#######################################################################

                             Luigi Auriemma

Application:  3com / H3C Intelligent Management Center (IMC)
              http://www.3com.com/IMC_Enterprise/
Versions:     <= 3.3 SP2 R2606P13
Platforms:    Windows, Linux, Solaris
Bug:          stack overflow in tftpserver.exe
Exploitation: remote, versus server
Date:         probably found 19 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"3Com® Intelligent Management Center (IMC) Enterprise Edition is a
self-contained comprehensive management solution, flexible and scalable
enough to meet the needs of advanced Enterprise networks."

The suite is also known under the vendors HP and H3C (the original
developer).


#######################################################################

======
2) Bug
======


tftpserver.exe is a TFTP service running on UDP port 69 and available
in the default configuration of IMC.

The service is affected by a stack overflow caused by the copying of
the transfer mode string (which should be "octet", "netascii" or
"mail") into a small buffer of about 16 bytes, using toupper() to
convert the a-z bytes to capital letters.

Note that on Windows the "stack canary" doesn't allow the execution of
code (Denial of Service only), so only Solaris and Linux are affected
by this vulnerability.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip

  udpsz -C 000100 -b 0x61 SERVER 69 1024


#######################################################################

======
4) Fix
======


http://www.zerodayinitiative.com/advisories/ZDI-11-163


#######################################################################
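
The following is an added example, not code from the advisory or from the vendor: a TFTP request parser in C that checks the transfer mode string of section 2 in place, with a length bound and a case-insensitive comparison, instead of upper-casing it into a fixed-size stack buffer. The function, enum and constant names are assumptions; the packet layout (2-byte opcode, filename, NUL, mode, NUL) is the RRQ/WRQ format of RFC 1350.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

#define MODE_MAX 8   /* longest valid mode, "netascii", is 8 bytes */

enum tftp_mode { MODE_INVALID = -1, MODE_NETASCII, MODE_OCTET, MODE_MAIL };

/* Bounded, case-insensitive match of s[0..len) against an upper-case literal. */
static int mode_eq(const unsigned char *s, size_t len, const char *lit)
{
    if (len != strlen(lit))
        return 0;
    for (size_t i = 0; i < len; i++)
        if (toupper(s[i]) != lit[i])
            return 0;
    return 1;
}

/* Parse an RRQ/WRQ: 2-byte opcode, filename NUL, mode NUL.
 * Returns the mode, or MODE_INVALID for anything malformed or oversized.
 * The mode is never copied: it is measured and compared inside the packet,
 * so no destination buffer exists that a long mode string could overrun. */
enum tftp_mode tftp_request_mode(const unsigned char *pkt, size_t n)
{
    if (n < 4 || pkt[0] != 0 || (pkt[1] != 1 && pkt[1] != 2))
        return MODE_INVALID;

    const unsigned char *name = pkt + 2;
    const unsigned char *nul = memchr(name, 0, n - 2);
    if (nul == NULL || nul == name)
        return MODE_INVALID;                 /* unterminated or empty filename */

    const unsigned char *mode = nul + 1;
    size_t left = n - (size_t)(mode - pkt);
    const unsigned char *end = left ? memchr(mode, 0, left) : NULL;
    if (end == NULL)
        return MODE_INVALID;                 /* unterminated mode string */

    size_t mlen = (size_t)(end - mode);
    if (mlen == 0 || mlen > MODE_MAX)
        return MODE_INVALID;                 /* reject before any per-byte work */

    if (mode_eq(mode, mlen, "NETASCII")) return MODE_NETASCII;
    if (mode_eq(mode, mlen, "OCTET"))    return MODE_OCTET;
    if (mode_eq(mode, mlen, "MAIL"))     return MODE_MAIL;
    return MODE_INVALID;
}
```
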