[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1275423136.3021.737.camel@new-desktop>
Date: Tue, 01 Jun 2010 22:12:16 +0200
From: Nicolas Grégoire <nicolas.gregoire@...rri.fr>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: SFCB vulnerabilities
[=] Product overview
SBLIM SFCB is an Open Source implementation of a WBEM CIM broker. WBEM
is a set of technologies aimed to monitor and administer (larges) pools
of computing ressources, applications, hardware. It's used by computers
management tools like HP Systems Insight Manager, VMware vSphere or IBM
Director. SFCB usually listens on TCP ports 5988 (HTTP) or 5989 (HTTPS)
and is used in many Linux distributions and some VMware / Dell products.
[=] Vulnerabilities
* CVE-2010-1937 (SFCB bug #3001896) : pre-auth remote heap overflow
using a forged Content-Length header
When parsing a HTTP request, SFCB will use any positive Content-Length
value to allocate a buffer. Then, memcpy tries to copy the user-provided
POST data in this buffer. By sending a small value in the Content-Length
header and more data in the POST body, it's possible to overflow the
previously allocated heap buffer.
Vulnerable versions : up to 1.3.7
* CVE-2010-2054 (SFCB bug #3001915) : pre-auth remote integer overflow
using a forged Content-Length header
If the configuration option "httpMaxContentLength" is explicitly set to
0, SFCB will only check that the Content-Length value is positive and
lower than UINT_MAX and use it (adding 8) to allocate a buffer. Then,
memcpy tries to copy the user-provided POST data in this buffer. By
sending a value between UINT_MAX-7 and UINT_MAX-1, it is possible to
overflow a buffer of size 1 to 7.
Vulnerable versions : from 1.3.4 to 1.3.7
[=] Note about VMware products
VMware ESXi 3.5, ESXi 4 and ESX 4 are running by default a modified
version of SFCB (v1.3.3 in ESX 4). However they were tested as non
vulnerable :
- CVE-2010-1937 has been silently patched in WMware products
- CVE-2010-2054 doesn't affect versions lower than 1.3.4
[=] Mitigating factors
None :
- SSL authentication isn't used by SFCB
- bugs are triggered before any HTTP-layer credential check
- POST and M-POST are default methods used by WBEM
[=] Vectors
These vulnerabilities can be triggered by default on port TCP/5988
(HTTTP) or TCP/5989 (HTTPS), using POST or M-POST requests.
[=] Solution
Upgrade to version 1.3.8
[=] Links
SBLIM SFCB :
http://sourceforge.net/apps/mediawiki/sblim/index.php?title=Sfcb
WBEM :
http://en.wikipedia.org/wiki/Web-Based_Enterprise_Management
CVE-2010-1937 :
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1937
CVE-2010-2054 :
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2054
SFCB bug #3001896 :
http://sourceforge.net/tracker/?func=detail&aid=3001896&group_id=128809&atid=712784
SFCB bug #3001915 :
http://sourceforge.net/tracker/?func=detail&aid=3001915&group_id=128809&atid=712784
Regards,
Nicolas Grégoire / Agarri
Powered by blists - more mailing lists