#######################################################################

                             Luigi Auriemma

Application:  3com / H3C Intelligent Management Center (IMC)
              http://www.3com.com/IMC_Enterprise/
Versions:     <= 3.3 SP2 R2606P13
Platforms:    Windows, Linux, Solaris
Bug:          stack overflow in img.exe
Exploitation: remote, versus server
Date:         probably found 19 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"3Com® Intelligent Management Center (IMC) Enterprise Edition is a
self-contained comprehensive management solution, flexible and scalable
enough to meet the needs of advanced Enterprise networks."

The suite is also known under the vendors HP and H3C (the original
developer).


#######################################################################

======
2) Bug
======


img.exe is a service running on port 8800 and available in the default
configuration of IMC.

The service is affected by a stack buffer overflow located in the
function that handles the main header of the data, at address 004080f7:
it expects 4 bytes (the 32-bit integer of the master flags) but it can
receive up to 0xffff bytes of data.

Note that on Windows the "stack canary" doesn't allow the execution of
code (Denial of Service only), so only Solaris and Linux are affected
by this vulnerability.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/imc_5.zip


#######################################################################

======
4) Fix
======


http://www.zerodayinitiative.com/advisories/ZDI-11-160


#######################################################################
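
Added example (not part of the original advisory and not code from IMC):
the bug class described in section 2, a fixed 4-byte field filled using a
peer-supplied length, shown beside a length-checked parser. The wire
layout (2-byte big-endian length followed by the data) and all function
names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire layout (hypothetical, not taken from img.exe):
 * [2-byte big-endian length][length bytes], carrying the 32-bit flags. */
#define FLAGS_SIZE 4u
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_LENGTH = -2 };

/* Unsafe pattern of the bug class in the advisory: the declared length is
 * trusted, so up to 0xffff bytes are copied into a 4-byte stack buffer.
 * For comparison only; it is never called here. */
int parse_flags_unchecked(const uint8_t *pkt, uint32_t *out)
{
    uint8_t flags[FLAGS_SIZE] = {0};
    uint16_t n = (uint16_t)((pkt[0] << 8) | pkt[1]);
    memcpy(flags, pkt + 2, n);            /* overflows when n > 4 */
    memcpy(out, flags, sizeof *out);
    return PARSE_OK;
}

/* Hardened form: check what was received, then require the declared
 * length to equal the fixed size of the flags field. */
int parse_flags_checked(const uint8_t *pkt, size_t pkt_len, uint32_t *out)
{
    uint16_t n;
    if (pkt == NULL || out == NULL || pkt_len < 2)
        return PARSE_TRUNCATED;
    n = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (n != FLAGS_SIZE)
        return PARSE_BAD_LENGTH;          /* rejects 0..3 and 5..0xffff */
    if (pkt_len - 2 < n)
        return PARSE_TRUNCATED;           /* declared more than received */
    *out = ((uint32_t)pkt[2] << 24) | ((uint32_t)pkt[3] << 16) |
           ((uint32_t)pkt[4] << 8)  |  (uint32_t)pkt[5];
    return PARSE_OK;
}

int main(void)
{
    /* Constructed packets: a well-formed field and an oversized length. */
    const uint8_t good[] = { 0x00, 0x04, 0x00, 0x00, 0x00, 0x01 };
    const uint8_t big[]  = { 0xff, 0xff, 0x41, 0x41, 0x41, 0x41 };
    uint32_t v = 0;
    printf("good=%d big=%d\n", parse_flags_checked(good, sizeof good, &v),
           parse_flags_checked(big, sizeof big, &v));
    return 0;
}
```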