ActFax Server Stack-Based Buffer Overflow Vulnerability Allowing Arbitrary Code Execution

A stack-based buffer overflow vulnerability has been identified in ActFax Server version 4.32. This issue arises in the 'Import Users from File' feature of the client interface, where the application improperly validates the length of tab-delimited fields in .exp files. This lack of validation leads to unsafe use of the strcpy() function during CSV parsing. An attacker can exploit this vulnerability by creating a malicious .exp file and importing it with the default character set 'ECMA-94 / Latin 1 (ISO 8859)'. Successful exploitation could allow for arbitrary code execution, potentially leading to a full system compromise. User interaction is required to trigger this vulnerability.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system, with the executed code running in the context of the user who imported the malicious .exp file. In the case of Windows XP, where ActFax runs as a service, the executed code would have SYSTEM privileges.

Reproduction

To reproduce this vulnerability, create a .exp file that takes advantage of the buffer overflow by including a payload that, when executed, provides access to the system or escalates privileges. The .exp file must be imported into ActFax Server 4.32 using the default character set 'ECMA-94 / Latin 1 (ISO 8859)'. This can be done through the 'Import Users from File' option in the client interface. Once the file is imported, the payload will be executed, leading to arbitrary code execution.