#######################################################################

                             Luigi Auriemma

Application:  Borland VisiBroker Smart Agent
              http://www.borland.com/visibroker/
Versions:     <= 08.00.00.C1.03
Platforms:    Windows
Bug:          heap overflow
Exploitation: remote
Date:         03 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"Borland® VisiBroker® is the most widely deployed CORBA ORB infrastructure product on the market, with more than 30 million licenses in use. Its robust CORBA-based environment makes it ideal for developing and deploying distributed computing applications."

Smart Agent (osagent.exe) is a program which provides ORB object location and failure detection services; it is an essential component that allows remote and local administrators (Borland VisiBroker Console) to manage and locate the servers in the domain.

#######################################################################

======
2) Bug
======

Smart Agent binds UDP port 14000 plus one UDP and one TCP port whose numbers change at every launch (the first free ports the program finds). The protocol used on these three ports (so all three are exploitable) includes the handling of strings composed of a 32-bit number which tells how long the string is, followed by a 32-bit number which specifies its size in the packet, padded to 8.

It is enough to set 0xffffffff as the first number to cause the allocation of 0 bytes of memory (0xffffffff + 1 wraps to 0) and the subsequent use of strncpy(allocated_memory, our_string, our_padded_size), which can allow an attacker to crash the service or possibly execute malicious code.
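The following is an added example, not code from the advisory or from Borland: a defensive parser for the length-prefixed string format described above, showing the checks that the vulnerable length handling lacks. It assumes big-endian fields, that the padded size must be a multiple of 8 covering the string plus a terminator, and a hypothetical VB_MAX_STRING bound; the sample packets are constructed, not captured.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sane upper bound for one string; not from the advisory. */
#define VB_MAX_STRING 0x10000u
enum vb_status { VB_OK = 0, VB_TRUNCATED = 1, VB_BAD_LENGTH = 2, VB_BAD_PADDING = 3 };

/* Big-endian 32-bit read; byte order is an assumption, not from the advisory. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Reads one [len][padded][bytes...] string at pkt[*off]. On VB_OK, *out is a
 * NUL-terminated heap copy and *off has advanced past the padded payload.
 * Every check runs before any arithmetic that could wrap, so 0xffffffff is
 * rejected as a length instead of becoming a 0-byte allocation. */
enum vb_status vb_read_string(const uint8_t *pkt, size_t pktlen, size_t *off, char **out)
{
    *out = NULL;
    if (*off > pktlen || pktlen - *off < 8) return VB_TRUNCATED;
    uint32_t len = be32(pkt + *off);
    uint32_t padded = be32(pkt + *off + 4);
    if (len > VB_MAX_STRING) return VB_BAD_LENGTH;        /* checked before len + 1 */
    /* The copy size also comes from the packet: 8-aligned, covers len plus a
     * terminator, and does not run past the bytes actually received. */
    if (padded % 8 != 0 || padded < (uint64_t)len + 1) return VB_BAD_PADDING;
    if (padded > pktlen - *off - 8) return VB_TRUNCATED;
    char *buf = malloc((size_t)len + 1);
    if (!buf) return VB_BAD_LENGTH;   /* report failure instead of exiting the daemon */
    memcpy(buf, pkt + *off + 8, len);  /* copy len bytes, never the padded size */
    buf[len] = '\0';
    *off += 8 + padded;
    *out = buf;
    return VB_OK;
}

/* Constructed sample packets (not captured traffic): a valid 5-byte string,
 * and the 0xffffffff length from the advisory with an 8-byte padded size. */
static const uint8_t good_pkt[] = { 0,0,0,5, 0,0,0,8, 'h','e','l','l','o',0,0,0 };
static const uint8_t evil_pkt[] = { 0xff,0xff,0xff,0xff, 0,0,0,8, 'A','A','A','A','A','A','A','A' };

/* Returns 1 if the parser accepts good_pkt and rejects evil_pkt, else 0. */
int vb_demo(void)
{
    size_t off = 0; char *s = NULL;
    int ok = vb_read_string(good_pkt, sizeof good_pkt, &off, &s) == VB_OK
          && s != NULL && strcmp(s, "hello") == 0 && off == sizeof good_pkt;
    free(s);
    off = 0;
    ok = ok && vb_read_string(evil_pkt, sizeof evil_pkt, &off, &s) == VB_BAD_LENGTH && s == NULL;
    return ok;
}
```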
A secondary, minor vulnerability also exists: the server terminates itself automatically if the amount of memory specified by the client cannot be allocated.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/visibroken.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org