| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAD3Canef7S8wPCAgnoubzzNNvBWpPmJmJKiBdKnq8KjPnqdwmw@mail.gmail.com> Date: Wed, 24 May 2017 22:12:41 +1200 From: Matthew Daley <mattd@...fuzz.com> To: fulldisclosure@...lists.org Subject: [FD] CVE-2017-8895 / VTS17-006: UAF in Veritas Backup Exec Remote Agent for Windows Affected software: Veritas (previously Symantec) Backup Exec Remote Agent for Windows Affected versions: All versions before Backup Exec 16 FP1, Backup Exec 15 14.2.1180.3160, Backup Exec 2014 14.1.1187.1126 Vulnerability type: Use-after-free Impact: Unauthenticated remote code execution as SYSTEM user Solution: Install the latest version across all hosts with the agent installed Website: https://www.veritas.com/product/backup-and-recovery/backup-exec Vendor disclosure: https://www.veritas.com/content/support/en_US/security/VTS17-006.html Summary: The Backup Exec Remote Agent for Windows is vulnerable to a use-after-free in its handling of SSL/TLS-wrapped NDMP connections. If SSL/TLS is established on a NDMP connection, ended, and finally re-established, the agent will re-use previously freed SSL/TLS structures. This allows for remote code execution over an unauthenticated network connection. (Note: the requirement for authentication given in the MITRE CVE description is incorrect; no authentication is required.) Detail: The agent accepts NDMP connections on TCP port 10000. The vendor-specific `0xF383` NDMP packet type allows for NDMP connections to be wrapped in a SSL/TLS session. Sub-type `4` initiates the SSL/TLS handshake; after successfully completing this the client and server continue the NDMP session through the SSL/TLS session. The agent makes use of OpenSSL to handle these SSL/TLS sessions. When a SSL/TLS session is created, the agent creates necessary OpenSSL structures, including a `struct BIO` from the connection's associated network socket using `BIO_new_socket`. Upon the end of the SSL/TLS session, this structure is freed by a call to `BIO_free` through a call to `SSL_free`. However, if a SSL/TLS connection is then re-established on the same NDMP connection, the previously freed `BIO` is re-used in the new SSL/TLS session even though it is no longer allocated. The `BIO` is stored during the first connection setup and then retrieved during second connection setup as a member of the `CSecuritySSLConnection` class, despite the call to `SSL_free` previously freeing it. This leads to a use-after-free as the `BIO` contains a pointer to a structure (`BIO_METHOD *method`) of function pointers that are used to perform operations such as reading and writing from the wrapped `BIO` object (in this case, the network socket). By overwriting the previously allocated `BIO` with controlled data, it is possible to gain remote code execution when OpenSSL attempts to call one of these function pointers. - Matthew Daley _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists