| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 01 Jun 2010 22:12:16 +0200 From: Nicolas Grégoire <nicolas.gregoire@...rri.fr> To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk Subject: SFCB vulnerabilities [=] Product overview SBLIM SFCB is an Open Source implementation of a WBEM CIM broker. WBEM is a set of technologies aimed to monitor and administer (larges) pools of computing ressources, applications, hardware. It's used by computers management tools like HP Systems Insight Manager, VMware vSphere or IBM Director. SFCB usually listens on TCP ports 5988 (HTTP) or 5989 (HTTPS) and is used in many Linux distributions and some VMware / Dell products. [=] Vulnerabilities * CVE-2010-1937 (SFCB bug #3001896) : pre-auth remote heap overflow using a forged Content-Length header When parsing a HTTP request, SFCB will use any positive Content-Length value to allocate a buffer. Then, memcpy tries to copy the user-provided POST data in this buffer. By sending a small value in the Content-Length header and more data in the POST body, it's possible to overflow the previously allocated heap buffer. Vulnerable versions : up to 1.3.7 * CVE-2010-2054 (SFCB bug #3001915) : pre-auth remote integer overflow using a forged Content-Length header If the configuration option "httpMaxContentLength" is explicitly set to 0, SFCB will only check that the Content-Length value is positive and lower than UINT_MAX and use it (adding 8) to allocate a buffer. Then, memcpy tries to copy the user-provided POST data in this buffer. By sending a value between UINT_MAX-7 and UINT_MAX-1, it is possible to overflow a buffer of size 1 to 7. Vulnerable versions : from 1.3.4 to 1.3.7 [=] Note about VMware products VMware ESXi 3.5, ESXi 4 and ESX 4 are running by default a modified version of SFCB (v1.3.3 in ESX 4). However they were tested as non vulnerable : - CVE-2010-1937 has been silently patched in WMware products - CVE-2010-2054 doesn't affect versions lower than 1.3.4 [=] Mitigating factors None : - SSL authentication isn't used by SFCB - bugs are triggered before any HTTP-layer credential check - POST and M-POST are default methods used by WBEM [=] Vectors These vulnerabilities can be triggered by default on port TCP/5988 (HTTTP) or TCP/5989 (HTTPS), using POST or M-POST requests. [=] Solution Upgrade to version 1.3.8 [=] Links SBLIM SFCB : http://sourceforge.net/apps/mediawiki/sblim/index.php?title=Sfcb WBEM : http://en.wikipedia.org/wiki/Web-Based_Enterprise_Management CVE-2010-1937 : http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1937 CVE-2010-2054 : http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2054 SFCB bug #3001896 : http://sourceforge.net/tracker/?func=detail&aid=3001896&group_id=128809&atid=712784 SFCB bug #3001915 : http://sourceforge.net/tracker/?func=detail&aid=3001915&group_id=128809&atid=712784 Regards, Nicolas Grégoire / Agarri _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists