Thursday, August 30, 2007

[NT] Motorola Timbuktu Multiple Buffer Overflow Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Motorola Timbuktu Multiple Buffer Overflow Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Motorola Inc.'s <http://netopia.com/software/products/tb2/> Timbuktu Pro
is a remote control software which allows remote access to a computer's
desktop. It is available for Mac OS X and Windows systems and provides
integration with Skype and SSH.

Remote exploitation of multiple buffer overflow vulnerabilities within
Motorola Inc.'s Timbuktu allows attackers to crash the service or
potentially execute arbitrary code with SYSTEM privileges.

DETAILS

Vulnerable Systems:
* Motorola Inc.'s Timbuktu Pro for Windows version 8.6.3.1367.
* (Older versions are suspected to be vulnerable).

The first issue exists within the handling of malformed application level
protocol requests. Certain requests lead to an arbitrary length overflow
of a buffer located on the heap.

The second vulnerability exists within the processing of log in requests.
By specifying an overly long user name, it is possible to cause heap
corruption.

The third vulnerability specifically exists within the "Scanner"
functionally. By running a malicious socket server on TCP port 407, an
attacker is able to cause a buffer overflow with a malformed "HELLO"
response packet.
Exploitation of these vulnerabilities allows attackers to crash the
Timbuktu Pro server or potentially execute arbitrary code with SYSTEM
privileges.

In all cases, no authentication credentials are required to access the
vulnerable code. In order to exploit the first two vulnerabilities, the
attacker needs only the ability to initiate a session with the Timbuktu
service. This service typically runs on TCP or UDP port 407.

The third vulnerability requires access to the local network since the
problem lies in the handling of a response from a scanned server.
Additionally, an attacker would need to persuade a user to attempt to
connect to the malicious server.

Workaround:
Employing firewalls to limit access to the affected service's open ports
(TCP and UDP port 407) can help prevent potential exposure to these
vulnerabilities.

Vendor Status:
Motorola Inc. has addressed these vulnerabilities by releasing version
8.6.5 of Timbuktu Pro for Windows. For more information, consult the
release notes at the following URL.

<ftp://ftp-xo.netopia.com/evaluation/docs/timbuktu/win/865/relnotes/TB2Win865Evalrn.pdf> ftp://ftp-xo.netopia.com/evaluation/docs/timbuktu/win/865/relnotes/TB2Win865Evalrn.pdf

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4221>
CVE-2007-4221

Disclosure Timeline:
* 07/18/2007 - Initial vendor notification
* 07/19/2007 - Initial vendor response
* 08/27/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=590>

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=590

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment