#######################################################################

                             Luigi Auriemma

Application:  Quest NetVault SmartDisk
              http://www.bakbone.com/netvault_smartdisk.php
Versions:     <= 1.2.2
Platforms:    Windows, Linux
Bug:          integer overflow
Exploitation: remote, versus server
Date:         28 May 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


NetVault SmartDisk is a backup service.


#######################################################################

======
2) Bug
======


percolatorslave.exe is a service listening on port 37452.

The service is affected by an integer overflow in the function that
handles the sequence of types/values contained in a packet. The
function reads the number of entries from the packet, multiplies it by
16, adds a fixed 0x48 bytes and allocates that much memory; the values
from the packet are then written into this buffer.

From libnvbasics.dll (base address 66fc0000):

  66FD2AD6  |> 83C5 FF         ADD EBP,-1                    ; amount of entries
  66FD2AD9  |. C1E5 04         SHL EBP,4                     ; * 16
  66FD2ADC  |. 83C5 48         ADD EBP,48                    ; + 0x48
  66FD2ADF  |. 6A 00           PUSH 0
  66FD2AE1  |. 55              PUSH EBP
  66FD2AE2  |. E8 19F3FEFF     CALL libnvbas.MemAllocate     ; malloc, other bytes are added to the size

The multiplication is performed in 32-bit arithmetic without any check,
so an entry count of 0x10000000 or more makes the product wrap around
and the resulting allocation is much smaller than the amount of data
that is subsequently written into it (a heap-based buffer overflow).

The proof-of-concept is very basic and only meant to test the bug: it
does not "play" with the memory through other packets and concurrent
connections, nor does it allocate additional memory for executing code.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/percolator_1.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
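The size calculation from the disassembly in section 2, reproduced in C so the wrap can be checked on concrete entry counts, with a hardened version next to it. This is an added example, not code from the advisory, from the proof-of-concept or from the product: the constants 16 and 0x48 come from the listing above, while the function names, the little-endian 32-bit count field and the packet layout used in main are assumptions made for illustration and are not the real wire format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants taken from the disassembly; everything else in this file
 * (function names, packet layout) is assumed for illustration. */
#define ENTRY_SIZE   16u     /* SHL EBP,4 : 16 bytes per entry          */
#define HEADER_SIZE  0x48u   /* ADD EBP,48: fixed bytes added on top     */

/* Allocation size as libnvbasics computes it, in 32-bit arithmetic:
 * (count - 1) * 16 + 0x48.  Each step can wrap, so a huge count yields
 * a tiny allocation. */
uint32_t vuln_alloc_size(uint32_t count)
{
    uint32_t n = count - 1u;   /* ADD EBP,-1 (underflows for count == 0)     */
    n <<= 4;                   /* SHL EBP,4  (wraps for count > 0x0FFFFFFF)  */
    n += HEADER_SIZE;          /* ADD EBP,48 (can wrap once more near the top) */
    return n;
}

/* Bytes that a writer emitting (count - 1) entries of 16 bytes after a
 * 0x48-byte header really needs, computed without truncation. */
uint64_t needed_bytes(uint32_t count)
{
    return (uint64_t)(count - 1u) * ENTRY_SIZE + HEADER_SIZE;
}

/* True when the truncated size is smaller than what gets written, i.e.
 * the heap buffer is undersized and the copy loop runs past its end. */
bool alloc_wraps(uint32_t count)
{
    return (uint64_t)vuln_alloc_size(count) < needed_bytes(count);
}

/* Hardened size computation: reject counts that would underflow or
 * wrap, and do the arithmetic only once it provably fits in 32 bits. */
bool safe_alloc_size(uint32_t count, uint32_t *out)
{
    if (count == 0)
        return false;                                  /* count - 1 would underflow */
    uint32_t entries = count - 1u;
    if (entries > (UINT32_MAX - HEADER_SIZE) / ENTRY_SIZE)
        return false;                                  /* entries * 16 + 0x48 would wrap */
    *out = entries * ENTRY_SIZE + HEADER_SIZE;
    return true;
}

/* Read the entry count as a little-endian 32-bit field at offset 'off'.
 * Offset and byte order are assumptions, not the real protocol. */
bool read_count(const uint8_t *pkt, size_t len, size_t off, uint32_t *count)
{
    if (len < off + 4)
        return false;
    *count = (uint32_t)pkt[off]            | (uint32_t)pkt[off + 1] << 8 |
             (uint32_t)pkt[off + 2] << 16  | (uint32_t)pkt[off + 3] << 24;
    return true;
}

int main(void)
{
    /* Constructed packets: 4 placeholder header bytes, then the count. */
    const uint8_t benign[]  = { 0, 0, 0, 0, 0x05, 0x00, 0x00, 0x00 };  /* count = 5          */
    const uint8_t hostile[] = { 0, 0, 0, 0, 0x01, 0x00, 0x00, 0x10 };  /* count = 0x10000001 */
    const uint8_t *pkts[] = { benign, hostile };
    const size_t   lens[] = { sizeof benign, sizeof hostile };

    for (int i = 0; i < 2; i++) {
        uint32_t count, safe;
        if (!read_count(pkts[i], lens[i], 4, &count))
            continue;
        printf("count=0x%08x vuln_size=%u needed=%llu wraps=%d hardened=%s\n",
               count, vuln_alloc_size(count),
               (unsigned long long)needed_bytes(count), alloc_wraps(count),
               safe_alloc_size(count, &safe) ? "ok" : "rejected");
    }
    return 0;
}
```

With the hostile count 0x10000001 the product (0x10000000 * 16) is exactly 2^32 and truncates to zero, so the service would allocate only 0x48 bytes for data that needs over 4 GiB; the hardened check rejects any count above (UINT32_MAX - 0x48) / 16 before the multiplication happens, which is the test a fix would have to add in front of MemAllocate.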