exploit-db-mirror/exploits/windows/dos/15260.txt

Source: http://aluigi.org/adv/unirpcd_1-adv.txt
#######################################################################

                             Luigi Auriemma

Application:  Rocket Software UniData
              http://www.rocketsoftware.com/u2/products/unidata/
Versions:     <= 7.2.7.3806
Platforms:    Windows
Bugs:         various Denial of Service vulnerabilities in unirpcd.exe
Exploitation: remote, versus server
Date:         15 Oct 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


"UniData® is an extended relational data server ideal for embedding in
a variety of industry-focused solutions."


#######################################################################

=======
2) Bugs
=======


The unirpc service listening on port 31438 is affected by various
Denial of Service vulnerabilities regarding the access of invalid zones
of memory.

Although the first vulnerability is a memory corruption problem where
the program calls recv() using a heap buffer and a huge amount of data
to copy (like 0x7fffffe8, decided by the attacker) in my tests it
didn't result exploitable.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/unirpcd_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15260.zip (unirpcd_1.zip)

#######################################################################

======
4) Fix
======


No fix.


#######################################################################