Zero Science Lab » Micro Focus Rumba+ v9.4 Multiple Stack Buffer Overflow Vulnerabilities

Micro Focus Rumba+ v9.4 Multiple Stack Buffer Overflow Vulnerabilities

Title: Micro Focus Rumba+ v9.4 Multiple Stack Buffer Overflow Vulnerabilities
Advisory ID: ZSL-2016-5327
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 26.05.2016

Summary

Rumba is a terminal emulation solution with UI (User Interface) modernization properties. Rumba and Rumba+ allows users to connect to so-called 'legacy systems' (typically a mainframe) via desktop, web and mobile.

Description

Rumba+ software package suffers from multiple stack buffer overflow vulnerabilities when parsing large amount of bytes to several functions in several OLE controls. An attacker can gain access to the system of the affected node and execute arbitrary code.

--------------------------------------------------------------------------------


(1d78.52c): Access violation - code c0000005 (!!! second chance !!!)

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SysWOW64\ntdll.dll - 

eax=00000000 ebx=45454545 ecx=74d72a9c edx=42424242 esi=0032ddc0 edi=00000000

eip=770a15fe esp=0032dd58 ebp=0032ddac iopl=0         nv up ei pl zr na pe nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246

ntdll!NtRaiseException+0x12:

770a15fe 83c404          add     esp,4

0:000> !exchain

0032e7cc: 45454545

Invalid exception stack at 44444444

0:000> d 0032e7cc

0032e7cc  44 44 44 44 45 45 45 45-43 43 43 43 43 43 43 43  DDDDEEEECCCCCCCC

0032e7dc  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC

0032e7ec  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC

0032e7fc  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC

0032e80c  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC

0032e81c  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC

0032e82c  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC

0032e83c  43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43  CCCCCCCCCCCCCCCC

0:000> kb

ChildEBP RetAddr  Args to Child

WARNING: Stack unwind information not available. Following frames may be wrong.

0032ddac 77147415 0032ddc0 0032de10 00000000 ntdll!NtRaiseException+0x12

0032e0e0 7711071a 45454545 fffffffe fffffffe ntdll!RtlRemoteCall+0x236

0032e130 770db3f5 45454545 0000004d 0032e82c ntdll!RtlUlonglongByteSwap+0x1327a

0032e1b0 77090133 0032e1c8 0032e218 0032e1c8 ntdll!LdrRemoveLoadAsDataTable+0xcac

0032e7b0 41414141 42424242 43434343 43434343 ntdll!KiUserExceptionDispatcher+0xf

0032e7b4 42424242 43434343 43434343 43434343 0x41414141

0032e7b8 43434343 43434343 43434343 43434343 0x42424242

0032e7bc 43434343 43434343 43434343 44444444 0x43434343

0032e7c0 43434343 43434343 44444444 45454545 0x43434343

0032e7c4 43434343 44444444 45454545 43434343 0x43434343

0032e7c8 44444444 45454545 43434343 43434343 0x43434343

0032e7cc 45454545 43434343 43434343 43434343 0x44444444

0032e7d0 43434343 43434343 43434343 43434343 0x45454545

0032e7d4 43434343 43434343 43434343 43434343 0x43434343

0032e7d8 43434343 43434343 43434343 43434343 0x43434343

0032e7dc 43434343 43434343 43434343 43434343 0x43434343

--------------------------------------------------------------------------------

Vendor

Micro Focus - https://www.microfocus.com

Affected Version

9.4.4058.0 and 9.4.0 SP0 Patch0

Tested On

Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Enterprise SP1 (EN)

Vendor Status

[03.02.2016] Vulnerability discovered.
[13.02.2016] Vendor contacted.
[25.05.2016] No response from the vendor.
[26.05.2016] Public security advisory released.
[30.06.2016] Vendor releases Rumba 9.4 (HF 13960), Rumba 9.4 (HF 12815) and 9.3 (HF 11997) to address these issues.

PoC

rumba_bof.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://www.exploit-db.com/exploits/39857/
[2] https://cxsecurity.com/issue/WLB-2016050136
[3] https://packetstormsecurity.com/files/137205
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/113527
[5] http://www.vfocus.net/art/20160530/12710.html
[6] http://microfocus.com/mainframe_solutions/rumba/w/kb/28601.rumba-9-4-stack-bof-vuln.aspx
[7] http://microfocus.com/mainframe_solutions/rumba/w/kb/28600.mf-rumba-9-x-sec-update.aspx
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1606
[9] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1606
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5228
[11] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5228
[12] http://www.securiteam.com/securitynews/5NP3I00J6U.html
[13] https://www.us-cert.gov/ncas/bulletins/SB16-193
[14] http://www.securityfocus.com/bid/91559

Changelog

[26.05.2016] - Initial release
[27.05.2016] - Added reference [2]
[28.05.2016] - Added reference [3] and [4]
[14.06.2016] - Added reference [5]
[30.06.2016] - Added vendor status and reference [6], [7], [8], [9], [10] and [11]
[25.07.2016] - Added reference [12], [13] and [14]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk