CVE-2016-1606
Published 2016-07-03
Priority: P2 · 71
Severity: critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: EXPLOIT
EPSS: 45.55% (98.6th percentile)
Multiple stack-based buffer overflows in COM objects in Micro Focus Rumba 9.4.x before 9.4 HF 13960 allow remote attackers to execute arbitrary code via (1) the NetworkName property value to ObjectXSNAConfig.ObjectXSNAConfig in iconfig.dll, (2) the CPName property value to ObjectXSNAConfig.ObjectXSNAConfig in iconfig.dll, (3) the PrinterName property value to ProfileEditor.PrintPasteControl in ProfEdit.dll, (4) the Data argument to the WriteRecords function in FTXBIFFLib.AS400FtxBIFF in FtxBIFF.dll, (5) the Serialized property value to NMSECCOMPARAMSLib.SSL3 in NMSecComParams.dll, (6) the UserName property value to NMSECCOMPARAMSLib.FirewallProxy in NMSecComParams.dll, (7) the LUName property value to ProfileEditor.MFSNAControl in ProfEdit.dll, (8) the newVal argument to the Load function in FTPSFTPLib.SFtpSession in FTPSFtp.dll, or (9) a long Host field in the FTP Client.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microfocus | rumba | — | — |
Detection & IOCs (extracted from sources)
- Monitor COM object instantiation (via ActiveX/OLE) for the ProgIDs ObjectXSNAConfig.ObjectXSNAConfig, ObjectXMacro.ObjectXMacro, ProfileEditor.PrintPasteControl, FTXBIFFLib.AS400FtxBIFF, NMSECCOMPARAMSLib.SSL3, and NMSECCOMPARAMSLib.FirewallProxy; exploitation occurs by setting oversized property values on these COM objects.
- Alert on STATUS_STACK_BUFFER_OVERRUN (0xC0000409) or stack overflow exceptions (0xC00000FD) originating from Rumba DLLs: iconfig.dll, ProfEdit.dll, FtxBIFF.dll, NMSecComParams.dll, WdMacCtl.OCX, FTPSFtp.dll.
- Detect abnormally large string arguments (megabytes) passed to COM property setters such as NetworkName, CPName, PrinterName, Serialized, UserName, LUName, or to the function arguments Data/newVal in the affected Rumba COM objects.
- The PlayMacro function in ObjectXMacro.ObjectXMacro (WdMacCtl.OCX) is exploitable with ~272 bytes of junk + 4-byte EIP overwrite + shellcode space of ~6224 bytes; monitor for SEH-chain overwrites (NSEH/SEH pattern) in this COM object's call stack.
- Look for the magic value 0xBAADF00D appearing in registers (eax, esi) during crash analysis of ProfEdit.dll and FtxBIFF.dll; this is the Windows heap uninitialized-memory marker, indicating heap corruption during exploitation.
- The vulnerability affects Rumba 9.4.x, specifically versions 9.4.4058.0 and 9.4.0 SP0 Patch0; the fix is HF 13960. Detections should be scoped to these versions.
- Multiple distinct products within the Rumba suite share the vulnerable COM objects; detections must cover all affected components, including Rumba Desktop, AS400 File Transfer, FTP Client 4.5, and the RSS subsystem (NMSecComParams.dll).
- Exploitation was confirmed only on Microsoft Windows 7 (Ultimate/Professional/Enterprise) SP1 x86; behavior on other Windows versions may differ.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
No writeups or analysis indexed.
References
- http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28601.rumba-9-4-stack-buffer-overflow-vulnerabilities.aspx
- http://www.securityfocus.com/bid/91548
- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5327.php
- https://cxsecurity.com/issue/WLB-2016050136