Borland VisiBroker Smart Agent versions 08.00.00.C1.03 and below suffer from a heap overflow vulnerability.
eaa8cfd6dea2e6d563d07003ca0a81015be547bd9c95a51d12516cb10949afe4
#######################################################################
Luigi Auriemma
Application: Borland VisiBroker Smart Agent
http://www.borland.com/visibroker/
Versions: <= 08.00.00.C1.03
Platforms: Windows
Bug: heap overflow
Exploitation: remote
Date: 03 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
>From vendor's website:
"Borland® VisiBroker® is the most widely deployed CORBA ORB
infrastructure product on the market, with more than 30 million
licenses in use. Its robust CORBA-based environment makes it ideal for
developing and deploying distributed computing applications."
Smart Agent (osagent.exe) is a program which provides ORB object
location and failure detection services, it's an essential component
for allowing remote and local administrators (Borland VisiBroker
Console) to manage and locate the servers in the domain.
#######################################################################
======
2) Bug
======
Smart Agent binds the UDP port 14000 and an UDP and TCP port which
changes at every launch (the first free ports to bind found by the
program).
The protocol used on these three ports (so all exploitables) includes
the handling of strings that are composed by a 32 bit number which
tells how much long is the string and a subsequent 32 bit number which
specifies the size in the packet padded to 8.
It's enough to set 0xffffffff as first number to cause the allocation
of 0 bytes of memory (0xffffffff + 1) and the subsequent usage of
strncpy(allocated_memory, our_string, our_padded_size) which can allow
an attacker to crash the service or possibly executing malicious code.
Exists also a secondary minor vulnerability, in fact the server is
automatically terminated if the amount of memory specified by the
client can't be allocated.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/visibroken.zip
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed