SpiderLabs Blog

Bopup Communications Server Remote Buffer Overflow Vulnerability

Trustwave recently discovered a remotely exploitable issue in all current versions of "B Labs" Bopup Communications Server. The issue was discovered and confirmed to exist in version 4.5.1.12872, as detailed in the recently posted Trustwave advisory.

Bopup Communications Server listens on ports 19809/tcp and 19810/tcp; the service on port 19809/tcp contains a remotely exploitable buffer overflow in the handling and parsing of packets prior to authentication. Through this, an attacker can execute arbitrary code on the remote host with the privileges of the Bopup Communications Server process, namely SYSTEM. The issue is caused by a lack of bounds validation in several calls to memcpy where the length is user-controlled and the destination buffer is allocated on the stack.

The Vulnerability

The issue was discovered during a concerted effort to reverse engineer the implementation, and thus the protocol, used by the Communications Server. The vulnerability was located in the handling of the outer packet format, which is shown below:

[0x00] "\x79\xDF\x32\x01" # magic
[0x04] "\x00\x00\x00\x00" # op code
[0x08] "\x00\x00\x00\x00" # total length
[0x0C] "\x00\x00\x00\x00" # first block length
[0x10] "\x00\x00\x00\x00" # second block length
[0x14] "\x00\x00\x00\x00" # third block length

The issue relates to the handling of the first, second and third blocks of data. The server first reads the header into a structure stored on the stack; all length fields are left in host byte order. A buffer is then allocated on the heap with the length given by the header's 'total length' field (the only check applied to this field is that it is non-zero), and that number of bytes is read into the newly allocated buffer from the socket through which the remote user is connected.

00405485 cmp dword [ss:ebp-0x28], ebx ; validate 'total length'
00405488 je 0x40550e
; 'total length' > 0
0040548e push dword [ss:ebp-0x28]
00405491 call sub_422739 ; malloc([ebp-0x28])
00405496 mov esi, eax
00405498 pop ecx
00405499 cmp esi, ebx
0040549b mov dword [ss:ebp-0x34], esi
0040549e je 0x405511

004054a0 mov eax, dword [ss:ebp-0x28]
004054a3 mov ecx, edi
004054a5 mov dword [ss:ebp-0x10], eax
004054a8 lea eax, dword [ss:ebp-0x10]
004054ab push eax
004054ac push esi
004054ad call sub_420e0c ; recv(), 'total-length' bytes
004054b2 test al, al
004054b4 je 0x405511

The server then copies the newly read data from the heap-allocated buffer into fixed-size buffers on the stack, using the attacker-supplied block lengths from the header as the copy sizes, thereby facilitating a remote buffer overflow.

; validate 'first block length'
004054b6 mov eax, dword [ss:ebp-0x24]
004054b9 cmp eax, ebx
004054bb je 0x4054d1
; 'first block length' > 0
004054bd push eax ; 'first block length'
004054be lea eax, dword [ss:ebp-0x12bc]
004054c4 push esi ; malloc([ebp-0x28])
004054c5 push eax ; ebp-0x12bc
; memcpy(ebp-0x12bc, esi, [ebp-0x24])
004054c6 call sub_421fd0
004054cb mov eax, dword [ss:ebp-0x24]
004054ce add esp, 0xc

The remaining header field, the 'op code', is validated only for range: after the copies above, the server subtracts 0x80 from it and rejects any result greater than 0x1d, so the accepted values lie between 0x80 and 0x9D inclusive.

00405514 mov ecx, dword [ss:ebp-0x2c]
00405517 lea edx, dword [ds:ecx-0x80]
0040551a cmp edx, 0x1d ; validate op code
0040551d ja 0x4059e3
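As an added example (not code from the advisory or from B Labs), the following C parser for the outer header shown above validates the magic, the op-code range and every block length against its destination buffer before a single payload byte is copied, which is the bounds check the disassembly lacks. BLOCK_BUF_SIZE is an assumption, since the page does not give the sizes of the stack buffers; the error codes and the header builder are hypothetical helpers for exercising the checks.

```c
#include <stdint.h>
#include <string.h>

#define BOPUP_HDR_LEN  0x18u
#define BLOCK_BUF_SIZE 0x400u   /* assumed size of each fixed stack buffer; not from the page */
#define MAX_TOTAL_LEN  (3u * BLOCK_BUF_SIZE)
#define OPCODE_MIN     0x80u    /* op-code range the server checks, but only after the copies */
#define OPCODE_MAX     0x9Du

struct bopup_hdr { uint32_t opcode, total_len, block_len[3]; };
enum bopup_err {
    BOPUP_OK = 0,
    BOPUP_ERR_SHORT,      /* fewer than 0x18 header bytes received */
    BOPUP_ERR_MAGIC,
    BOPUP_ERR_OPCODE,
    BOPUP_ERR_TOTAL_LEN,  /* zero, or larger than the server should ever allocate */
    BOPUP_ERR_BLOCK_LEN,  /* a block would overflow its fixed destination buffer */
    BOPUP_ERR_BLOCK_SUM   /* blocks claim more bytes than total_len carries */
};

/* Little-endian read, matching the host byte order the server uses for the header. */
static uint32_t rd32le(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Validate every length field before a single payload byte is copied anywhere. */
enum bopup_err bopup_check_header(const uint8_t *buf, size_t len, struct bopup_hdr *h)
{
    static const uint8_t magic[4] = { 0x79, 0xDF, 0x32, 0x01 };
    uint64_t sum = 0;
    if (len < BOPUP_HDR_LEN) return BOPUP_ERR_SHORT;
    if (memcmp(buf, magic, sizeof magic) != 0) return BOPUP_ERR_MAGIC;
    h->opcode = rd32le(buf + 4);
    h->total_len = rd32le(buf + 8);
    for (int i = 0; i < 3; i++) h->block_len[i] = rd32le(buf + 12 + 4 * i);
    if (h->opcode < OPCODE_MIN || h->opcode > OPCODE_MAX) return BOPUP_ERR_OPCODE;
    if (h->total_len == 0 || h->total_len > MAX_TOTAL_LEN) return BOPUP_ERR_TOTAL_LEN;
    for (int i = 0; i < 3; i++) {
        if (h->block_len[i] > BLOCK_BUF_SIZE) return BOPUP_ERR_BLOCK_LEN; /* the check memcpy lacks */
        sum += h->block_len[i];
    }
    if (sum > h->total_len) return BOPUP_ERR_BLOCK_SUM;
    return BOPUP_OK;
}

/* Build a constructed header (fields little-endian, as in the dump above) for exercising the checks. */
void bopup_build_header(uint8_t out[BOPUP_HDR_LEN], uint32_t op, uint32_t total, const uint32_t blk[3])
{
    const uint32_t v[6] = { 0x0132DF79u, op, total, blk[0], blk[1], blk[2] };
    for (int i = 0; i < 6; i++)
        for (int j = 0; j < 4; j++) out[4 * i + j] = (uint8_t)(v[i] >> (8 * j));
}
```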

Vulnerability Fixes

The vendor failed to respond to Trustwave within the time period permitted by the Trustwave responsible disclosure procedure, despite several attempts by Trustwave to solicit a response. As such, we can confirm that the current, and thus latest, version of Bopup Communications Server remains vulnerable to the issue described above.

Please see our advisory for full details and proof-of-concept code: TWSL2016-020
