Subject: [NT] BakBone NetVault Reporter Scheduler Heap Overflow Vulnerability
Date: 26 Jul 2007 18:19:56 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  BakBone NetVault Reporter Scheduler Heap Overflow Vulnerability
------------------------------------------------------------------------


SUMMARY

"NetVault Report Manager provides file system and backup reporting for 
single or multi-server environments from one common interface." 
(http://www.bakbone.com/product.aspx?id=1404) A vulnerability in BakBone 
NetVault Reporter allows arbitrary code execution on the vulnerable system.

DETAILS

Vulnerable Systems:
 * BakBone NetVault Reporter 3.5 without Update4 installed.

The specific flaw exists both within the scheduler client 
(clsscheduler.exe) listening on TCP port 7978 and the scheduler server 
(srvscheduler.exe) listening on TCP port 7977. In both cases an 
exploitable heap corruption can occur during the processing of overly long 
filename arguments to the "GET" and "POST" requests. Code execution is 
possible under the context of the SYSTEM user.

While scanning for a terminating whitespace character (space, "\t", "\n" 
or "\r"), the received bytes are stored in a heap chunk. Because the index 
into this heap chunk is never compared against its size, an overflow occurs 
when a long string containing none of the above characters is encountered. 
The vulnerable code appears below.

    0x00466C07 mov     al, [esi+ebp]    ; byte just stored in the chunk
    0x00466C0A cmp     al, 20h          ; space?
    0x00466C0C jz      short loc_466C84 ; yes: token complete
    0x00466C0E cmp     al, 9            ; tab?
    0x00466C10 jz      short loc_466C84
    0x00466C12 cmp     al, 0Ah          ; LF?
    0x00466C14 jz      short loc_466C84
    0x00466C16 cmp     al, 0Dh          ; CR?
    0x00466C18 jz      short loc_466C84
    0x00466C1A push    1
    0x00466C1C inc     esi              ; advance index; never compared with chunk size
    0x00466C1D push    1
    0x00466C1F lea     edx, [esi+ebp]   ; heap chunk
    0x00466C22 push    edx              ; readfds
    0x00466C23 mov     ecx, edi
    0x00466C25 call    sub_4645C0       ; recv 1 byte
    0x00466C2A cmp     eax, 0FFFFFFFFh  ; recv failed?
    0x00466C2D mov     [ebx+272Ch], eax
    0x00466C33 jnz     short loc_466C07 ; loop
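The listing above is easier to reason about as C. The block below is an added illustration written for this page; it is not BakBone's code and not part of the ZDI advisory. It models the same byte-at-a-time read loop against a fixed-size chunk, first without a bounds check (the pattern in the disassembly) and then with the bound the fix needs. The socket is replaced by a constructed in-memory byte stream, recv1() stands in for the one-byte recv call (sub_4645C0), and the chunk size of 16 bytes, the guard region, and all function names are assumptions chosen for the demo, not values taken from the product.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a socket: a request line already in memory,
 * positioned just after the "GET " / "POST " method token. */
struct stream { const unsigned char *data; size_t len; size_t pos; };

/* One-byte receive, modelling sub_4645C0: stores a byte and returns 1,
 * or returns -1 when nothing is left (the 0FFFFFFFFh check in the listing). */
static int recv1(struct stream *s, unsigned char *out) {
    if (s->pos >= s->len) return -1;
    *out = s->data[s->pos++];
    return 1;
}

/* The four terminators the disassembly compares against: 20h, 9, 0Ah, 0Dh. */
static int is_delim(unsigned char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

#define CHUNK 16   /* assumed size of the heap chunk holding the filename */
#define GUARD 16   /* bytes placed after the chunk so a spill can be observed */

/* Vulnerable pattern: keep storing bytes until a delimiter, with no
 * comparison of the index against CHUNK. For the demo the chunk is the
 * first CHUNK bytes of a larger region, so the overrun lands in the guard
 * bytes rather than in real heap metadata; the final 'break' only keeps the
 * demo inside that region and has no counterpart in the vulnerable code. */
static size_t read_token_unchecked(struct stream *s, unsigned char *region) {
    size_t i = 0;
    unsigned char c;
    while (recv1(s, &c) != -1 && !is_delim(c)) {
        region[i++] = c;                 /* no check that i < CHUNK */
        if (i >= CHUNK + GUARD) break;
    }
    return i;
}

/* Hardened form: the caller's capacity bounds the loop, and an over-long
 * token is rejected before anything is written past the chunk. */
static int read_token_bounded(struct stream *s, unsigned char *chunk,
                              size_t cap, size_t *out_len) {
    size_t i = 0;
    unsigned char c;
    while (recv1(s, &c) != -1 && !is_delim(c)) {
        if (i + 1 >= cap) return -1;     /* keep room for the terminating NUL */
        chunk[i++] = c;
    }
    chunk[i] = '\0';
    *out_len = i;
    return 0;
}

/* Feeds one request line to the unchecked reader and reports whether the
 * guard bytes after the chunk were overwritten (1) or left intact (0). */
int guard_clobbered(const char *request) {
    unsigned char region[CHUNK + GUARD];
    size_t i;
    struct stream s = { (const unsigned char *)request, strlen(request), 0 };
    memset(region, 0xAA, sizeof region);
    read_token_unchecked(&s, region);
    for (i = CHUNK; i < sizeof region; i++)
        if (region[i] != 0xAA) return 1;
    return 0;
}

/* Same request through the bounded reader: 0 = accepted, -1 = rejected. */
int bounded_result(const char *request) {
    unsigned char chunk[CHUNK];
    size_t n;
    struct stream s = { (const unsigned char *)request, strlen(request), 0 };
    return read_token_bounded(&s, chunk, sizeof chunk, &n);
}

int main(void) {
    /* Constructed request lines: a short filename and an over-long one. */
    const char *ok  = "index.html HTTP/1.0\r\n";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.0\r\n";
    printf("short filename: guard clobbered=%d, bounded=%d\n",
           guard_clobbered(ok), bounded_result(ok));
    printf("long filename:  guard clobbered=%d, bounded=%d\n",
           guard_clobbered(bad), bounded_result(bad));
    return 0;
}
```

The point of the guard region is that it makes the defect observable without corrupting a real allocator: any filename longer than the chunk flips guard_clobbered() to 1 in the unchecked reader, while the bounded reader returns -1 for the same input and never touches memory beyond the chunk. In a real service the equivalent check is the one the fix has to add, and a length limit on the request line at the network edge gives defenders a cheap way to spot or drop such requests before they reach the parser.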

Vendor Response:
BakBone has addressed this issue in NetVault Report Manager v3.5 Update4, 
available for download from:
http://www.bakbone.com/products/downloads/default.asp

Disclosure Timeline:
 * 2007.02.23 - Vulnerability reported to vendor
 * 2007.07.25 - Public release of advisory

CVE Information:
CVE-2007-3911: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3911


ADDITIONAL INFORMATION

The information has been provided by ZDI.
The original article can be found at:
http://www.zerodayinitiative.com/advisories/ZDI-07-044.html
