an indirect call is made through a pointer taken from controlled
memory:

  10075B11   8B92 68010000    MOV EDX,DWORD PTR DS:[EDX+168]  <= EDX controlled
  10075B17   8D4424 14        LEA EAX,DWORD PTR SS:[ESP+14]
  10075B1B   50               PUSH EAX
  10075B1C   57               PUSH EDI
  10075B1D   8BCE             MOV ECX,ESI
  10075B1F   FFD2             CALL EDX

This is possible due to a couple of integer overflows on the 32-bit
value indicating the amount of data to copy (0xffff8785 is the value
used to exploit the vulnerability): the length passes the size check
but the receive loop keeps appending past the end of the buffer.
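The following C program is an added illustration of the bug class described
above; it is not the code of img.exe, nor the advisory's proof of concept
(imc_4.zip). It assumes one plausible shape of the flaw: the 32-bit length
from the packet is checked with a signed comparison (so 0xffff8785, which is
-30843 as a signed value, passes), and the receive loop then treats the same
value as unsigned and keeps calling recv() at buf+got until got reaches it.
The socket is replaced by a constructed in-memory byte stream, the per-recv()
chunk size of 0x1000 is an assumption, and out-of-bounds writes are recorded
instead of performed so the model itself runs safely.

```c
/* Added example modelling the img.exe receive-loop overflow; not vendor code.
 * Assumptions: signed length check, 0x1000-byte recv() chunks, fake socket. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 0x20000u   /* size of the heap buffer named in the advisory */
#define CHUNK    0x1000u    /* assumed: bytes requested per recv() call */

/* Constructed stand-in for a TCP socket: a byte array read sequentially. */
typedef struct { const uint8_t *data; size_t len, pos; } fake_sock;

static size_t fake_recv(fake_sock *s, uint8_t *out, size_t want)
{
    size_t n = s->len - s->pos;
    if (n > want) n = want;
    if (out) memcpy(out, s->data + s->pos, n);   /* NULL out = write dropped */
    s->pos += n;
    return n;
}

/* Vulnerable check (assumed shape): the length is compared as a signed int,
 * so 0xffff8785 is "negative" and therefore "smaller" than the buffer. */
bool vulnerable_length_ok(uint32_t len)
{
    return (int32_t)len <= (int32_t)BUF_SIZE;
}

/* Hardened check: compare as unsigned against the real buffer size. */
bool hardened_length_ok(uint32_t len)
{
    return len <= BUF_SIZE;
}

/* Models the loop: recv() is called repeatedly and each chunk is appended at
 * buf+got until got >= len or the peer closes. A chunk that would land past
 * the end of buf is not copied; *overflowed is set instead. Returns got. */
size_t receive_loop(fake_sock *s, uint32_t len, uint8_t *buf, bool *overflowed)
{
    uint32_t got = 0;
    *overflowed = false;
    while (got < len) {                 /* unsigned compare: 0xffff8785 is huge */
        uint32_t want = len - got;
        if (want > CHUNK) want = CHUNK;
        uint8_t *dst = (got + want <= BUF_SIZE) ? buf + got : NULL;
        if (dst == NULL) *overflowed = true;
        size_t n = fake_recv(s, dst, want);
        if (n == 0) break;              /* no more data from the peer */
        got += (uint32_t)n;
    }
    return got;
}

/* Runs one packet through the chosen length check and the receive loop.
 * Returns true if the loop would have written past the BUF_SIZE buffer;
 * *received gets the number of bytes the loop consumed. */
bool demo(uint32_t claimed_len, size_t stream_bytes, bool use_hardened_check,
          size_t *received)
{
    uint8_t *stream = calloc(stream_bytes, 1);   /* constructed payload */
    uint8_t *buf    = calloc(BUF_SIZE, 1);       /* the receive buffer */
    fake_sock s = { stream, stream_bytes, 0 };
    bool overflowed = false;
    *received = 0;
    bool ok = use_hardened_check ? hardened_length_ok(claimed_len)
                                 : vulnerable_length_ok(claimed_len);
    if (ok)
        *received = receive_loop(&s, claimed_len, buf, &overflowed);
    free(stream);
    free(buf);
    return overflowed;
}

int main(void)
{
    size_t r;
    bool bad = demo(0xffff8785u, 0x30000, false, &r);
    printf("vulnerable check, len 0xffff8785: received 0x%zx bytes, overflow=%d\n", r, bad);
    bad = demo(0xffff8785u, 0x30000, true, &r);
    printf("hardened check,   len 0xffff8785: received 0x%zx bytes, overflow=%d\n", r, bad);
    return 0;
}
```

The point to take from the model is that the bounds check and the loop must
agree on the signedness of the length; the hardened check also rejects any
length that could make got + want wrap, since it never accepts a value above
BUF_SIZE in the first place.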
#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/imc_4.zip


#######################################################################

======
4) Fix
======


http://www.zerodayinitiative.com/advisories/ZDI-11-170


#######################################################################