Microsoft Dynamics GP Multiple (4) Buffer Overflows

Notification Type: IBM Internet Security Systems Protection Advisory
Notification Date: June 30, 2008
Notification Version: 1.0
   
Name: Microsoft Dynamics GP Multiple (4) Buffer Overflows
Public disclosure/
In the wild date:		 June 30, 2008 (vuln disclosure)
CVE:

CVE-2006-5265 and CVE-2006-5266
Description:

The Microsoft Dynamics GP is vulnerable to four heap and stack-based buffer overflows. A remote attacker could overflow the buffer and execute arbitrary code or gain control of the affected system by sending malicious queries to the Distributed Process Server or Distributed Process Manager.
Discoverer: IBM X-Force

 

ISS Coverage
Product Content Version
Proventia Network IDS
Proventia Network IPS
Proventia Network MFS
Proventia Server (Linux)
RealSecure Network
RealSecure Server Sensor		 24.49 or 1.88
Proventia Desktop
Proventia Server IPS (Windows)		 epu or 1890
Propagation Techniques ISS Protection Available

remote exploit

DPS_Magic_Number_DoS
DPS_IpAddr_Overflow
DPS_String_Overflow

Oct 10, 2006

Detailed Description
Business Impact: Successful compromise of Microsoft Dynamics GP could expose confidential accounting, financial, and logistics information, information that is often considered extremely sensitive. X-Force has tracked numerous attacks where gaining access to this type of information was the main goal of the attacker.  Malicious modification of this information or even denial of service could have a devastating impact on a company’s ability to make accurate estimates of corporate financial performance.
CVSS (for XFID 25840-25843): Base Score: 10.0
  Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Adjusted Temporal Score: 7.4
  Exploitability: Unproven
Remediation Level: Official-Fix
Report Confidence: Confirmed
Affected Products: Any version of Great Plains prior to version 10.0 could be impacted. ISS X-Force has confirmed the vulnerabilities in Great Plains version 8 SP3, and the fix was released in Great Plains version 10.0.
Technical Description:

Microsoft Dynamics GP (formerly known as Great Plains) is a software system for managing and integrating finance, e-commerce, logistics, customer relationship, and human resources information in a business. Dynamics GP includes a Distributed Process Server and Manager that can be used to distribute to processing load for certain calculations across a number of different workstations.

Distributed Process Server and Manager listen for connections on TCP ports 1352 and 1351 respectively. Messages sent to these services conform to a proprietary protocol. The software copies data sent in this protocol into various heap and stack buffers depending on the context. While all of the data copies are bounded, they are often bounded by a value that is greater then the amount of memory that has been allocated, leading to a potential buffer overflow or denial of service.

Four vulnerabilities (XFID 25840, XFID 25841,XFID 25842, and XFID 25843) discovered by IBM X-Force related to this protocol are buffer overflows that allow remote code execution.  A fifth issue (XFID 25844), a Denial of Service vulnerability, was also discovered.

Remediation:

Patches are available for this issue. See References for details.

References
XFDB: http://xforce.iss.net/xforce/xfdb/25840
http://xforce.iss.net/xforce/xfdb/25841
http://xforce.iss.net/xforce/xfdb/25842
http://xforce.iss.net/xforce/xfdb/25843
http://xforce.iss.net/xforce/xfdb/25844
Microsoft: http://www.microsoft.com/dynamics/gp/product/10.mspx

Revision History
1.0 Initial publication.


About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.