CVE-2008-0311 - Buffer Errors vulnerability in Borland CaliberRM 2006

CVSS 9.3 - CRITICAL
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, borland, CWE-119, critical, exploit available, metasploit

Summary

Stack-based buffer overflow in the PGMWebHandler::parse_request function in the StarTeam Multicast Service component (STMulticastService) 6.4 in Borland CaliberRM 2006 allows remote attackers to execute arbitrary code via a large HTTP request.

Vulnerable Configurations

Part: Application
Description: Borland
Count: 1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

description: Borland CaliberRM StarTeam Multicast Service Buffer Overflow. CVE-2008-0311. Remote exploit for windows platform
id: EDB-ID:16434
last seen: 2016-02-01
modified: 2010-06-15
published: 2010-06-15
reporter: metasploit
source: https://www.exploit-db.com/download/16434/
title: Borland CaliberRM StarTeam Multicast Service Buffer Overflow

Metasploit

description: This module exploits a stack buffer overflow in Borland CaliberRM 2006. By sending a specially crafted GET request to the STMulticastService, an attacker may be able to execute arbitrary code.
id: MSF:EXPLOIT/WINDOWS/MISC/BORLAND_STARTEAM
last seen: 2020-06-12
modified: 2017-07-24
published: 2008-06-01
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0311
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/borland_starteam.rb
title: Borland CaliberRM StarTeam Multicast Service Buffer Overflow

Packetstorm

data source: https://packetstormsecurity.com/files/download/83121/borland_starteam.rb.txt
id: PACKETSTORM:83121
last seen: 2016-12-05
published: 2009-11-26
reporter: MC
source: https://packetstormsecurity.com/files/83121/Borland-CaliberRM-StarTeam-Multicast-Service-Buffer-Overflow.html
title: Borland CaliberRM StarTeam Multicast Service Buffer Overflow

Saint

bid: 28602
description: Borland StarTeam Multicast Service parse_request buffer overflow
id: web_tool_starteam_multihttpbo
osvdb: 44039
title: starteam_multicast_parse_request
type: remote

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 28602
CVE(CAN) ID: CVE-2008-0311

Borland CaliberRM is the enterprise software requirements management product bundled with Borland's development and deployment solution. The implementation of CaliberRM contains a buffer overflow vulnerability that a remote attacker may be able to exploit to take control of the server.

The StarTeam Multicast Service component (STMulticastService) of CaliberRM contains the vulnerable function PGMWebHandler::parse_request:

    .text:003AA15D call PGMWebHandler::parse_request(char const *,uint,char *,uint,http_request_info_t&)
    ...
    .text:003AA35E loc_3AA35E:
    .text:003AA35E mov al, [ebx]
    .text:003AA360 cmp al, 0Ah
    .text:003AA362 mov [edx], al ; edx points to the stack, overflowable because of the loop
    .text:003AA364 jnz loc_3AA4EF
    ...
    .text:003AA36A mov byte ptr [edx+1], 0
    .text:003AA36E mov al, byte ptr [esp+618h+lbuff]
    .text:003AA372 cmp al, 0Dh
    .text:003AA374 jz loc_3AA509
    ...
    .text:003AA4F0 loc_3AA4F0:
    .text:003AA4F0 mov eax, [esp+618h+count]
    .text:003AA4F4 mov ecx, [esp+618h+req_len]
    .text:003AA4FB inc ebx
    .text:003AA4FC inc eax
    .text:003AA4FD cmp eax, ecx
    .text:003AA4FF mov [esp+618h+count], eax
    .text:003AA503 jl loc_3AA35E ; loop back up

While searching for the standard 0x0a0d sequence that terminates an HTTP request, a loop copies attacker-supplied data byte by byte into a fixed-size stack buffer. If a sufficiently large request is sent, the return address, SEH pointer and other data on the stack can be overwritten.

Borland CaliberRM 2006 9.0.809.000

Workaround:
* Disable the multicast service's listening port:
1 Stop the StarTeam Multicast Service
2 Navigate to the \Standard subdirectory under the Message Broker installation
3 Open the pgmopts.def file in a text editor
4 Find the lines containing the string monitor_port; they should look like:
createopt pgmmap_monitor_port str_list pgm_monitor_port,monitor_port
createopt pgm_monitor_port numeric 3057
5 Change these definition lines as follows:
createopt pgmmap_monitor_port str_list pgm_monitor_port,monitor_port
createopt pgm_monitor_port numeric 0
6 Save the changes
7 Restart the StarTeam Multicast Service

Vendor patch:
Borland
-------
The vendor has not yet released a patch or upgrade; we recommend that users of this software watch the vendor's home page for the latest version: http://www.borland.com/
id: SSV:3126
last seen: 2017-11-19
modified: 2008-04-09
published: 2008-04-09
reporter: Root
title: Borland StarTeam Multicast Service PGMWebHandler::parse_request() stack overflow vulnerability
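The Seebug listing above shows a copy loop bounded only by the request length, not by the destination buffer. As an added illustration (not Borland's code; buffer size and function names are constructed), the same loop shape is written out in C beside a bounded version that refuses over-long lines instead of writing past the stack buffer:

```c
#include <stddef.h>

/* Illustration added here, not Borland's code: the advisory's loop copies
 * request bytes one at a time into a fixed stack buffer until it sees 0x0a,
 * bounded only by req_len (the request length), never by the buffer size. */
#define LINE_BUF 64 /* constructed size; the real frame is 0x618 bytes */

/* Vulnerable shape (CWE-119). Nothing compares count against the capacity of
 * lbuff, so a request longer than the buffer with no newline writes past its
 * end. Kept for contrast only; nothing here feeds it oversized input. */
int copy_line_unchecked(const char *req, size_t req_len, char *lbuff)
{
    char *dst = lbuff;                       /* edx in the listing */
    for (size_t count = 0; count < req_len; count++) {
        *dst = req[count];                   /* mov [edx], al */
        if (*dst == 0x0a) { dst[1] = '\0'; return (int)count + 1; }
        dst++;
    }                                        /* jl loc_3AA35E */
    return -1;                               /* no terminator found */
}

/* Hardened form: stop before the buffer is full (leaving room for the NUL)
 * and report an over-long line instead of overwriting the stack. */
int copy_line_bounded(const char *req, size_t req_len,
                      char *lbuff, size_t lbuff_len)
{
    if (lbuff_len < 2) return -2;
    for (size_t count = 0; count < req_len; count++) {
        if (count + 1 >= lbuff_len) return -2;   /* would overflow lbuff */
        lbuff[count] = req[count];
        if (req[count] == 0x0a) { lbuff[count + 1] = '\0'; return (int)count + 1; }
    }
    return -1;                                   /* no terminator found */
}

/* Stand-alone checker over an internal fixed buffer, returning the number of
 * bytes consumed (>0), -1 for no line terminator, -2 for a line that would
 * not fit in the buffer. */
int parse_request_line(const char *req, size_t req_len)
{
    char lbuff[LINE_BUF];
    return copy_line_bounded(req, req_len, lbuff, sizeof lbuff);
}
```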