Add module for ZDI-14-160 Ericom AccessNow Server Buffer Overflow #3460
Conversation
I got this
@jvazquez-r7 Win2k3 to avoid ASLR issues?
'Name' => 'Ericom AccessNow Server Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in Ericom AccessNow Server. The
vulnerability is due to an insecure usage of vsprintf with used controlled data,
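Review bot: "used controlled data" in the Description should read "user controlled data", and "stack based" is conventionally hyphenated as "stack-based"; both are one-word fixes to make before landing.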
"user controlled data", not "used controlled data" -- I can clean up on landing
thanks!
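The bug class the module description names, vsprintf formatting user-controlled data into a fixed-size stack buffer, shown as an added illustration that is not the module's code nor Ericom's. The function names, the 64-byte buffer, the log format string and the 200-byte sample username are assumptions chosen for the demo; the hardened form swaps in vsnprintf and treats a return value of at least the buffer size as the truncation that would have been an overflow.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size for the demo (not taken from the real server). */
#define LOG_BUF 64

/* Vulnerable shape (hypothetical helper name). vsprintf has no bound: it
 * writes however many bytes the format and arguments produce, so a long
 * user string overruns 'buf' and whatever sits above it in the frame
 * (saved registers, return address). Kept for contrast; the demo never
 * calls it with oversized input. */
static int log_unsafe(char *buf, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsprintf(buf, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened replacement: vsnprintf stops at size-1 bytes and always
 * NUL-terminates. Its return value is the length the complete output would
 * have had, so n >= size means the input was truncated, i.e. exactly the
 * input that would have overflowed log_unsafe. */
static int log_safe(char *buf, size_t size, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Answers "would this username overflow a LOG_BUF stack buffer under the
 * unsafe version?" without ever performing the overflow. */
static int would_overflow(const char *user) {
    char buf[LOG_BUF];
    int n = log_safe(buf, sizeof buf, "client %s disconnected", user);
    return n >= (int)sizeof buf;
}

/* Length actually stored by the safe version for the same input. */
static size_t safe_len_after(const char *user) {
    char buf[LOG_BUF];
    log_safe(buf, sizeof buf, "client %s disconnected", user);
    return strlen(buf);
}

/* Constructed sample input: a 200-byte username standing in for attacker
 * data. Returns 1 if the unsafe version would have overflowed. */
static int demo_oversized(void) {
    char user[201];
    memset(user, 'A', 200);
    user[200] = '\0';
    return would_overflow(user);
}

/* Same constructed input through the hardened path: capped at LOG_BUF-1. */
static size_t demo_oversized_safe_len(void) {
    char user[201];
    memset(user, 'A', 200);
    user[200] = '\0';
    return safe_len_after(user);
}

/* Benign input through the unsafe path, to show the normal case is fine. */
static int demo_unsafe_small(void) {
    char buf[LOG_BUF];
    return log_unsafe(buf, "client %s disconnected", "alice");
}

int main(void) {
    printf("benign input writes %d bytes into a %d-byte buffer\n",
           demo_unsafe_small(), LOG_BUF);
    printf("200-byte username would overflow the unsafe version: %s\n",
           demo_oversized() ? "yes" : "no");
    printf("vsnprintf version keeps it at %zu bytes\n",
           demo_oversized_safe_len());
    return 0;
}
```

The check on vsnprintf's return value is the part most often left out when a vsprintf call is patched: silently truncating is safe for memory, but callers usually want to know the input was rejected. None of this touches the ASLR question raised later in the thread; bounded formatting removes the overflow rather than making it harder to exploit.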
@kernelsmith yup :( hard to make it happen with ASLR enabled with just this vuln I think, since data is appended after the controlled data, looks hard to work with a least significant bytes overwrite to bypass ASLR here. Any ideas to bypass ASLR here with this vuln? I'm happy to invest more time if there are proposals! thanks for reviewing!
I shall leave this baby to @kernelsmith :)
@jvazquez-r7 I have the pre-patch ver 3.x installer if you want it. I'll take a look into the ASLR issue, but not before I land this. Also, the vuln in 2.4 looks different from the one in 3.x, so I think technically this isn't the same as the one listed by ZDI, but whatever. I'll also look at porting it to 3.x and maybe we can keep it all in one module. BTW, working on XP:
working on 2k3 as well, landing
y u no close as merged PR?
Troll gods.
@kernelsmith, I fixed the typo by myself on this commit: jvazquez-r7@f622a3a but you didn't land this last commit, and fixed the typo by yourself. Because of that this pull request has not been closed. You can make github close it by landing the forgotten commit :)
@kernelsmith indeed the ZDI advisory is a little bit confusing in my opinion:
@kernelsmith if you could share the pre-patched binary for version 3 it would be cool =) I couldn't find it on the vendor homepage :( Looks like there aren't vulnerable 3 installers anymore on the vendor page. I'd be happy to confirm my feelings about the vulnerability root cause on version 3 and share my opinion :)
This advisory does not apply to 2.4, only 3.1. The vuln in 2.4 is a separate vuln. The vuln in 3.1 may be a failed patch for the vuln in 2.4, I haven’t looked at 2.4 yet. On Jun 17, 2014, at 11:20 PM, Juan Vazquez notifications@github.com wrote:
You did it! great work @kernelsmith ! :D
Tested successfully on Win2003 SP2 and Ericom AccessNow Server 2.4.0.2.
Verification