#######################################################################

                             Luigi Auriemma

Application:  3com / H3C iNode Management Center
Versions:     <= V3.60-E6301
Platforms:    Windows
Bug:          stack overflow
Exploitation: remote, versus server
Date:         probably found 19 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Explanation of the iNodeMngChecker.exe service running on the SSL port 9090:

"The iNode intelligent management center uses this port to listen to the
license check request from clients, and determines whether the clients
require upgrade or the center needs to issue upgrade package according
to the requests."

http://support.3com.com/documents/netmgr/imc/readme_iNode_Mgmt_Center_3.60-E6209.html

#######################################################################

======
2) Bug
======

The iNodeMngChecker.exe service running on port 9090 is vulnerable to
some stack buffer overflows caused by the code starting at address
0040c4eb, which copies the data received through SSL_read (4 kilobytes)
into the 5 fields located above it.

These overflows happen with all the string-related opcodes: 0x14, 0x15,
0x19, 0x1b and 0x1c.

The service uses a stack canary, which is bypassed by forcing another
exception, after which the code execution happens.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/mytoolz/stcppipe.zip
http://aluigi.org/poc/inodemc_1.dat

  stcppipe -Y 2 SERVER 9090 1234
  nc localhost 1234 < inodemc_1.dat

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-11-232

#######################################################################
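As an added illustration of the bug class described in section 2 (this is not the iNodeMngChecker.exe code, which is not public; the request layout of opcode plus 16-bit length plus string, the field capacity FIELD_MAX and all function names are assumptions), the handler below shows the length checks whose absence lets a 4 KB SSL_read buffer overrun a fixed-size stack field:

```c
/* Hypothetical handler for a request of the form [opcode][len_hi][len_lo][string];
 * layout, sizes and names are assumed, not taken from the real service. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RECV_MAX  4096  /* receive buffer size stated in the advisory */
#define FIELD_MAX 64    /* assumed capacity of one fixed stack field */

enum { REQ_OK = 0, REQ_BAD_OPCODE = -1, REQ_TRUNCATED = -2, REQ_TOO_LONG = -3 };

/* Opcodes the advisory lists as carrying a string argument. */
static int is_string_opcode(uint8_t op)
{
    return op == 0x14 || op == 0x15 || op == 0x19 || op == 0x1b || op == 0x1c;
}

/* Hardened copy of the string argument into a fixed-size field. The unsafe
 * pattern behind the bug is memcpy(field, pkt + 3, len) with len trusted from
 * the packet; here len is checked against the bytes actually received and
 * against the field capacity before anything is copied. */
int copy_string_field(const uint8_t *pkt, size_t pkt_len, char field[FIELD_MAX])
{
    if (pkt_len < 3)               return REQ_TRUNCATED;
    if (!is_string_opcode(pkt[0])) return REQ_BAD_OPCODE;
    size_t len = ((size_t)pkt[1] << 8) | pkt[2];
    if (len > pkt_len - 3)         return REQ_TRUNCATED; /* claims more than received */
    if (len >= FIELD_MAX)          return REQ_TOO_LONG;  /* the overflow case */
    memcpy(field, pkt + 3, len);
    field[len] = '\0';
    return REQ_OK;
}

/* Builds a constructed request whose string is `len` bytes of 'A';
 * returns the number of bytes written, or 0 if it does not fit. */
size_t build_request(uint8_t op, size_t len, uint8_t *out, size_t out_cap)
{
    if (len > 0xFFFF || 3 + len > out_cap) return 0;
    out[0] = op;
    out[1] = (uint8_t)(len >> 8);
    out[2] = (uint8_t)(len & 0xFF);
    memset(out + 3, 'A', len);
    return 3 + len;
}
```

A request built with build_request(0x14, 4000, ...) fills most of the 4 KB buffer and is rejected with REQ_TOO_LONG instead of being copied into the field.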