Micro Focus Rumba+ v9.4 Multiple Stack Buffer Overflow Vulnerabilities Vendor: Micro Focus Product web page: https://www.microfocus.com Affected version: 9.4.4058.0 and 9.4.0 SP0 Patch0 Affected products/tools : Rumba Desktop 9.4 Rumba 9.4 Trace Rumba 9.4 APPC Configuration Rumba 9.4 AS400 Communications Rumba 9.4 AS400 File Transfer Rumba 9.4 Communication Monitor Rumba 9.4 Engine Rumba 9.4 Screen Designer Rumba 9.4 Submit Remote Command ;] Rumba FTP Client 4.5 Summary: Rumba is a terminal emulation solution with UI (User Interface) modernization properties. Rumba and Rumba+ allows users to connect to so-called 'legacy systems' (typically a mainframe) via desktop, web and mobile. Desc: Rumba+ software package suffers from multiple stack buffer overflow vulnerabilities when parsing large amount of bytes to several functions in several OLE controls. An attacker can gain access to the system of the affected node and execute arbitrary code. Tested on: Microsoft Windows 7 Ultimate SP1 (EN) Microsoft Windows 7 Professional SP1 (EN) Microsoft Windows 7 Enterprise SP1 (EN) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5327 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5327.php 03.02.2016 -- ---------------------------- 1. MacroName (WdMacCtl.ocx): ---------------------------- === (1d78.52c): Access violation - code c0000005 (!!! second chance !!!) *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\ntdll.dll - eax=00000000 ebx=45454545 ecx=74d72a9c edx=42424242 esi=0032ddc0 edi=00000000 eip=770a15fe esp=0032dd58 ebp=0032ddac iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 ntdll!NtRaiseException+0x12: 770a15fe 83c404 add esp,4 0:000> !exchain 0032e7cc: 45454545 Invalid exception stack at 44444444 0:000> d 0032e7cc 0032e7cc 44 44 44 44 45 45 45 45-43 43 43 43 43 43 43 43 DDDDEEEECCCCCCCC 0032e7dc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 0032e7ec 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 0032e7fc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 0032e80c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 0032e81c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 0032e82c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 0032e83c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC 0:000> kb ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 0032ddac 77147415 0032ddc0 0032de10 00000000 ntdll!NtRaiseException+0x12 0032e0e0 7711071a 45454545 fffffffe fffffffe ntdll!RtlRemoteCall+0x236 0032e130 770db3f5 45454545 0000004d 0032e82c ntdll!RtlUlonglongByteSwap+0x1327a 0032e1b0 77090133 0032e1c8 0032e218 0032e1c8 ntdll!LdrRemoveLoadAsDataTable+0xcac 0032e7b0 41414141 42424242 43434343 43434343 ntdll!KiUserExceptionDispatcher+0xf 0032e7b4 42424242 43434343 43434343 43434343 0x41414141 0032e7b8 43434343 43434343 43434343 43434343 0x42424242 0032e7bc 43434343 43434343 43434343 44444444 0x43434343 0032e7c0 43434343 43434343 44444444 45454545 0x43434343 0032e7c4 43434343 44444444 45454545 43434343 0x43434343 0032e7c8 44444444 45454545 43434343 43434343 0x43434343 0032e7cc 45454545 43434343 43434343 43434343 0x44444444 0032e7d0 43434343 43434343 43434343 43434343 0x45454545 0032e7d4 43434343 43434343 43434343 43434343 0x43434343 0032e7d8 43434343 43434343 43434343 43434343 0x43434343 0032e7dc 43434343 43434343 43434343 43434343 0x43434343 ----------------------------- 2. NetworkName (iconfig.dll): ----------------------------- === STATUS_STACK_BUFFER_OVERRUN encountered (2958.3e0): Break instruction exception - code 80000003 (first chance) *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\syswow64\kernel32.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\SysWOW64\MSVCR120.dll - eax=00000000 ebx=616c4480 ecx=76280484 edx=003ee021 esi=00000000 edi=003ee794 eip=76280265 esp=003ee268 ebp=003ee2e4 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 kernel32!GetProfileStringW+0x12cc9: 76280265 cc int 3 .. 0:000> d esp+400 003ee668 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB 003ee678 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB 003ee688 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB 003ee698 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB 003ee6a8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB 003ee6b8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB 003ee6c8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB 003ee6d8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB 0:000> u kernel32!GetProfileStringW+0x12cc9: 76280265 cc int 3 76280266 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh 7628026d e9c574feff jmp kernel32!UnhandledExceptionFilter+0x40 (76267737) 76280272 33c0 xor eax,eax 76280274 40 inc eax 76280275 c3 ret 76280276 8b65e8 mov esp,dword ptr [ebp-18h] 76280279 68090400c0 push 0C0000409h 0:000> dds 003ee6e8 42424242 003ee6ec 42424242 003ee6f0 42424242 003ee6f4 42424242 003ee6f8 42424242 003ee6fc 42424242 003ee700 42424242 003ee704 42424242 003ee708 42424242 003ee70c 42424242 003ee710 42424242 003ee714 42424242 003ee718 42424242 003ee71c 42424242 003ee720 42424242 003ee724 42424242 003ee728 42424242 003ee72c 42424242 003ee730 42424242 003ee734 42424242 003ee738 42424242 003ee73c 42424242 003ee740 1e4cd74b 003ee744 003ec760 003ee748 7594d140 OLEAUT32!DispCallFunc+0xa6 003ee74c 006a191c 003ee750 02f50024 003ee754 006a1a7c 003ee758 001df530 003ee75c 003ee754 003ee760 003ee7f0 003ee764 7594cfba OLEAUT32!VarCmp+0xd35 ------------------------ 3. CPName (iconfig.dll): ------------------------ ------------------------------ 4. PrinterName (ProfEdit.dll): ------------------------------ === (23f4.4c2c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll - eax=baadf00d ebx=5fab4b10 ecx=baadf00d edx=003857b8 esi=0030e7b8 edi=0030e66c eip=5fa63a60 esp=0030e5fc ebp=0030e604 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216 ProfEdit+0x13a60: 5fa63a60 c6808401000000 mov byte ptr [eax+184h],0 ds:002b:baadf191=?? ---------------------- 5. Data (FtxBIFF.dll): ---------------------- === (1164.1dd4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\AS400\FtxBIFF.dll - eax=00000000 ebx=56c0a928 ecx=757bd0c4 edx=fffff000 esi=baadf00d edi=0036eba8 eip=56bf3011 esp=0033ddc8 ebp=0033ddd4 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 FtxBIFF+0x3011: 56bf3011 837e2020 cmp dword ptr [esi+20h],20h ds:002b:baadf02d=???????? 0:000> d esp 0033ddc8 f0 dd 33 00 0d f0 ad ba-0d f0 ad ba 48 eb 36 00 ..3.........H.6. 0033ddd8 2c 83 bf 56 02 00 00 00-03 00 00 00 00 00 00 00 ,..V............ 0033dde8 f0 dd 33 00 40 eb 36 00-41 41 41 41 41 41 41 41 ..3.@.6.AAAAAAAA 0033ddf8 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0033de08 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0033de18 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0033de28 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0033de38 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA ----------------------------------- 6. Serialized (NMSecComParams.dll): ----------------------------------- === (1508.1a9c): Stack overflow - code c00000fd (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\OLEAUT32.dll - eax=00362000 ebx=1003efa0 ecx=001d369c edx=0045e600 esi=0045e8b0 edi=0045e6d4 eip=100366b7 esp=0045e640 ebp=0045e684 iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 NMSecComParams!DllUnregisterServer+0x4617: 100366b7 8500 test dword ptr [eax],eax ds:002b:00362000=00000000 --------------------------------- 7. UserName (NMSecComParams.dll): --------------------------------- === (1620.16bc): Stack overflow - code c00000fd (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\OLEAUT32.dll - eax=000d2000 ebx=1003edd0 ecx=00000000 edx=003e390a esi=001ceba8 edi=001cea5c eip=100366b7 esp=001ce9e4 ebp=001cea0c iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 NMSecComParams!DllUnregisterServer+0x4617: 100366b7 8500 test dword ptr [eax],eax ds:002b:000d2000=00000000 ------------------------- 8. LUName (ProfEdit.dll): ------------------------- === (f10.1cb8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll - eax=baadf00d ebx=55944ba4 ecx=baadf00d edx=005c32b0 esi=0022e738 edi=0022e5ec eip=558f3a60 esp=0022e578 ebp=0022e580 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216 ProfEdit+0x13a60: 558f3a60 c6808401000000 mov byte ptr [eax+184h],0 ds:002b:baadf191=?? ------------------------- 9. newVal (FTPSFtp.dll): ------------------------- === STATUS_STACK_BUFFER_OVERRUN encountered (608.f74): Break instruction exception - code 80000003 (first chance) *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\kernel32.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\MSVCR120.dll - eax=00000000 ebx=10027e44 ecx=757d047c edx=0039dc45 esi=00000000 edi=0039e594 eip=757d025d esp=0039de8c ebp=0039df08 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 kernel32!GetProfileStringW+0x12cc1: 757d025d cc int 3 ---------------------- 10. Host (FTP Client): ---------------------- For the RUMBA FTP Client PoC, copy ~300 bytes array and paste it in the Host field when creating a new session.