Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Bopup Communications Server Remote Buffer Overflow Vulnerability

Trustwave recently discovered a remotely exploitable issue in all current versions of "B Labs" Bopup Communications Server. The issues were discovered and confirmed to exist in version as detailed in the recently posted Trustwave advisory.

Bopup Communications Server runs on ports 19809/tcp and 19810/tcp, the services listening on port 19809/tcp contains a remotely exploitable buffer overflow in handling and parsing of packets prior to authentication. Through this, an attacker can execute arbitrary code on the remote host with the privileges of the Bopup Communication Server, namely SYSTEM. The issue occurs due to a lack of bounds validation in several calls to memcpy with user-definable length with the destination buffer allocated on the stack.

The Vulnerability

The issue was discovered during a concerted effort to reverse engineer the implementation and thus the protocol utilized by the Communications Server. The vulnerability was located in the handling of the outer packet format which is shown below,

[0x00] "\x79\xDF\x32\x01" # magic
[0x04] "\x00\x00\x00\x00" # op code
[0x08] "\x00\x00\x00\x00" # total length
[0x0C] "\x00\x00\x00\x00" # first block length
[0x10] "\x00\x00\x00\x00" # second block length
[0x14] "\x00\x00\x00\x00" # third block length

The issue relates to the handling of the first, second and third blocks of data. The server first reads the header into a structure stored on the stack, all lengths are left in host-byte order. Firstly a buffer is allocated on the heap with a length as defined by the header, 'total length', and said number of bytes is read into the newly allocated buffer from the socket through which the remote user is connected.

00405485 cmp dword [ss:ebp-0x28], ebx ; validate 'total length'
00405488 je 0x40550e
; 'total length' > 0
0040548e push dword [ss:ebp-0x28]
00405491 call sub_422739 ; malloc([ebp-0x28])
00405496 mov esi, eax
00405498 pop ecx
00405499 cmp esi, ebx
0040549b mov dword [ss:ebp-0x34], esi
0040549e je 0x405511

004054a0 mov eax, dword [ss:ebp-0x28]
004054a3 mov ecx, edi
004054a5 mov dword [ss:ebp-0x10], eax
004054a8 lea eax, dword [ss:ebp-0x10]
004054ab push eax
004054ac push esi
004054ad call sub_420e0c ; recv(), 'total-length' bytes
004054b2 test al, al
004054b4 je 0x405511

The server then proceeds to copy the newly read data from the heap allocated buffer to constant sized buffers stored on the stack thereby facilitating a remote buffer overflow.

; validate 'first block length'
004054b6 mov eax, dword [ss:ebp-0x24]
004054b9 cmp eax, ebx

004054bb je 0x4054d1
; 'first block length' > 0
004054bd push eax ; 'first block length'
004054be lea eax, dword [ss:ebp-0x12bc]
004054c4 push esi ; malloc([ebp-0x28])
004054c5 push eax ; ebp-0x12bc
; memcpy(ebp-0x12bc, esi, [ebp-0x24])
004054c6 call sub_421fd0
004054cb mov eax, dword [ss:ebp-0x24]
004054ce add esp, 0xc

The remainder of the buffer, namely the 'op' code value is validated against a maximal value between 0x80 and 0x9D.

00405514 mov ecx, dword [ss:ebp-0x2c]
00405517 lea edx, dword [ds:ecx-0x80]
0040551a cmp edx, 0x1d ; validate op code
0040551d ja 0x4059e3

Vulnerability Fixes

The vendor failed to respond to Trustwave within the permitted time period documented in the Trustwave responsible disclosure procedure despite Trustwave making several attempts to solicit a response. As such, we can confirm that the current and thus latest version of Bopup Communications Server is still vulnerable to the aforementioned vulnerability.

Please see our advisory for full details and proof-of-concept code: TWSL2016-020

Latest SpiderLabs Blogs

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More