Micro Focus Rumba+ v9.4 Multiple Stack Buffer Overflow Vulnerabilities
Title: Micro Focus Rumba+ v9.4 Multiple Stack Buffer Overflow Vulnerabilities
Advisory ID: ZSL-2016-5327
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 26.05.2016
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Enterprise SP1 (EN)
[13.02.2016] Vendor contacted.
[25.05.2016] No response from the vendor.
[26.05.2016] Public security advisory released.
[30.06.2016] Vendor releases Rumba 9.4 (HF 13960), Rumba 9.4 (HF 12815) and 9.3 (HF 11997) to address these issues.
[2] https://cxsecurity.com/issue/WLB-2016050136
[3] https://packetstormsecurity.com/files/137205
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/113527
[5] http://www.vfocus.net/art/20160530/12710.html
[6] http://microfocus.com/mainframe_solutions/rumba/w/kb/28601.rumba-9-4-stack-bof-vuln.aspx
[7] http://microfocus.com/mainframe_solutions/rumba/w/kb/28600.mf-rumba-9-x-sec-update.aspx
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1606
[9] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1606
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5228
[11] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5228
[12] http://www.securiteam.com/securitynews/5NP3I00J6U.html
[13] https://www.us-cert.gov/ncas/bulletins/SB16-193
[14] http://www.securityfocus.com/bid/91559
[27.05.2016] - Added reference [2]
[28.05.2016] - Added reference [3] and [4]
[14.06.2016] - Added reference [5]
[30.06.2016] - Added vendor status and reference [6], [7], [8], [9], [10] and [11]
[25.07.2016] - Added reference [12], [13] and [14]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5327
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 26.05.2016
Summary
Rumba is a terminal emulation solution with UI (User Interface) modernization properties. Rumba and Rumba+ allows users to connect to so-called 'legacy systems' (typically a mainframe) via desktop, web and mobile.Description
Rumba+ software package suffers from multiple stack buffer overflow vulnerabilities when parsing large amount of bytes to several functions in several OLE controls. An attacker can gain access to the system of the affected node and execute arbitrary code.--------------------------------------------------------------------------------
(1d78.52c): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\ntdll.dll -
eax=00000000 ebx=45454545 ecx=74d72a9c edx=42424242 esi=0032ddc0 edi=00000000
eip=770a15fe esp=0032dd58 ebp=0032ddac iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!NtRaiseException+0x12:
770a15fe 83c404 add esp,4
0:000> !exchain
0032e7cc: 45454545
Invalid exception stack at 44444444
0:000> d 0032e7cc
0032e7cc 44 44 44 44 45 45 45 45-43 43 43 43 43 43 43 43 DDDDEEEECCCCCCCC
0032e7dc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e7ec 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e7fc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e80c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e81c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e82c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e83c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0032ddac 77147415 0032ddc0 0032de10 00000000 ntdll!NtRaiseException+0x12
0032e0e0 7711071a 45454545 fffffffe fffffffe ntdll!RtlRemoteCall+0x236
0032e130 770db3f5 45454545 0000004d 0032e82c ntdll!RtlUlonglongByteSwap+0x1327a
0032e1b0 77090133 0032e1c8 0032e218 0032e1c8 ntdll!LdrRemoveLoadAsDataTable+0xcac
0032e7b0 41414141 42424242 43434343 43434343 ntdll!KiUserExceptionDispatcher+0xf
0032e7b4 42424242 43434343 43434343 43434343 0x41414141
0032e7b8 43434343 43434343 43434343 43434343 0x42424242
0032e7bc 43434343 43434343 43434343 44444444 0x43434343
0032e7c0 43434343 43434343 44444444 45454545 0x43434343
0032e7c4 43434343 44444444 45454545 43434343 0x43434343
0032e7c8 44444444 45454545 43434343 43434343 0x43434343
0032e7cc 45454545 43434343 43434343 43434343 0x44444444
0032e7d0 43434343 43434343 43434343 43434343 0x45454545
0032e7d4 43434343 43434343 43434343 43434343 0x43434343
0032e7d8 43434343 43434343 43434343 43434343 0x43434343
0032e7dc 43434343 43434343 43434343 43434343 0x43434343
--------------------------------------------------------------------------------
Vendor
Micro Focus - https://www.microfocus.comAffected Version
9.4.4058.0 and 9.4.0 SP0 Patch0Tested On
Microsoft Windows 7 Ultimate SP1 (EN)Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Enterprise SP1 (EN)
Vendor Status
[03.02.2016] Vulnerability discovered.[13.02.2016] Vendor contacted.
[25.05.2016] No response from the vendor.
[26.05.2016] Public security advisory released.
[30.06.2016] Vendor releases Rumba 9.4 (HF 13960), Rumba 9.4 (HF 12815) and 9.3 (HF 11997) to address these issues.
PoC
rumba_bof.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://www.exploit-db.com/exploits/39857/[2] https://cxsecurity.com/issue/WLB-2016050136
[3] https://packetstormsecurity.com/files/137205
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/113527
[5] http://www.vfocus.net/art/20160530/12710.html
[6] http://microfocus.com/mainframe_solutions/rumba/w/kb/28601.rumba-9-4-stack-bof-vuln.aspx
[7] http://microfocus.com/mainframe_solutions/rumba/w/kb/28600.mf-rumba-9-x-sec-update.aspx
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1606
[9] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1606
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5228
[11] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5228
[12] http://www.securiteam.com/securitynews/5NP3I00J6U.html
[13] https://www.us-cert.gov/ncas/bulletins/SB16-193
[14] http://www.securityfocus.com/bid/91559
Changelog
[26.05.2016] - Initial release[27.05.2016] - Added reference [2]
[28.05.2016] - Added reference [3] and [4]
[14.06.2016] - Added reference [5]
[30.06.2016] - Added vendor status and reference [6], [7], [8], [9], [10] and [11]
[25.07.2016] - Added reference [12], [13] and [14]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk