MWR InfoSecurity Security Advisory. Intersystems Caché CSP (Caché Server Pages) Stack Overflow. 17 th December 2009

Similar documents
MWR InfoSecurity Security Advisory. IBM Lotus Domino Accept- Language Stack Overflow. 20 th May Contents

12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents

MWR InfoSecurity Security Advisory. IBM Lotus Domino icalendar Address Stack Buffer Overflow Vulnerability. 14 th September 2010

MWR InfoSecurity Security Advisory. IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability. 4th March 2010

MWR InfoSecurity Security Advisory. IBM WebSphere MQ - rrilookupget Remote Denial of Service Vulnerability. 4th March 2010

MWR InfoSecurity Security Advisory. Linux USB Device Driver - Buffer Overflow. 29 th October Contents

MWR InfoSecurity Security Advisory. Sophos RMS / TAO Component DoS Vulnerability. 16 th January Contents

MWR InfoSecurity Security Advisory. Oracle Enterprise Manager SQL Injection Advisory. 1 st February 2010

MWR InfoSecurity Security Advisory. Mozilla Firefox 64-Bit SetTextInternal () Heap Buffer Overflow. 23 rd June 2010

MWR InfoSecurity Security Advisory. DotNetNuke Cross Site Request Forgery Vulnerability Contents

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

Buffer-Overflow Attacks on the Stack

Buffer-Overflow Attacks on the Stack

Microsoft Office Protected-View Out-Of- Bound Array Access

Lecture 08 Control-flow Hijacking Defenses

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Abysssec Research. 1) Advisory information. 2) Not vulnerable version

Buffer Overflow Attack (AskCypert CLaaS)

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

SA31675 / CVE

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP

Autodesk AutoCAD DWG-AC1021 Heap Corruption

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

N e xt G e n e ra tio n S e c u rity S o f t w a r e Lt d. Blind Exploitation of Stack Overflow

Offensive Security My First Buffer Overflow: Tutorial

CSC 405 Computer Security Stack Canaries & ASLR

Leveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

CSC 2400: Computer Systems. Using the Stack for Function Calls

Is stack overflow still a problem?

CSC 8400: Computer Systems. Using the Stack for Function Calls

Program Exploitation Intro

Buffer Overflows Defending against arbitrary code insertion and execution

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Università Ca Foscari Venezia

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

SA28083 / CVE

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

Security Advisory IP Camera Vulnerability December

Function Call Convention

Abysssec Research. 1) Advisory information. 2) Vulnerability Information. Class 1- Stack overflow. Impact

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis

com_apple_avebridge::submi tdata NULL Dereference

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Buffer Overflow. An Introduction

Bypassing DEP with WPM & ROP Case Study : Audio Converter by D.R Software Exploit and Document by Sud0 sud0.x90 [ at ] gmail.com sud0 [at] corelan.

Remote Buffer Overflow Exploits

Payload Already Inside: Data re-use for ROP Exploits

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CVE :

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Secure Systems Engineering

20: Exploits and Containment

Apology of 0days. Nicolás Waisman

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

FFRI,Inc. Monthly Research Understanding bypassing ASLR by a pointer at a fixed address. Ver

Abysssec Research. 1) Advisory information. 2) Vulnerable version. : Microsoft Excel SxView Record Parsing Memory Corruption

Vivisection of an Exploit: What To Do When It Isn't Easy. Dave Aitel Immunity, Inc

Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

The Geometry of Innocent Flesh on the Bone

Program Security and Vulnerabilities Class 2

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Abysssec Research. 1) Advisory information. 2) Vulnerable version

Vulnerabilities in C/C++ programs Part I

Basic Buffer Overflows

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

Smashing the Buffer. Miroslav Štampar

CMPSC 497 Buffer Overflow Vulnerabilities

Exploits and gdb. Tutorial 5

CSE 565 Computer Security Fall 2018

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Defense against Code-injection, and Code-reuse Attack

Memory corruption vulnerability exposure can be mitigated through memory hardening practices

CS 499 Lab 3: Disassembly of slammer.bin I. PURPOSE

Advanced Buffer Overflow

Fundamentals of Computer Security

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Return Oriented Programming

CSE 509: Computer Security

ECE 471 Embedded Systems Lecture 22

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Secureworks Security Advisory Incorrect access control in AMAG Technologies Symmetry Edge Network Door Controllers

buffer overflow exploitation

idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.

CSC 2400: Computer Systems. Using the Stack for Function Calls

Exploit Mitigation - PIE

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Buffer overflow background

Transcription:

MWR InfoSecurity Security Advisory Intersystems Caché CSP (Caché Server Pages) Stack Overflow 17 th December 2009 2009-12-17 Page 1 of 8

CONTENTS CONTENTS 1 Detailed Vulnerability Description... 5 1.1 Introduction... 5 1.2 Technical Background... 5 1.3 Exploit Information... 5 1.4 Dependencies... 6 2 Recommendations... 7 2009-12-17 Page 2 of 8

Intersystems Caché CSP (Caché Server Pages) Remote Code Execution Intersystems Caché CSP (Caché Server Pages) Remote Code Execution Package Name: Date: 2009-10-27 Affected Versions: Intersystems Caché CSP (Caché Server Pages) Stack Overflow 2009.1.1.504.0su_lnxrh6x86 has been tested, it is expected more platforms and older versions are also vulnerable. CVE Reference Author Severity Local/Remote Vulnerability Class Impact Vendor Response Exploit Details Included Affected OS Dependencies CVE-2009-4068 A. Plaskett High Risk Remote Stack Based Overflow Remote Code Execution Attempts to contact the vendor have been made via CPNI. However, no response has been forthcoming. The decision to release this advisory was taken after exploit code became publicly available. Limited details are included. Linux, Windows Network access to the vulnerable CSP httpd server. Overview: A stack based buffer overflow vulnerability exists in Intersystems Caché CSP (Caché Server Pages) Apache extension which can be exploited by a remote attacker to execute arbitrary code in the context of the web server s user rights. MWR InfoSecurity have made the decision to release this advisory due to the current existence of exploit code for the vulnerability within the public domain. It should be noted that this vulnerability was also found recently by other security researchers and exploits were created for the Metasploit and Canvas exploitation frameworks. MWR InfoSecurity independently discovered this vulnerability and disclosed details of it to the vendor through CPNI in October 2009. MWR InfoSecurity discovered and researched this issue on the Linux platform, whilst the Canvas and Metasploit exploits both target Microsoft Windows systems. This advisory details the vulnerability on the Linux platform and therefore provides further information about the issue that may be of value to interested parties. The following links provide more information about this vulnerability as documented by other security researchers: - http://www.securityfocus.com/bid/37177 http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/ex ploits/windows/http/intersystems_cache.rb 2009-12-17 Page 3 of 8

Intersystems Caché CSP (Caché Server Pages) Remote Code Execution https://forum.immunityinc.com/board/thread/1077/intersystems-cachebof/?page=1#post-1077 Impact: An attacker exploiting this vulnerability can cause arbitrary code to be executed in the context of the Apache process. Cause: The vulnerability arises from lack of bounds checking when copying data into a fixed size stack buffer. Interim Workaround: Introduce host based or network filtering controls to restrict access to the affected service to authorised IP addresses only although this might not be appropriate when legitimate access to the HTTP service is required. Solution: A full solution will required vendor intervention. Timeline: 2009-09-01 Vulnerability discovered on client test 2009-10-27 Advisory delivered to CPNI 2009-11-09 CVE number assigned. 2009-12-16 No vendor response, advisory released when exploit code became publicly available. 2009-12-17 Page 4 of 8

Detailed Vulnerability Description 1 Detailed Vulnerability Description 1.1 Introduction The Caché database is developed by InterSystems and is described as follows on the company s web site: CACHÉ is the innovative object database that runs SQL five times faster than relational databases. Caché enables rapid Web application development, extraordinary transaction processing speed, massive scalability, and real-time queries against transactional data - with minimal maintenance requirements. Source: http://www.intersystems.com/caché/index.html It is possible to access a Caché database through a web application by deploying Caché Server Pages (CSP) code. The CSP functionality is described as follows: Server Pages bring all the capabilities of Caché to the demanding environment of the Web, where rapid development and adaptability are as important as high performance and scalability. Caché eliminates the extra processing layers and system-level programming that make Web development difficult and Web applications sluggish. Compatible with off-the-shelf tools, Caché Server Pages are the simplest, quickest way to create superfast, massively scalable Web applications. Source: http://www.intersystems.com/caché/technology/components/csp/index.html 1.2 Technical Background The vulnerability exists due to a lack of bounds checking performed when copying data to a fixed sized stack buffer (256 bytes) using the strcpy function. An attacker can provide a sufficiently long HTTP GET request string which is processed by the CSP handler (csprt function) within the cspa22.so library. This request string will be copied into a fixed size stack buffer and will overflow into other data stored on the stack (causing memory corruption). 0x00140b44 <csprt+5015>: mov eax,dword PTR [ebp-0x188] ; 0x00140b4a <csprt+5021>: mov eax,dword PTR [eax+0x10] ; eax = &src 0x00140b4d <csprt+5024>: mov DWORD PTR [esp+0x4],eax ; push &src 0x00140b51 <csprt+5028>: lea eax,[ebp-0x8d2] 0x00140b57 <csprt+5034>: mov DWORD PTR [esp],eax ; push dest 0x00140b5a <csprt+5037>: call 0x119f10 <strcpy@plt> 1.3 Exploit Information In order to exploit this vulnerability an attacker can overflow the buffer into the saved return address stored on the stack. This can be achieved by crafting an HTTP GET request with an amount of data which overflows the return address. On the Linux RedHat version tested (2009.1.1.504.0su_lnxrh6x86) it was possible to overwrite the return address with 2041 bytes prefixed with the directory name /csp/. 2009-12-17 Page 5 of 8

Detailed Vulnerability Description The following Ruby code can be used to illustrate the vulnerability being triggered: require 'socket' # 2241 to overwrite EIP with 4 bytes overflow = "A" * 2241 request = "GET /csp/#{overflow} HTTP/1.0\r\n\r\n" s = TCPSocket.new('172.16.201.145',57772) s.write request The following output from gdb shows the saved return address overwritten by 0x41414141 (AAAA). (gdb) bt 5 #0 0x00140b5f in csprt () from /home/****/cache/csp/bin/cspa22.so #1 0x41414141 in?? () #2 0xb7e3f000 in?? () #3 0x00000002 in?? () #4 0xbfb9afb4 in?? () When the function csprt returns, the attacker controlled address will be popped off the stack and loaded into the instruction pointer (EIP register). This will allow an attacker to gain control of the flow of execution of the program. It should be noted that certain operating system/compiler security features prevent this form of exploitation on recent builds. However, it is possible to construct such an exploit that bypasses the protection mechanisms in place due to the large amount of memory corruption that occurs and the flexibility it offers an attacker. MWR InfoSecurity have produced proof of concept code for this vulnerability which allows attacker controlled code execution to occur in the context of the HTTP process. 1.4 Dependencies Exploiting this vulnerability relies on an attacker being able to send HTTP requests to the Apache server with the CSP handler installed. Therefore, network filtering could partially mitigate this vulnerability and would limit exploitation to those users/network devices. 2009-12-17 Page 6 of 8

Detailed Vulnerability Description 2 Recommendations It is recommended that the software should be upgraded to the latest stable and secure version when this becomes available from the vendor. Until then, it is possible to reduce the potential for exploitation by deploying network filtering to deny unauthorised users access to the Apache HTTP server with the CSP handler installed. 2009-12-17 Page 7 of 8

MWR Detailed InfoSecurity Vulnerability Description St. Clement House 1-3 Alencon Link Basingstoke, RG21 7SB Tel: +44 (0)1256 300920 Fax: +44 (0)1256 844083 mwrinfosecurity.com 2009-12-17 Page 8 of 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback