Multiple buffer overflows in Microsoft Dynamics GP (formerly Great Plains) 9.0 and earlier allow remote attackers to execute arbitrary code via (1) a crafted Distributed Process Manager (DPM) message to the (a) DPM component, or a (2) long string or (3) long IP address in a Distributed Process Server (DPS) message to the DPM or (b) DPS component.
Microsoft Dynamics GP versions 9.0 and earlier are vulnerable to multiple remote code execution (RCE) flaws due to buffer overflows in the Distributed Process Manager (DPM) and Distributed Process Server (DPS) components. Successful exploitation allows attackers to gain complete control of the affected systems, potentially leading to data breaches and significant operational disruption.
Step 1: Target Identification: The attacker identifies a Microsoft Dynamics GP server running a vulnerable version (9.0 or earlier).
Step 2: Payload Crafting: The attacker crafts a malicious message: either a crafted DPM message, or a DPS message carrying an overly long string or IP address, designed to overflow a buffer within the vulnerable component.
Step 3: Message Delivery: The attacker sends the crafted message to the target server, typically over the network.
Step 4: Buffer Overflow Trigger: The vulnerable DPM or DPS component receives and processes the malicious message. Because the component does not check the bounds of the incoming data, the oversized data overwrites the end of the allocated buffer.
Step 5: Code Execution: The buffer overflow corrupts adjacent memory, potentially overwriting the return address or other control-flow data. This allows the attacker to redirect program execution to a location of their choosing, such as a shellcode payload placed in the overflowed buffer.
Step 6: System Compromise: The attacker's shellcode executes, granting them control over the compromised system, including the ability to read, write, and execute arbitrary commands.
The vulnerability stems from insufficient bounds checking when handling messages within the DPM and DPS components of Microsoft Dynamics GP. Specifically, the software fails to properly validate the size of data received in DPM and DPS messages. This allows an attacker to send crafted messages containing overly long strings or IP addresses, leading to a buffer overflow. When the oversized data is written to a fixed-size buffer, it overwrites adjacent memory, potentially overwriting critical program data or control flow structures. This can lead to arbitrary code execution, allowing an attacker to inject and execute malicious code on the server. The root cause is a lack of input validation and secure coding practices in the handling of network messages.
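The following is an added illustration of the defect class described above, not Dynamics GP's code: the field layout (a sender-supplied length byte followed by IP address text) is hypothetical, and the point is the unchecked copy beside a bounded, validated version that rejects an oversized "IP address" field before any byte is written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical field layout, constructed for this example and NOT the real
 * DPS wire format: [1 byte: length N][N bytes: IPv4 text, no NUL]. */
#define IP_BUF 16 /* "255.255.255.255" plus terminating NUL */

/* Vulnerable pattern: the sender-supplied length is trusted and the copy is
 * unbounded, so a field longer than 15 bytes overruns 'out'. */
int parse_ip_unchecked(const uint8_t *msg, char out[IP_BUF]) {
    size_t n = msg[0];
    memcpy(out, msg + 1, n); /* no bounds check: overflow when n > 15 */
    out[n] = '\0';
    return 0;
}

/* Hardened: bound the length against the buffer, check that the message
 * really carries that many bytes, and require a dotted-quad result. */
int parse_ip_checked(const uint8_t *msg, size_t msg_len, char out[IP_BUF]) {
    if (msg_len < 1) return -1;
    size_t n = msg[0];
    if (n == 0 || n > IP_BUF - 1) return -1; /* oversized "IP address" field */
    if (msg_len < 1 + n) return -1;          /* truncated message */
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    struct in_addr addr;
    return inet_pton(AF_INET, out, &addr) == 1 ? 0 : -1;
}

/* Constructed sample: a well-formed 11-byte field "192.168.1.5". */
static const uint8_t MSG_OK[] = { 11, '1','9','2','.','1','6','8','.','1','.','5' };

/* Returns 1 when the sample parses and round-trips exactly. */
int check_ok_sample(void) {
    char out[IP_BUF];
    return parse_ip_checked(MSG_OK, sizeof MSG_OK, out) == 0 &&
           strcmp(out, "192.168.1.5") == 0;
}

/* Builds a field of n digit characters (the "long IP address" case) and
 * returns the hardened parser's verdict: -1 means rejected before any copy. */
int check_long_field(size_t n) {
    uint8_t msg[256];
    char out[IP_BUF];
    msg[0] = (uint8_t)n;
    memset(msg + 1, '1', n);
    return parse_ip_checked(msg, 1 + n, out);
}

int main(void) {
    printf("sample field ok: %d\n", check_ok_sample());       /* 1 */
    printf("40-byte field: %d\n", check_long_field(40));      /* -1, no overflow */
    /* parse_ip_unchecked would overrun 'out' with that 40-byte field. */
    return 0;
}
```

The same length-then-copy discipline applies to the "long string" case: the bound comes from the destination buffer, never from the message.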