#######################################################################

                             Luigi Auriemma

Application:  Borland StarTeam MPX
              http://www.borland.com/starteam/
Versions:     <= 6.7
Platforms:    Windows
Bugs:         A] integer overflow in the calculation of the remaining data
              B] heap overflow in the handling of the lists
              C] process termination caused by unallocable memory
Exploitation: remote
Date:         02 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

Note: the vulnerabilities are located in a TIBCO dll (SmartSockets) but
at the moment I can't verify if the latest versions of this product are
vulnerable since the downloads are limited to customers.
The only pre-existent advisories I have found about SmartSockets are
linked in http://secunia.com/advisories/28490/ but there are no
references to the deserialization functions or other detailed
information so for me it is impossible to verify if the bugs I have found
are the same or not.
More information will be added if and when available.

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's manual:
"StarTeamMPX provides a publish/subscribe messaging architecture for
StarTeam Server. StarTeamMPX accelerates the velocity of information
exchanged between clients and the server by extending the client/server
framework."

#######################################################################

=======
2) Bugs
=======

------------------------------------------------------------
A] integer overflow in the calculation of the remaining data
------------------------------------------------------------

All the vulnerabilities I have found are located in the
TmsgBufMsgDeserializeEx function used by the STMessageBroker67 and
STMulticastService67 processes to deserialize the incoming data.
I have focused my tests only on the first service (port 5101) but this
deserialization function (tmsg50.dll) is used in the other one too.

The protocol is composed of three types of data located in sequential
order in each packet: lists, arrays (with a fixed size of 16 bytes) and
the remaining data.

An integer overflow vulnerability is located in the calculation of the
size of the remaining data and can be exploited for example through an
amount of arrays lower than the number specified.
Anyway the only effect of this bug is the crashing of the service since
no arbitrary data can be used to overwrite the server's memory.

---------------------------------------------
B] heap overflow in the handling of the lists
---------------------------------------------

The lists are composed of an initial 32 bit value which specifies the
amount of bytes in the packet occupied by the group of lists, and each
one of them has a 16 bit size value followed by the amount of data
declared in it.
The server performs no checks on the size of the destination buffer,
allowing an attacker to exploit the subsequent heap overflow for
crashing the service or possibly executing malicious code.

---------------------------------------------------
C] process termination caused by unallocable memory
---------------------------------------------------

Another bug similar to the first one is located in the instructions
which calculate the amount of data to allocate:

  size of the packet - size of the lists - number of arrays * 16 - size of the header

The result is the termination of the server due to the impossibility of
allocating such a large amount of memory.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/starteammpx.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################
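The following is an added illustration, not code from the advisory or from the vendor: a bounds-checked parser for the lists / 16-byte arrays / remaining-data framing described in section 2, showing the three checks the deserializer lacked (bugs A, B and C), plus the 32-bit remaining-size formula evaluated without a check so the wrap-around is visible. The header layout (a u32 array count followed by the u32 lists size), little-endian byte order and the destination-buffer size are assumptions chosen for the example.

```python
import struct

ARRAY_SIZE = 16          # fixed array size stated in the advisory
HEADER_SIZE = 8          # assumption: u32 array count followed by u32 lists size
MAX_LIST_BYTES = 4096    # assumption: size of the buffer each list is copied into
MASK32 = 0xFFFFFFFF

def build_packet(lists, arrays, remaining):
    """Constructed sample framing: header, lists, fixed-size arrays, remaining data."""
    body = b"".join(struct.pack("<H", len(item)) + item for item in lists)
    return (struct.pack("<II", len(arrays), len(body)) + body
            + b"".join(arrays) + remaining)

def unchecked_remaining_size(pkt_len, lists_size, array_count):
    """The advisory's formula in 32-bit arithmetic with no sanity check: an array
    count larger than the data actually present wraps to a huge allocation size."""
    return (pkt_len - HEADER_SIZE - lists_size - array_count * ARRAY_SIZE) & MASK32

def parse_packet(pkt):
    """Bounds-checked parse; returns (lists, arrays, remaining) or raises ValueError."""
    if len(pkt) < HEADER_SIZE:
        raise ValueError("packet shorter than header")
    array_count, lists_size = struct.unpack_from("<II", pkt, 0)
    lists_end = HEADER_SIZE + lists_size
    if lists_end > len(pkt):                          # bug C: lists size beyond packet
        raise ValueError("lists size exceeds packet")
    arrays_bytes = array_count * ARRAY_SIZE
    if arrays_bytes > len(pkt) - lists_end:           # bug A: subtraction would go negative
        raise ValueError("declared arrays exceed data present")
    lists, off = [], HEADER_SIZE
    while off < lists_end:
        if lists_end - off < 2:
            raise ValueError("truncated list length field")
        (n,) = struct.unpack_from("<H", pkt, off)
        off += 2
        if n > lists_end - off or n > MAX_LIST_BYTES:  # bug B: copy must fit both bounds
            raise ValueError("list length exceeds region or destination buffer")
        lists.append(pkt[off:off + n])
        off += n
    arrays = [pkt[lists_end + i * ARRAY_SIZE:lists_end + (i + 1) * ARRAY_SIZE]
              for i in range(array_count)]
    return lists, arrays, pkt[lists_end + arrays_bytes:]

def is_rejected(pkt):
    """True when parse_packet refuses the packet."""
    try:
        parse_packet(pkt)
    except ValueError:
        return True
    return False
```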