
Micro Focus Rumba+ v9.4 Multiple Stack Buffer Overflow Vulnerabilities

High
Advisory ID: ZSL-2016-5327
Release Date: 26 May 2016
Vendor
Affected Version: 9.4.4058.0 and 9.4.0 SP0 Patch0
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), Microsoft Windows 7 Professional SP1 (EN), Microsoft Windows 7 Enterprise SP1 (EN)
Summary

Rumba is a terminal emulation solution with UI (User Interface) modernization properties. Rumba and Rumba+ allow users to connect to so-called 'legacy systems' (typically a mainframe) via desktop, web and mobile.

Description

The Rumba+ software package suffers from multiple stack buffer overflow vulnerabilities when a large number of bytes is passed to several functions in several OLE controls. An attacker can gain access to the system of the affected node and execute arbitrary code.

(1d78.52c): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\ntdll.dll -
eax=00000000 ebx=45454545 ecx=74d72a9c edx=42424242 esi=0032ddc0 edi=00000000
eip=770a15fe esp=0032dd58 ebp=0032ddac iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!NtRaiseException+0x12:
770a15fe 83c404 add esp,4
0:000> !exchain
0032e7cc: 45454545
Invalid exception stack at 44444444
0:000> d 0032e7cc
0032e7cc 44 44 44 44 45 45 45 45-43 43 43 43 43 43 43 43 DDDDEEEECCCCCCCC
0032e7dc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e7ec 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e7fc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e80c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e81c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e82c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e83c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0032ddac 77147415 0032ddc0 0032de10 00000000 ntdll!NtRaiseException+0x12
0032e0e0 7711071a 45454545 fffffffe fffffffe ntdll!RtlRemoteCall+0x236
0032e130 770db3f5 45454545 0000004d 0032e82c ntdll!RtlUlonglongByteSwap+0x1327a
0032e1b0 77090133 0032e1c8 0032e218 0032e1c8 ntdll!LdrRemoveLoadAsDataTable+0xcac
0032e7b0 41414141 42424242 43434343 43434343 ntdll!KiUserExceptionDispatcher+0xf
0032e7b4 42424242 43434343 43434343 43434343 0x41414141
0032e7b8 43434343 43434343 43434343 43434343 0x42424242
0032e7bc 43434343 43434343 43434343 44444444 0x43434343
0032e7c0 43434343 43434343 44444444 45454545 0x43434343
0032e7c4 43434343 44444444 45454545 43434343 0x43434343
0032e7c8 44444444 45454545 43434343 43434343 0x43434343
0032e7cc 45454545 43434343 43434343 43434343 0x44444444
0032e7d0 43434343 43434343 43434343 43434343 0x45454545
0032e7d4 43434343 43434343 43434343 43434343 0x43434343
0032e7d8 43434343 43434343 43434343 43434343 0x43434343
0032e7dc 43434343 43434343 43434343 43434343 0x43434343

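A crash-triage sketch for the debugger output above, added here as an example and not part of the original advisory: it parses the register and !exchain lines and flags values made of one repeated printable byte, the sign that the exception registration record on the stack was overwritten with input data. The function names and verdict labels are assumptions of this example; the embedded log is an excerpt of the output above.

```python
import re

# Excerpt of the WinDbg output shown in the advisory above.
CRASH_LOG = """\
eax=00000000 ebx=45454545 ecx=74d72a9c edx=42424242 esi=0032ddc0 edi=00000000
eip=770a15fe esp=0032dd58 ebp=0032ddac iopl=0 nv up ei pl zr na pe nc
0:000> !exchain
0032e7cc: 45454545
Invalid exception stack at 44444444
"""

REG_RE = re.compile(r"\b(e(?:ax|bx|cx|dx|si|di|ip|sp|bp))=([0-9a-f]{8})\b")
EXCHAIN_RE = re.compile(r"^([0-9a-f]{8}): ([0-9a-f]{8})\s*$", re.M)
BADNEXT_RE = re.compile(r"Invalid exception stack at ([0-9a-f]{8})")


def is_fill_pattern(value):
    """True when all four bytes are the same printable ASCII character."""
    raw = bytes.fromhex(value)
    return len(set(raw)) == 1 and 0x20 <= raw[0] <= 0x7E


def triage(log):
    """Return (location, value, meaning) for each input-controlled value."""
    findings = []
    for reg, val in REG_RE.findall(log):
        if is_fill_pattern(val):
            findings.append((reg, val, "register holds input fill bytes"))
    for record, handler in EXCHAIN_RE.findall(log):
        if is_fill_pattern(handler):
            findings.append(("seh_handler@" + record, handler,
                             "exception handler pointer overwritten"))
    for nxt in BADNEXT_RE.findall(log):
        if is_fill_pattern(nxt):
            findings.append(("seh_next", nxt, "next-record pointer overwritten"))
    return findings


def verdict(findings):
    """Rank the crash: an overwritten SEH record outranks a tainted register."""
    if any(loc.startswith("seh_") for loc, _, _ in findings):
        return "SEH_OVERWRITE"
    return "CONTROLLED_REGISTER" if findings else "NO_INPUT_PATTERN"


if __name__ == "__main__":
    results = triage(CRASH_LOG)
    for loc, val, meaning in results:
        print(f"{loc:22} {val}  {meaning}")
    print("verdict:", verdict(results))
```
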
Proof of Concept
Disclosure Timeline
03.02.2016: Vulnerability discovered.
13.02.2016: Vendor contacted.
25.05.2016: No response from the vendor.
26.05.2016: Public security advisory released.
30.06.2016: Vendor releases Rumba 9.4 (HF 13960), Rumba 9.4 (HF 12815) and 9.3 (HF 11997) to address these issues.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
26.05.2016: Initial release
27.05.2016: Added reference [2]
28.05.2016: Added reference [3] and [4]
14.06.2016: Added reference [5]
30.06.2016: Added vendor status and reference [6], [7], [8], [9], [10] and [11]
25.07.2016: Added reference [12], [13] and [14]