Message-ID: <4974798E.2010907@wintercore.com>
Date: Mon, 19 Jan 2009 14:01:02 +0100
From: vulns@...tercore.com
To: bugtraq@...urityfocus.com
Subject: [Wintercore Research] Fujitsu SystemcastWizard Lite PXEService Remote Buffer Overflow


[ Wintercore Research:: Advisory W01-0109 ]

html version: http://www.wintercore.com/advisories/advisory_W010109.html

1. Background

"SystemcastWizard Lite is support software for the setup of the
PRIMEQUEST system"

2. Non-technical description

PXEService.exe is prone to a remote buffer overflow due to improper
bounds checking when handling PXE requests.

A remote, unauthenticated attacker can take advantage of this flaw to
execute arbitrary code by sending a single specially crafted UDP packet.

3. Technical description

PXEService listens for PXE protocol requests over UDP. Each incoming
datagram is copied into a fixed static buffer of 0x400 bytes
(byte_414970). However, the len argument passed to recvfrom() is 0x5DC,
so a datagram longer than 0x400 bytes is written up to 0x1DC (476)
bytes past the end of the buffer, into whatever the module keeps after
it in its data section. With enough crafting, an attacker can take
advantage of this flaw to execute arbitrary code on affected systems.


Version: V4.0L11
MD5: 0C18CC97F02844445C805BB0986D6A4E

Module: PXEService.exe (32-bit) - overflow site

.text:00402789 push eax ; fromlen
.text:0040278A lea ecx, [esp+20h+from]
.text:0040278E push ecx ; from
.text:0040278F push 0 ; flags
.text:00402791 push 5DCh ; len [FLAW]
.text:00402796 push offset byte_414970 ; fixed buffer 0x400
.text:0040279B push edx ; s
.text:0040279C mov [esp+34h+fromlen], 10h
.text:004027A4 call recvfrom ; BUFFER OVERFLOW
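The same length mismatch, as an added example that is not Fujitsu's or Wintercore's code: a C model of the recvfrom() call above, with the vulnerable constant beside the corrected one. Names and sizes not in the advisory (fake_recvfrom, g_data as a stand-in for the data that follows byte_414970, the 'A'-filled payload) are assumptions made for the demo; a constructed in-memory datagram replaces the network so the program runs offline.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN  0x400   /* size of the static receive buffer (byte_414970) */
#define RECV_LEN 0x5DC   /* len handed to recvfrom(); 1500 bytes [FLAW] */
#define SPILL    (RECV_LEN - BUF_LEN)   /* 0x1DC bytes that can land past it */
#define SENTINEL 0xAA

/* Assumed layout: the receive buffer followed immediately by other module
 * data, as byte_414970 sits among other globals in the real binary. The
 * region is sized to the largest possible write so the demo never leaves it. */
static unsigned char g_data[RECV_LEN];
static unsigned char *const pxe_buf = g_data;           /* 0x400-byte buffer */
static unsigned char *const after   = g_data + BUF_LEN; /* what follows it   */

/* Stand-in for recvfrom(): like the kernel, it copies min(len, datagram size)
 * bytes and trusts len completely; it cannot know how large buf really is. */
static size_t fake_recvfrom(unsigned char *buf, size_t len,
                            const unsigned char *dgram, size_t dgram_len)
{
    size_t n = dgram_len < len ? dgram_len : len;
    memcpy(buf, dgram, n);
    return n;
}

/* Vulnerable pattern from the advisory: len is a constant unrelated to the
 * buffer, so any datagram of 0x401 to 0x5DC bytes overflows it. */
size_t recv_pxe_vuln(const unsigned char *dgram, size_t dgram_len)
{
    return fake_recvfrom(pxe_buf, RECV_LEN, dgram, dgram_len);
}

/* Hardened pattern: len is the buffer's real size. An oversize datagram is
 * truncated instead of spilling; with recvmsg() the kernel would also flag
 * the truncation via MSG_TRUNC so the service can reject the request. */
size_t recv_pxe_fixed(const unsigned char *dgram, size_t dgram_len)
{
    return fake_recvfrom(pxe_buf, BUF_LEN, dgram, dgram_len);
}

/* Deliver one constructed datagram of dgram_len 'A' bytes through recv_fn
 * and report how many bytes beyond the buffer it overwrote. */
size_t overflow_bytes(size_t (*recv_fn)(const unsigned char *, size_t),
                      size_t dgram_len)
{
    unsigned char dgram[RECV_LEN + 64];   /* allow datagrams longer than len */
    size_t i, clobbered = 0;

    if (dgram_len > sizeof dgram)
        dgram_len = sizeof dgram;
    memset(dgram, 'A', dgram_len);        /* constructed attacker payload */
    memset(pxe_buf, 0, BUF_LEN);
    memset(after, SENTINEL, SPILL);

    recv_fn(dgram, dgram_len);

    for (i = 0; i < SPILL; i++)
        if (after[i] != SENTINEL)
            clobbered++;
    return clobbered;
}

int main(void)
{
    printf("vulnerable, 0x5DC-byte datagram: %zu bytes past the buffer\n",
           overflow_bytes(recv_pxe_vuln, 0x5DC));
    printf("vulnerable, 0x400-byte datagram: %zu bytes past the buffer\n",
           overflow_bytes(recv_pxe_vuln, 0x400));
    printf("fixed,      0x5DC-byte datagram: %zu bytes past the buffer\n",
           overflow_bytes(recv_pxe_fixed, 0x5DC));
    return 0;
}
```

overflow_bytes() returns 0x1DC (476) for the vulnerable receive of a full 0x5DC-byte datagram and 0 for the fixed one. Because the buffer is static, the spill lands in the module's data rather than on the stack, so what those 0x1DC bytes can reach depends on what the linker placed after byte_414970; the fix is simply to pass the buffer's own size as len.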

4. Exploiting it

The exploit is trivial: a single UDP datagram longer than 0x400 bytes
delivered to the PXEService listener triggers the overflow, and no
authentication is required.

5. References

Advisory (English):
http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html

Patch (English):
http://www.fujitsu.com/global/services/computing/server/primequest/downloads/

Advisory (Japanese):
http://primeserver.fujitsu.com/primequest/products/os/windows2008.html

Patch (Japanese):
http://primeserver.fujitsu.com/primequest/download/?from=relatedlinks

6.  Products Affected

SystemcastWizard Lite <= 2.0

7.  Credits

Vulnerability discovered and researched by Ruben Santamarta, Wintercore.

8.  Disclosure Timeline

05/26/2008 - Vendor contacted
05/29/2008 - Vendor acknowledged
01/16/2009 - Coordinated disclosure

-- 

Wintercore
C/ Isla de Salvora, 180.
28400 Collado Villalba.
Spain
Phone: +(34) 91 849 98 89
www.wintercore.com
