Landesk Management Suite Alert Service Stack Overflow Vulnerability
TPTI-07-04: April 13th, 2007CVE ID
Affected Vendors
Affected Products
TippingPoint™ IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 5210. For further product information on the TippingPoint IPS:Vulnerability Details
This vulnerability allows attackers to execute arbitrary code on vulnerable installations of LANDesk Management Suite. User interaction is not required to exploit this vulnerability.The specific flaw exists in the Alert Service listening on UDP port 65535. The Aolnsrvr.exe process accepts user-supplied data and performs an inline memory copy into a 268 byte stack-based buffer. Supplying additional data results in a buffer overflow and SEH overwrite. The vulnerable memory copy is shown here:
0041EF49 mov edi, eax ; edi pointer to stack buffer
0041EF4B mov eax, ecx
0041EF4D shr ecx, 2 ; total size of data
0041EF50 rep movsd
0041EF52 mov ecx, eax
0041EF54 mov eax, ebx
0041EF56 and ecx, 3
0041EF59 rep movsb
Exploitation allows an attacker to execute arbitrary code under the context of the SYSTEM user.
Vendor Response
LANDesk has issued an update to correct this vulnerability. More details can be found at:Disclosure Timeline
-
2007-03-08 - Vulnerability reported to vendor
2007-04-13 - Coordinated public release of advisory
