Bopup Communications Server Remote Buffer Overflow Vulnerability

Trustwave recently discovered a remotely exploitable issue in all current versions of "B Labs" Bopup Communications Server. The issue was discovered and confirmed in version 4.5.1.12872, as detailed in the recently posted Trustwave advisory.

Bopup Communications Server listens on ports 19809/tcp and 19810/tcp. The service on port 19809/tcp contains a remotely exploitable stack-based buffer overflow in the handling and parsing of packets prior to authentication, so no credentials are needed to reach it. Through it, an attacker can execute arbitrary code on the remote host with the privileges of the Bopup Communications Server process, namely SYSTEM. The root cause is a lack of bounds validation in several calls to memcpy: the copy length is taken directly from the packet, while the destination is a fixed-size buffer allocated on the stack.

The Vulnerability

The issue was discovered during a concerted effort to reverse engineer the implementation, and thus the protocol, used by the Communications Server. The vulnerability lies in the handling of the outer packet format, shown below with the byte offset of each 32-bit field:

[0x00] "\x79\xDF\x32\x01" # magic
[0x04] "\x00\x00\x00\x00" # op code
[0x08] "\x00\x00\x00\x00" # total length
[0x0C] "\x00\x00\x00\x00" # first block length
[0x10] "\x00\x00\x00\x00" # second block length
[0x14] "\x00\x00\x00\x00" # third block length

The issue relates to the handling of the first, second and third blocks of data. The server first reads the header into a structure on the stack; all length fields are used as received, in host byte order, without validation. A buffer is then allocated on the heap with the size given by the 'total length' field, and that many bytes are read from the client's socket into the newly allocated buffer.

00405485 cmp dword [ss:ebp-0x28], ebx ; validate 'total length'
00405488 je 0x40550e
; 'total length' > 0
0040548e push dword [ss:ebp-0x28]
00405491 call sub_422739 ; malloc([ebp-0x28])
00405496 mov esi, eax
00405498 pop ecx
00405499 cmp esi, ebx
0040549b mov dword [ss:ebp-0x34], esi
0040549e je 0x405511

004054a0 mov eax, dword [ss:ebp-0x28]
004054a3 mov ecx, edi
004054a5 mov dword [ss:ebp-0x10], eax
004054a8 lea eax, dword [ss:ebp-0x10]
004054ab push eax
004054ac push esi
004054ad call sub_420e0c ; recv(), 'total-length' bytes
004054b2 test al, al
004054b4 je 0x405511

The server then copies the newly read data from the heap buffer into fixed-size buffers on the stack, using the attacker-controlled 'first block length' (and likewise the second and third block lengths) as the memcpy size. In the code shown, the only check on 'first block length' is that it is non-zero; nothing compares it against the size of the destination at ebp-0x12bc, so a block length larger than the destination writes past the end of the stack buffer. This is the remote stack-based buffer overflow.

; check 'first block length' is non-zero
004054b6 mov eax, dword [ss:ebp-0x24]
004054b9 cmp eax, ebx
004054bb je 0x4054d1
; 'first block length' > 0
004054bd push eax ; 'first block length'
004054be lea eax, dword [ss:ebp-0x12bc]
004054c4 push esi ; malloc([ebp-0x28])
004054c5 push eax ; ebp-0x12bc
; memcpy(ebp-0x12bc, esi, [ebp-0x24])
004054c6 call sub_421fd0
004054cb mov eax, dword [ss:ebp-0x24]
004054ce add esp, 0xc

The op code is validated only after these copies have taken place, so the overflow is reachable regardless of its value. The check accepts op codes in the range 0x80 to 0x9D inclusive: the op code minus 0x80 must not exceed 0x1D in an unsigned comparison.

00405514 mov ecx, dword [ss:ebp-0x2c]
00405517 lea edx, dword [ds:ecx-0x80]
0040551a cmp edx, 0x1d ; validate op code
0040551d ja 0x4059e3
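To make the pattern concrete, the following C program is an added example written for this page; it is not the vendor's code and not the advisory's proof of concept. It reconstructs the outer packet format above and the copy sequence from the disassembly as a vulnerable parser, places a hardened parser beside it, and includes a packet builder so both can be exercised on constructed inputs. The stack buffer size (64 bytes), the total-length cap (4096 bytes) and the source offsets of the second and third blocks are assumptions; the page gives only the first destination offset (ebp-0x12bc) and the op code range.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outer packet header from the page: 4-byte magic then five little-endian dwords. */
#define HDR_LEN 0x18u
static const uint8_t BOPUP_MAGIC[4] = { 0x79, 0xDF, 0x32, 0x01 };

/* Assumptions for illustration (not taken from the binary): each stack buffer is
 * 64 bytes and no body over 4096 bytes is accepted by the hardened parser. */
#define BLOCK_MAX 64u
#define TOTAL_MAX 4096u

struct bopup_hdr { uint32_t opcode, total_len, len1, len2, len3; };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parses the header into h; returns 0 on success, -1 on short input or bad magic. */
static int read_hdr(const uint8_t *pkt, size_t n, struct bopup_hdr *h)
{
    if (n < HDR_LEN || memcmp(pkt, BOPUP_MAGIC, 4) != 0) return -1;
    h->opcode = rd32(pkt + 0x04); h->total_len = rd32(pkt + 0x08);
    h->len1 = rd32(pkt + 0x0C);   h->len2 = rd32(pkt + 0x10);   h->len3 = rd32(pkt + 0x14);
    return 0;
}

/* Writes a packet into out (needs HDR_LEN + body_len bytes) and returns its size.
 * Length fields are written verbatim so inconsistent headers can be constructed. */
size_t build_packet(uint8_t *out, uint32_t opcode, uint32_t total_len, uint32_t len1,
                    uint32_t len2, uint32_t len3, const uint8_t *body, size_t body_len)
{
    memcpy(out, BOPUP_MAGIC, 4);
    wr32(out + 0x04, opcode); wr32(out + 0x08, total_len);
    wr32(out + 0x0C, len1);   wr32(out + 0x10, len2);   wr32(out + 0x14, len3);
    memcpy(out + HDR_LEN, body, body_len);
    return HDR_LEN + body_len;
}

/* Vulnerable shape mirroring the disassembly: malloc(total_len), read that many bytes,
 * then memcpy each block into a fixed stack buffer using the client's length with no
 * check against the destination. Blocks two and three are assumed to follow block one.
 * A hostile header overflows block1/block2/block3, so only call this on valid input. */
int parse_packet_vulnerable(const uint8_t *pkt, size_t n)
{
    struct bopup_hdr h;
    uint8_t block1[BLOCK_MAX], block2[BLOCK_MAX], block3[BLOCK_MAX];
    if (read_hdr(pkt, n, &h) != 0 || h.total_len == 0) return -1;
    if (n - HDR_LEN < h.total_len) return -1;   /* stands in for recv() blocking on a short read */
    uint8_t *body = malloc(h.total_len);
    if (body == NULL) return -1;
    memcpy(body, pkt + HDR_LEN, h.total_len);   /* recv(), 'total length' bytes */
    if (h.len1) memcpy(block1, body, h.len1);                     /* no bound vs sizeof block1 */
    if (h.len2) memcpy(block2, body + h.len1, h.len2);            /* nor vs total_len */
    if (h.len3) memcpy(block3, body + h.len1 + h.len2, h.len3);
    free(body);
    if (h.opcode - 0x80u > 0x1Du) return -1;    /* op code checked only after the copies */
    return (int)h.opcode;
}

/* Hardened form: the op code and every client-controlled length are validated against
 * the destination size and the bytes actually received before any allocation or copy. */
int parse_packet_hardened(const uint8_t *pkt, size_t n)
{
    struct bopup_hdr h;
    uint8_t block1[BLOCK_MAX], block2[BLOCK_MAX], block3[BLOCK_MAX];
    if (read_hdr(pkt, n, &h) != 0 || h.total_len == 0 || h.total_len > TOTAL_MAX) return -1;
    if (h.opcode - 0x80u > 0x1Du) return -1;    /* reject before touching memory */
    if (h.len1 > BLOCK_MAX || h.len2 > BLOCK_MAX || h.len3 > BLOCK_MAX) return -1;
    if (h.len1 + h.len2 + h.len3 > h.total_len) return -1;   /* cannot wrap: each term <= 64 */
    if (n - HDR_LEN < h.total_len) return -1;
    uint8_t *body = malloc(h.total_len);
    if (body == NULL) return -1;
    memcpy(body, pkt + HDR_LEN, h.total_len);
    memcpy(block1, body, h.len1);
    memcpy(block2, body + h.len1, h.len2);
    memcpy(block3, body + h.len1 + h.len2, h.len3);
    free(body);
    return (int)h.opcode;
}

int main(void)
{
    uint8_t pkt[HDR_LEN + 64];
    const uint8_t body[] = "ABCDEFGH";          /* constructed sample body */
    size_t n = build_packet(pkt, 0x81, 8, 3, 5, 0, body, 8);
    printf("well-formed: hardened=%d vulnerable=%d\n",
           parse_packet_hardened(pkt, n), parse_packet_vulnerable(pkt, n));
    n = build_packet(pkt, 0x81, 8, 0x1000, 0, 0, body, 8);  /* first block longer than its buffer */
    printf("oversized first block: hardened=%d\n", parse_packet_hardened(pkt, n));
    return 0;
}
```

The hardened parser orders its checks so that the cheapest rejections (op code, per-block bound, sum against 'total length') happen before any allocation; because each block length is already capped at BLOCK_MAX, the sum cannot wrap around on 32-bit arithmetic, which is the usual pitfall when validating several attacker-controlled lengths together. The vulnerable parser is kept deliberately faithful to the disassembly and must not be fed the oversized header, which is exactly why the example never calls it with one.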

Vulnerability Fixes

The vendor failed to respond to Trustwave within the time period documented in the Trustwave responsible disclosure procedure, despite several attempts to solicit a response. As such, we can confirm that the current, and thus latest, version of Bopup Communications Server remains vulnerable to the issue described above; no vendor fix is available at the time of writing.

Please see our advisory for full details and proof-of-concept code: TWSL2016-020
